CIRCIA Cyber Reporting Deadline Pushed to May 2026 After Industry Pushback

Sources: Lex Blog

CISA has delayed final CIRCIA cyber incident reporting rules until May 2026, giving organizations extra time.

Why it matters: Legal teams at government contractors and critical infrastructure firms must reassess compliance, contract risk, and reporting strategies. The extended timeline gives organizations a longer runway for process reviews but maintains significant new legal exposure when regulations go live.

  • CISA issued the CIRCIA Notice of Proposed Rulemaking (NPRM) on April 4, 2024.
  • The final rule will be published in May 2026 following public comment and review.
  • CIRCIA requires reporting covered cyber incidents within 72 hours and ransomware payments within 24 hours.
  • Roughly 72,000 Defense Industrial Base companies will need to meet these new requirements.

The Cybersecurity and Infrastructure Security Agency (CISA) has moved the timeline for its Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) rules to May 2026. This change comes after a wave of feedback from industry stakeholders, shifting compliance deadlines well past the expected 2025 target.

  • On April 4, 2024, CISA opened its Notice of Proposed Rulemaking (NPRM) to public comment, outlining new reporting duties for government contractors and owners of critical infrastructure.
  • Entities covered by CIRCIA must report significant cyber incidents within 72 hours. Any ransomware payment must be reported within 24 hours—requirements that go beyond the current Defense Federal Acquisition Regulation Supplement (DFARS) standards.
  • CISA projects that about 72,000 Defense Industrial Base companies will fall within the regulation’s scope, facing heightened legal obligations.
  • To address concerns from contractors and law firms, the public comment period will now extend into early 2026. Additional town halls are planned to clarify definitions like “covered cyber incident” and discuss secure sharing of details.

Legal teams are advised to use this extension to update incident response policies, audit notification provisions in contracts, and conduct liability gap assessments now—before CIRCIA’s changes take effect.

CISA has described CIRCIA as a major move to increase awareness of cyber threats, while legal advisors urge companies to anticipate challenges from unresolved definitions and strict reporting timelines. The extra time is meant for industry feedback but doesn’t reduce the potential for future enforcement risk.

By the numbers:

  • 72,000 — Defense Industrial Base entities likely covered by new CIRCIA rules
  • 72 hours — Maximum time to report a significant cyber incident under CIRCIA
  • 24 hours — Maximum time to report any ransomware payment for covered entities

Yes, but: Despite the delay, key definitions remain vague and rapid reporting deadlines may create compliance headaches for legal teams.

What's next: Extended public comment and industry town halls will run into early 2026, ahead of the final rule publication in May 2026.