Non-Lawyer Summary

CIRCIA will require many critical infrastructure companies to report serious cyber incidents to CISA within 72 hours and ransomware payments within 24 hours once the final rule takes effect. It adds a new federal reporting clock, but it does not replace state, sector, or other breach-notice duties.

The Law That Came After the Wake-Up Call

In May 2021, hackers encrypted the Colonial Pipeline's operational systems. For six days, the pipeline carrying 45% of the fuel supply for the Eastern United States sat offline. Gas stations ran dry from Virginia to Florida. Airports rationed fuel. The price of gasoline spiked across the country.

The attack revealed something that Washington had quietly known for years: the United States had no mandatory requirement for critical infrastructure operators to report cyberattacks to the federal government. Companies could get hit — and say nothing. They could pay the ransom — and tell no one. The government might not know an attack on a fuel pipeline had occurred until it showed up on the news.

Ten months later, Congress acted. On March 15, 2022, President Biden signed CIRCIA — the Cyber Incident Reporting for Critical Infrastructure Act — into law as part of the Consolidated Appropriations Act, 2022. It was the most significant expansion of U.S. federal cybersecurity reporting obligations in a generation.

When the final rule takes effect — expected May 2026 — approximately 300,000 entities across 16 critical infrastructure sectors will be required to report covered cyber incidents to CISA within 72 hours, and ransomware payments within 24 hours.

The clocks are already ticking. Most organizations just do not know it yet.


Key Concepts

What Is a "Covered Entity"?

A covered entity is any organization that owns or operates assets in one of the 16 critical infrastructure sectors designated under Presidential Policy Directive 21 (PPD-21). This is a broad category — it includes electric utilities, water systems, hospitals, banks, defense contractors, internet exchange points, pipeline operators, and more. The NPRM proposes size thresholds that may exclude very small entities from some obligations, but the final rule will define the exact scope.

For lawyers: Your client does not need to be a "critical infrastructure company" in a colloquial sense to be covered. A mid-sized regional hospital, a mid-market bank, a regional ISP — all likely qualify. The analysis starts with sector classification, not company size.

What Is a "Covered Cyber Incident"?

The NPRM defines covered cyber incidents as:

  • Unauthorized access resulting in loss of confidentiality, integrity, or availability
  • Disruption of business or industrial operations due to a cyberattack
  • Unauthorized access to or exfiltration of sensitive information
  • Denial of service causing significant disruption
  • Compromise of operational technology (OT) systems affecting physical processes

For lawyers: Not every security event is a "covered cyber incident." The final rule will define thresholds — but the 72-hour clock runs from when the entity reasonably believes a covered incident occurred. "We're still investigating" does not stop the clock.

The Two Reporting Clocks

CIRCIA's reporting windows, as fixed in the NPRM, set two separate clocks for compliance counsel to track:

  • 72-hour clock: For covered cyber incidents — runs from reasonably believing the incident occurred
  • 24-hour clock: For ransomware payments — runs from making any ransom payment (whether or not a covered cyber incident was separately reported)

The 24-hour ransomware payment clock is the tightest cybersecurity reporting deadline in U.S. law. It will often run before the full incident has been assessed. Before the forensics firm has issued a preliminary report. Before outside counsel has finished the first briefing call.


Statutory Framework

Full name: Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
Enacted: March 15, 2022 — signed by President Biden as part of the Consolidated Appropriations Act, 2022
Administering agency: CISA (Cybersecurity and Infrastructure Security Agency), within the Department of Homeland Security
Rulemaking status: NPRM published April 4, 2024 (188 pages); final rule expected May 2026 (delayed from original 2025 target). In a February 13, 2026 Federal Register notice, CISA also announced March 2026 sector town halls to refine the proposed rule's scope and burden before finalization.
Estimated coverage: 300,000+ entities across 16 PPD-21 critical infrastructure sectors

Operational implication: The 72-hour and 24-hour clocks are stable in the NPRM, but coverage thresholds and burden-reduction details were still being refined in 2026. Counsel should treat pre-final-rule CIRCIA playbooks as version-controlled assumptions, not frozen production rules.

The 16 Critical Infrastructure Sectors (PPD-21)

Chemical | Commercial Facilities | Communications | Critical Manufacturing | Dams | Defense Industrial Base | Emergency Services | Energy | Financial Services | Food and Agriculture | Government Facilities | Healthcare and Public Health | Information Technology | Nuclear Reactors, Materials, and Waste | Transportation Systems | Water and Wastewater Systems


Reporting Obligations

Covered Cyber Incident Report — 72 Hours

Covered entities must report to CISA within 72 hours of reasonably believing a covered cyber incident has occurred. The report must include (per NPRM):

  • Description of the incident (nature, timeline, systems affected)
  • Vulnerabilities exploited (if known)
  • Security defenses in place
  • Categories of data affected
  • Impact on operations
  • Contact information for the entity

No minimum loss threshold: Unlike CFAA's $5,000 loss requirement for civil suits, CIRCIA does not propose a minimum financial loss threshold. The trigger is the nature of the incident, not the dollar amount.

Ransomware Payment Report — 24 Hours

Covered entities must report to CISA within 24 hours of making any ransom payment, regardless of whether a covered cyber incident report was already submitted.

Combined reporting: If a covered cyber incident IS also a ransomware attack, the 72-hour incident report and 24-hour payment report may be submitted together — but the 24-hour payment deadline controls.

No payment prohibition: CIRCIA does not prohibit ransomware payments — it requires reporting them. The OFAC sanctions analysis (Module 1G) governs legality of the payment itself; CIRCIA governs the reporting obligation.
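As an added example for the Two Reporting Clocks and Reporting Obligations sections (not code from the module, CISA, or any regulator), a small Python deadline calculator that runs the 72-hour and 24-hour CIRCIA clocks from their separate trigger times, layers the non-preempted state clocks on top, and applies the combined-filing rule that the earliest deadline controls. The state-clock values and the assumption that state clocks start at the same discovery time are simplifications labelled in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Sequence

# Reporting windows as stated on the page (NPRM values for CIRCIA). The state
# entries use the 30-day CA/NY figures the page cites; starting them at the same
# "reasonable belief" time is an assumption, since each state law defines its
# own trigger. Constructed example, not CISA's or any regulator's tooling.
CIRCIA_INCIDENT = timedelta(hours=72)   # runs from reasonable belief of a covered incident
CIRCIA_PAYMENT = timedelta(hours=24)    # runs from making any ransom payment
STATE_CLOCKS = {"CA": timedelta(days=30), "NY": timedelta(days=30)}


@dataclass(frozen=True)
class Deadline:
    obligation: str
    starts: datetime
    due: datetime


def circia_deadlines(reasonable_belief: datetime,
                     ransom_paid: Optional[datetime] = None,
                     states: Sequence[str] = ()) -> List[Deadline]:
    """Return every reporting deadline that runs from the given trigger times, soonest first.

    Each clock is independent: the 72-hour clock starts at reasonable belief, the
    24-hour clock starts at payment (whether or not an incident report was filed),
    and state clocks keep running alongside, since CIRCIA does not preempt them.
    """
    for ts in (reasonable_belief, ransom_paid):
        if ts is not None and ts.tzinfo is None:
            raise ValueError("use timezone-aware timestamps; the clocks are wall-clock hours")
    out = [Deadline("CIRCIA covered cyber incident report", reasonable_belief,
                    reasonable_belief + CIRCIA_INCIDENT)]
    if ransom_paid is not None:
        out.append(Deadline("CIRCIA ransomware payment report", ransom_paid,
                            ransom_paid + CIRCIA_PAYMENT))
    for state in states:
        out.append(Deadline(f"{state} breach notification", reasonable_belief,
                            reasonable_belief + STATE_CLOCKS[state]))
    return sorted(out, key=lambda d: d.due)


def controlling_deadline(deadlines: List[Deadline]) -> Deadline:
    """For a combined filing the earliest due date governs (the page: the 24-hour payment deadline controls)."""
    return min(deadlines, key=lambda d: d.due)
```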


Safe Harbors — CIRCIA's Unique Protection

Here is the counterintuitive part: CIRCIA's safe harbor provisions make this federal reporting mandate less legally dangerous than many state breach notification laws, which carry no such protection.

CIRCIA's safe harbor provisions are the most significant feature distinguishing it from all U.S. state breach notification laws:

Protection from regulatory proceedings: CIRCIA reports submitted to CISA cannot be used by federal agencies as the basis for regulatory action against the reporting entity. If a company reports an incident to CISA and the report reveals security failures, that report cannot be used to establish a regulatory violation.

FOIA protection: CIRCIA reports are protected from disclosure under the Freedom of Information Act (to the extent legally permissible). Unlike SEC Form 8-K disclosures — which are immediately public and readable by plaintiff class action attorneys — CIRCIA reports remain private between the entity and CISA.

No admission of liability: A CIRCIA report cannot be construed as an admission of fault or a violation of law.

Why this matters: The safe harbor is designed to encourage complete, honest reporting. Without it, entities would have strong incentives to minimize or delay reports to avoid creating evidence against themselves. Counsel advising clients on CIRCIA compliance should understand that the safe harbor makes CIRCIA reporting less legally dangerous than it might initially appear.

A full, honest CIRCIA report — delivered on time — is both a legal obligation and a strategic asset.


Enforcement — What Happens When You Don't Report

Subpoena authority: If CISA has reason to believe a covered entity experienced a covered cyber incident but failed to report it, CISA may issue a subpoena to compel reporting.

Failure to comply with subpoena: Referral to the Department of Justice for enforcement action.

Civil penalties: Available for failure to comply with a CISA subpoena; specific amounts are to be defined in the final rule.

Debarment: Willful or repeat non-compliance may result in debarment from federal contracting.

Sharing with law enforcement: CISA will share CIRCIA reports with relevant sector risk management agencies and law enforcement. The report goes to CISA — not DOJ — but DOJ will see it. This affects privilege and litigation strategy considerations.

Colonial Pipeline's operators had no mandatory reporting obligation because the law simply did not exist yet. After CIRCIA, that silence becomes a choice — and choices have consequences.


Relationship to Other Reporting Frameworks

CIRCIA does NOT preempt state breach notification laws. CA's 30-day clock, NY's 30-day clock, and all other state obligations continue to run independently. CIRCIA adds a federal layer on top.

"Substantially similar reports" provision: If a covered entity already filed a comparable incident report with another federal agency (FERC, TSA, FRB, OCC, FDIC, HHS, etc.), that report may be submitted to CISA as the CIRCIA report — avoiding duplicative reporting for entities with existing sector-specific obligations.

Comparison table:

Framework | Who | Incident Clock | Ransom Clock | Recipient | Safe Harbor | Status
CIRCIA | 300K+ critical infrastructure entities | 72 hours | 24 hours | CISA (private) | Yes — FOIA + regulatory protection | Final rule May 2026
GDPR Art. 33 | Data controllers (EU personal data) | 72 hours | N/A | DPA (supervisory authority) | No | In effect
NIS2 | Essential/important entities (EU) | 24h early warning + 72h full | N/A | National CA / CSIRT | No | In effect (Q1 2026)
CA breach law | Any co. with CA resident PI | 30 days | N/A | CA AG + individuals | No | In effect
SEC 8-K | Public companies | 4 business days (material incidents) | N/A | SEC / public | No | In effect (Dec 2023)
DFS 500 | NY financial entities | 72 hours | 24 hours | DFS | No | In effect

Practitioner Takeaways

1. Build the 72-hour IR trigger into your playbooks before the final rule drops. The final rule expected May 2026 will give covered entities limited transition time. Counsel should advise clients to assess sector coverage now and begin building CIRCIA-compliant incident response workflows. Waiting for the final rule is a valid strategy for detailed compliance, but the general structure — 72h/24h — is settled.

2. The 24-hour ransomware payment clock requires pre-drafted templates. 24 hours from making a payment is an extremely tight window — often shorter than the incident response team's full assessment cycle. Counsel advising clients who may face ransomware should have a pre-drafted CIRCIA ransomware payment notification template ready before an incident occurs. You cannot write this from scratch during an active incident.

3. The CIRCIA safe harbor changes the litigation calculus. Unlike state breach notification, CIRCIA reports cannot be used against the company in federal regulatory proceedings. Counsel should factor this in when advising on notification strategy — a full and honest CIRCIA report is legally safer than a minimal one, because the safe harbor provides meaningful protection.

4. Sector overlap analysis is required before any incident. Entities in multiple sectors — a financial firm also owning energy infrastructure; a hospital system also operating a health insurance subsidiary — may qualify as "covered entities" under CIRCIA while also facing HIPAA, DFS, and SEC reporting obligations. Map your client's sector exposure before the final rule, not during the incident.

5. CIRCIA does not resolve the OFAC problem. Reporting a ransomware payment to CISA satisfies CIRCIA but does not resolve sanctions exposure. The OFAC SDN screening (Module 1G) and any OFAC license requirements are independent obligations that must be addressed before the payment is made. The 24-hour CIRCIA clock starts after payment — the OFAC analysis must happen before payment.

6. The "substantially similar reports" provision requires coordination across regulatory silos. For entities with existing sector-specific reporting obligations (TSA, FERC, FRB, etc.), the substantially similar reports provision may allow a single report to satisfy multiple obligations. This requires advance coordination across compliance, legal, and operations teams — not ad hoc during an incident.

7. Keep draft-rule assumptions separate from final-rule obligations. CISA was still seeking sector-specific input on scope and burden in early 2026. Build pre-drafted templates and coverage maps now, but label every CIRCIA workflow element that depends on the final rule so the playbook can be updated cleanly when the rule lands.


Quiz

See: artifacts/quizzes/quiz-01h.md
