Non-Lawyer Summary
One cyberattack can start several different reporting clocks at the same time. This post explains who has to be told, how fast each notice is due, which reports stay private, and why companies need a single decision process instead of treating each law in isolation.
The Cold Open
The alert arrived at 2:47 a.m.
The SOC analyst saw it first: anomalous lateral movement across three network segments. By 3:15, the incident response team was assembled. By 4:00, they knew it was bad. By 5:30 — when the extent of the breach was beginning to come into focus — the general counsel's phone rang.
The first question out of her mouth: "What do we have to report, and when?"
What followed was a cascading realization that no one had fully mapped before that moment. This was a publicly traded company. It operated in New York under DFS license. It had healthcare subsidiaries. It processed EU customer data. It was a critical infrastructure entity in the financial sector.
In seconds, everything changed. Not one reporting obligation. Ten.
Each with a different clock. Each running simultaneously. Each measured from a different starting point. Each going to a different recipient. Some public. Some private. Some with safe harbors. Some without. One measured in hours. One in days. One in months. All of them ticking at once.
This is the reality of cyber incident reporting in 2026 — and the organizations that navigate it without a pre-built playbook pay the price in enforcement, litigation, and regulatory credibility they can never fully recover.
Overview
A single cyberattack on a publicly traded financial institution that also owns healthcare subsidiaries may simultaneously trigger ten or more distinct mandatory reporting obligations — each with different clocks, different recipients, different content requirements, and different consequences for non-compliance. CIRCIA requires 72-hour CISA notification (private, with safe harbor). The SEC requires 8-K disclosure within 4 business days of materiality determination (public, no safe harbor). HIPAA requires 60-day notification to OCR and affected individuals. DFS 23 NYCRR 500 requires 72-hour notification to the New York Department of Financial Services. GDPR requires 72-hour notification to the supervisory authority. NIS2 requires a 24-hour early warning and a 72-hour full notification. DORA requires classification-triggered notification within 4 to 24 hours. California and New York each require 30-day individual notification. This module provides the practitioner's reference for navigating this patchwork — framework by framework, clock by clock — with a consolidated comparison table and the decision framework for managing parallel obligations.
The Core Problem: Notification Fatigue and Obligation Stacking
No single unified incident reporting standard exists in U.S. or international law as of 2026. Each reporting framework was enacted by a different authority, at a different time, for a different policy purpose:
- CIRCIA: national security intelligence collection and systemic risk visibility
- SEC 8-K: investor protection and material information disclosure
- HIPAA: patient privacy and healthcare data protection
- DFS 500: New York financial sector supervisory oversight
- GDPR: EU personal data rights protection
- NIS2: EU critical infrastructure resilience
- DORA: EU financial sector operational resilience
- State breach notification: consumer notice and identity theft prevention
The result: lawyers advising clients on incident response must simultaneously manage incompatible timelines, different materiality standards, different content requirements, and disclosure obligations to different recipients — some of which are public filings (SEC 8-K) and some of which carry safe harbor protections (CIRCIA).
But the core problem runs deeper than complexity. The problem is that these frameworks generate conflicting incentives in real time. CIRCIA rewards candor — its safe harbor protects frank disclosure. The SEC 8-K puts that same disclosure into a public filing reviewed by plaintiffs' attorneys. The organization that is candid in its CIRCIA report and then guarded in its 8-K creates an inconsistency that regulators will find. The organization that waits to understand the full scope before filing anything misses the clocks that don't wait.
The practitioner's first task after an incident is confirmed: build the notification matrix. What data was affected? What sector does this client operate in? Is this client publicly traded? Where are the affected individuals located?
CIRCIA — The Clock Nobody Fully Understands Yet
Authority: Cybersecurity and Infrastructure Security Agency (CISA) under the Cyber Incident Reporting for Critical Infrastructure Act of 2022
Who must comply: An estimated 300,000 or more covered entities across the 16 PPD-21 critical infrastructure sectors (energy, financial services, healthcare, transportation, communications, water, and 10 more)
Status: Final rule expected May 2026; NPRM published April 4, 2024. In a February 13, 2026 Federal Register notice, CISA announced March 2026 sector town halls to refine the proposed rule's scope and burden. CIRCIA is NOT yet in full effect — obligations trigger after final rule publication.
Reporting Clocks
Covered cyber incident — 72 hours: From the moment the covered entity reasonably believes a covered incident occurred. "We're still investigating" does not stop the clock. Covered incidents include: unauthorized access with loss of confidentiality/integrity/availability; disruption of business or industrial operations due to a cyberattack; unauthorized access to or exfiltration of sensitive information; denial of service causing significant disruption; compromise of operational technology affecting physical processes.
Ransomware payment — 24 hours: From making any ransom payment, regardless of whether a covered incident report was filed. This is the tightest cybersecurity reporting deadline in U.S. law. The payment report may be combined with the incident report — but the 24-hour payment clock controls.
CIRCIA's Safe Harbor — The Feature That Changes Everything
CIRCIA's safe harbor is the most significant feature distinguishing it from all other U.S. incident reporting requirements. It is the reason the CIRCIA report may be the most candid document produced during an incident response.
- Regulatory proceedings protection: CIRCIA reports submitted to CISA cannot be used by federal agencies as the basis for regulatory enforcement action against the reporting entity. Security failures disclosed in the report cannot establish regulatory violations.
- FOIA protection: CIRCIA reports are protected from Freedom of Information Act disclosure — unlike SEC Form 8-K filings, CIRCIA reports remain private between the entity and CISA.
- No admission of liability: A CIRCIA report is not an admission of fault or a violation of law.
Practical implication: For clients with multi-framework obligations, the CIRCIA report may contain the most candid assessment of what happened and what security controls were in place. Because of the safe harbor, counsel may advise that the CIRCIA report include facts that would not appear in a public SEC 8-K disclosure. This is not inconsistency — this is strategic disclosure management within the rules.
CIRCIA and Substantially Similar Reports
If a covered entity has already filed a comparable incident report with another federal agency (FERC, TSA, FRB, OCC, FDIC, HHS), that report may be submitted to CISA as the CIRCIA report — eliminating duplicative reporting. This requires advance coordination to ensure the existing sector-specific report meets CIRCIA's content requirements.
SEC Form 8-K — The Disclosure That Goes Public
Authority: Securities and Exchange Commission (SEC)
Final rule: Adopted July 26, 2023; effective December 18, 2023
Who must comply: All SEC reporting companies — publicly traded companies with reporting obligations under the Securities Exchange Act
The Materiality Standard — A Legal Judgment, Not a Technical One
The trigger for SEC 8-K disclosure is a determination that a cybersecurity incident is "material": there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision.
Clock: Within 4 business days of determining the incident is material (not 4 business days from discovery). The materiality determination itself takes time — and that determination is a legal judgment, not a technical one.
This is where companies make their first mistake. They treat materiality as a technical question — how many records were compromised, how long was the system down. It is not. Materiality asks what a reasonable investor would consider important. That analysis involves business impact, reputational exposure, customer concentration, regulatory consequences, and litigation risk. It requires counsel. And it has to happen fast, because the 4-day clock starts when the determination is made.
Content: The 8-K must describe the nature, scope, timing, and material impact (or reasonably likely material impact) of the incident. The SEC rule does not require disclosure of technical details that would undermine ongoing incident response or remediation.
Delay Mechanism
Disclosure may be delayed if the U.S. Attorney General certifies that immediate disclosure would pose a substantial risk to national security or public safety. Initial delay: 30 days. Additional 30-day extension available. A second additional 30-day delay is possible in extraordinary circumstances.
Enforcement context: The SEC's enforcement posture on cybersecurity disclosure became significantly less aggressive under the Atkins administration (2025+). The SolarWinds enforcement action — the SEC's most aggressive cybersecurity disclosure enforcement — was dismissed in 2025. However, the rule remains in effect and the materiality disclosure obligation continues.
Annual Cybersecurity Disclosure (Form 10-K)
In addition to incident-specific 8-K reporting, all SEC reporting companies must include in their annual Form 10-K a description of:
- Material cybersecurity risks and their potential impact on strategy, operations, and financial condition
- Governance of cybersecurity risk, including board and management oversight
- Processes for assessing, identifying, and managing cybersecurity risks
This creates an ongoing annual audit function for legal counsel: are the 10-K cybersecurity disclosures accurate and complete? A company whose 10-K disclosed robust cybersecurity governance that demonstrably failed will face questions about whether that disclosure was accurate at the time it was made.
GDPR Article 33 — The EU Personal Data Clock
Authority: National Data Protection Authorities (DPAs) in each EU Member State
Who must comply: Data controllers that experience a "personal data breach" involving personal data of EU residents
Threshold: The reporting obligation is triggered by a personal data breach that is "likely to result in a risk to the rights and freedoms of natural persons." Low-risk breaches (e.g., accidental exposure of non-sensitive data immediately remediated with no likely adverse impact) may not require notification — but the burden is on the controller to document why.
Clocks
Supervisory authority notification (Article 33): Within 72 hours of becoming aware of the breach. The clock runs from awareness, not from confirmation. Initial notification may be incomplete — the controller may file an initial report and supplement it as investigation proceeds.
Individual notification (Article 34): "Without undue delay" when the breach is "likely to result in a high risk" to rights and freedoms. No specific outer deadline, but "without undue delay" means as soon as the controller has determined the affected individuals and the nature of the risk.
Content Requirements
The GDPR Article 33 notification must include:
- Nature of the breach (categories and approximate number of data subjects and records affected)
- Name and contact details of the Data Protection Officer
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
NIS2 — The Three-Stage EU Infrastructure Regime
Authority: National competent authorities and CSIRTs (Computer Security Incident Response Teams) in each EU Member State
Who must comply: Essential entities and important entities in covered sectors — energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space
Transposition status: NIS2 required Member States to adopt and publish transposition measures by October 17, 2024 and apply them from October 18, 2024. Enforcement began Q1 2026, but only 14 of 27 EU Member States had fully transposed NIS2 by the October 2024 deadline. Member States transposing after October 2024 may have variation in national implementing rules.
Three-Stage Reporting Structure
Stage 1 — Early Warning (24 hours from awareness): Notify the national competent authority or CSIRT within 24 hours of becoming aware of a "significant incident." Content: basic notification that a significant incident has occurred; no full assessment required. Purpose: allows national authorities to prepare resources and coordinate if cross-border impact is suspected.
Stage 2 — Full Incident Notification (72 hours from awareness): Submit a full notification within 72 hours of becoming aware. Content must include: initial assessment of the incident; severity; impact; suspected cause; indicators of compromise; whether cross-border impact is likely.
Stage 3 — Final Report (within 1 month of Stage 2 submission): A detailed final report including: full description of the incident; root cause analysis; mitigation measures applied; cross-border impact assessment (if any); lessons learned and planned improvements.
Ongoing incidents: For incidents that are not yet resolved at the Stage 2 deadline, submit monthly progress reports and a final report within 1 month of resolution.
What is a "significant incident"? An incident that causes or is capable of causing serious operational disruption or financial loss; that affects other natural or legal persons by causing considerable material or non-material damage. Indicators include: service unavailability, data integrity compromise, financial loss, reputational harm.
DORA — The Tightest Clock in the Portfolio
Authority: European Supervisory Authorities (EBA for banking, ESMA for securities, EIOPA for insurance); national financial supervisors
Effective date: January 17, 2025
Direct-application point: Because DORA is a regulation, it applies directly from January 17, 2025 across the EU financial sector. Practitioners still need to track technical standards and supervisory guidance, but they do not wait on national transposition in the same way they do with NIS2.
Who must comply: Banks and credit institutions, investment firms, payment institutions, electronic money institutions, crypto-asset service providers, insurance undertakings, reinsurance undertakings, fund managers, credit rating agencies, data reporting service providers — and their critical ICT third-party service providers.
ICT-Related Incident Reporting — 4 Hours
DORA establishes a two-tier incident classification: "exceptional" and "major" incidents.
Initial notification:
- Exceptional incidents: Within 4 hours of classifying the incident as exceptional
- Major incidents: Within 24 hours of classifying the incident as major
4 hours. Not 4 hours after full investigation. Not 4 hours after executive approval. 4 hours after the incident is classified. By the time the classification meeting ends, the clock is already running.
Intermediate report: Within 72 hours of initial notification. Content: updated assessment, scope, affected services, preliminary root cause, measures taken.
Final report: Within 1 month of resolution. Content: full root cause analysis, remediation timeline, implementation of measures, cross-border impact if applicable.
Classification factors for "major" incident: Number of clients affected; geographic spread of impact; duration; economic impact; criticality of affected services; reputational damage; whether the incident was caused by an ICT third-party provider.
DORA + GDPR + NIS2 stacking: An EU financial institution that suffers a cyberattack affecting customer personal data and causing operational disruption may simultaneously face all three EU reporting obligations. DORA's timelines are the tightest for financial institutions; NIS2 provides the three-stage structure; GDPR governs personal data disclosure. Legal counsel must coordinate across all three frameworks.
HIPAA Breach Notification — The Healthcare Clock
Authority: HHS Office for Civil Rights (OCR)
Who must comply: HIPAA covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates
Threshold: A "breach" under HIPAA is an impermissible acquisition, access, use, or disclosure of unsecured protected health information (PHI) that compromises the security or privacy of the PHI. Not every security incident is a HIPAA breach — the covered entity must perform a four-factor risk assessment. Impermissible access is presumed to be a breach unless the risk assessment demonstrates a low probability that the PHI was compromised.
Notification Clocks
Individual notification: Within 60 days of discovery of the breach. "Discovery" is when the covered entity knew or, by exercising reasonable diligence, would have known.
HHS notification:
- For breaches affecting 500 or more individuals: notify HHS simultaneously with individual notification (within 60 days of discovery); HHS posts to public "Wall of Shame" website
- For breaches affecting fewer than 500 individuals: log the breach and report to HHS annually within 60 days of end of calendar year
Media notification: For breaches affecting 500 or more residents of a state or jurisdiction, the covered entity must also notify prominent media outlets in that state, in the same timeframe as individual notification.
Business associate to covered entity: Without unreasonable delay; not to exceed 60 days from discovery by the business associate.
HIPAA and the 2025 NPRM
The 2025 HIPAA Security Rule NPRM (see Module 1I) proposes to require business associates to notify covered entities within 24 hours of discovering a security incident — regardless of whether the incident constitutes a breach. This proposed change, if finalized, will dramatically accelerate the incident communication timeline for the covered entity.
DFS 23 NYCRR 500 — New York's 72-Hour Hammer
Authority: New York Department of Financial Services (DFS)
Who must comply: All entities licensed or authorized by DFS — banks, insurers, money transmitters, mortgage companies, premium finance agencies, and others regulated by DFS
Triggering event: A "cybersecurity event" that has a reasonable likelihood of materially affecting normal operations or that involves nonpublic information.
Reporting Clocks
Cybersecurity event: Notify DFS within 72 hours of determining that a qualifying cybersecurity event occurred.
Extortion payment: Notify DFS within 24 hours of making an extortion payment. Where feasible, the DFS-regulated entity must provide prior notice and obtain DFS approval before making a ransomware payment.
Annual certification: The CISO (or equivalent) must submit an annual certification of compliance with 23 NYCRR 500 to DFS.
Enforcement: DFS has been one of the most active U.S. financial regulators in cybersecurity enforcement. First American Financial Corporation paid a $1M penalty in 2021; Carnival Corporation paid $5M in 2022. DFS cybersecurity enforcement actions are public and are regularly cited as examples of the cost of non-compliance.
CA Breach Notification (30-Day) — California's Civil Liability Exposure
Authority: California Attorney General; private right of action under Civil Code § 1798.150
Effective date for 30-day rule: January 1, 2026 (Civil Code § 1798.82 amended)
Who must comply: Any person or business that owns or licenses personal information of California residents
Triggering event: Unauthorized acquisition of specific categories of personal information — name + Social Security number; name + financial account number + access code; name + medical/health information; login credentials; biometric data; geolocation combined with other data; and others.
Clock: Within 30 days of discovery of the breach.
Notification to AG: For breaches affecting more than 500 California residents, submit a sample notice to the California AG at the same time individual notices are sent.
Statutory damages: Civil Code § 1798.150 provides a private right of action for $100 to $750 per consumer per incident, or actual damages if greater. This is the most significant civil liability exposure in U.S. state breach notification law. One million California consumers. $750 per incident. The math does not require a calculator to be alarming.
NY Breach Notification (30-Day) — New York's Parallel Clock
Authority: New York Attorney General under General Business Law § 899-aa
Who must comply: Any person or business that owns or licenses private information of New York residents
Triggering event: Unauthorized acquisition or access to private information — defined to include financial account numbers, biometric data, login credentials, SSNs, and other sensitive categories.
Clock: Within 30 days of discovery of the breach.
Notification to AG: Required when the breach affects New York residents; AG notification accompanies individual notification.
DFS 500 relationship: For DFS-regulated financial entities, DFS 500's 72-hour reporting obligation runs separately and faster than the 30-day NY GBL § 899-aa obligation. Both apply. The DFS 500 report goes to the financial regulator; the GBL § 899-aa obligation requires individual notification.
FRB / OCC / FDIC Banking Regulator Notification — 36 Hours
Authority: Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) — joint rule
Effective date: May 1, 2022
Who must comply: All U.S. banking organizations supervised by FRB, OCC, or FDIC
Triggering event: A "computer-security incident" that rises to the level of a "notification incident" — defined as one that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the banking organization's ability to carry out operations, deliver services to customers, or impact the stability of the financial sector.
Clock: As soon as possible but no later than 36 hours after determining that a notification incident occurred.
Recipient: The banking organization's primary federal regulator (FRB, OCC, or FDIC).
Bank service provider obligations: Bank service providers (technology companies, processors) must notify affected banking organizations as soon as possible upon determining that a notification incident occurred — no specified outer deadline, but must be prompt.
Relationship to CIRCIA: Banking organizations are covered entities under CIRCIA (financial services sector). Once CIRCIA's final rule takes effect, the substantially similar reports provision allows the FRB/OCC/FDIC notification to serve as the CIRCIA report — avoiding duplicative reporting. This requires advance coordination to ensure the bank regulator notification meets CIRCIA content requirements.
Master Comparison Table
| Framework | Who | Triggering Event | Reporting Clock | Recipient | Public? | Safe Harbor |
|---|---|---|---|---|---|---|
| CIRCIA (incident) | 300K+ critical infrastructure entities | Covered cyber incident | 72 hours from reasonable belief | CISA | No (private) | Yes — FOIA + regulatory proceeding protection |
| CIRCIA (ransomware) | Same | Ransomware payment | 24 hours from payment | CISA | No (private) | Yes |
| FRB/OCC/FDIC | U.S. bank organizations | Notification incident (material disruption) | 36 hours | Primary federal bank regulator | No | No |
| SEC Form 8-K | Publicly traded companies | Material cybersecurity incident | 4 business days from materiality determination | SEC + public | Yes | No (delay available with AG cert) |
| GDPR Art. 33 | Data controllers (EU personal data) | Personal data breach with risk | 72 hours from awareness | DPA / supervisory authority | No | No |
| NIS2 Stage 1 | Essential/important entities (EU) | Significant incident | 24 hours (early warning) | National CA / CSIRT | No | No |
| NIS2 Stage 2 | Same | Same | 72 hours (full notification) | Same | No | No |
| NIS2 Stage 3 | Same | Same | 1 month (final report) | Same | No | No |
| DORA (exceptional) | EU financial entities | Exceptional ICT incident | 4 hours from classification | Financial supervisor | No | No |
| DORA (major) | Same | Major ICT incident | 24 hours from classification | Same | No | No |
| DFS 500 | NY DFS-licensed entities | Qualifying cybersecurity event | 72 hours | DFS | No | No |
| DFS 500 (extortion) | Same | Extortion payment | 24 hours | DFS | No | No |
| HIPAA | Covered entities + BAs | Breach of unsecured PHI | 60 days | OCR + individuals | Partial (HHS wall of shame for ≥500) | No |
| CA breach law | Any co. with CA resident PI | Breach of personal info | 30 days | CA AG (500+) + individuals | Partial | No |
| NY breach law | Any co. with NY resident PI | Breach of personal info | 30 days | NY AG + individuals | Partial | No |
The Notification Matrix — The Playbook You Build Before the Breach
Before any incident occurs, legal counsel should build a notification matrix for each client:
Step 1: What data does the client hold?
- Personal information of CA/NY residents → state breach notification
- EU personal data → GDPR
- PHI / ePHI → HIPAA
- Nonpublic personal financial information → DFS 500 (if NY-licensed)
Step 2: What sector does the client operate in?
- 16 critical infrastructure sectors → CIRCIA (after final rule)
- Banking / federally supervised → FRB/OCC/FDIC 36-hour rule
- EU essential/important entity → NIS2
- EU financial entity → DORA
Step 3: Is the client publicly traded?
- Yes → SEC 8-K (materiality determination required)
Step 4: Map the fastest clocks first. The fastest clocks determine your immediate incident response priorities:
- DORA exceptional: 4 hours from classification
- CIRCIA ransomware / DFS extortion payment: 24 hours from payment
- NIS2 early warning / DORA major: 24 hours
- FRB/OCC/FDIC: 36 hours
- CIRCIA incident / GDPR / NIS2 full / DFS 500: 72 hours
- SEC 8-K: 4 business days from materiality determination
- CA/NY state breach: 30 days
- HIPAA: 60 days
Step 5: Manage consistency across disclosures. The same core facts about the incident will appear in multiple reports to multiple recipients. Inconsistencies across the CIRCIA report (private), the SEC 8-K (public), and state AG notifications create litigation and enforcement risk. Establish a single factual narrative, then adapt each report to its specific content requirements.
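A worked example of Steps 1 through 4, added here and not part of the original module or any regulator's tooling: a small Python notification-matrix builder that takes the client profile (Steps 1-3) and the clock-start moments as inputs and lists obligations soonest-due first, the way Step 4 directs. The clock lengths are the ones stated above; the `IncidentProfile` and `ClockStarts` field names, the constructed scenario and timestamps, and the treatment of "1 month" and "60 days" as plain calendar arithmetic are this example's own assumptions. It also collapses awareness, discovery and reasonable belief into one timestamp, a simplification counsel would revisit framework by framework. The point the code makes that the prose cannot: an obligation can apply without its clock having started (the 8-K before materiality is decided), and the only calendar-aware clock (business days) needs a holiday list to be computed correctly.

```python
"""Notification-matrix builder (illustrative, hypothetical field names).
Enumerates the reporting obligations one incident triggers and sorts them by
due time so the fastest clocks surface first."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class IncidentProfile:
    """Who the client is and what data it holds (Steps 1-3 of the matrix)."""
    publicly_traded: bool = False
    nydfs_licensed: bool = False
    federally_supervised_bank: bool = False
    critical_infrastructure: bool = False
    circia_final_rule_in_effect: bool = False  # CIRCIA clocks run only after the final rule
    eu_essential_or_important: bool = False
    eu_financial_entity: bool = False
    holds_eu_personal_data: bool = False
    holds_phi: bool = False
    holds_ca_pi: bool = False
    holds_ny_pi: bool = False


@dataclass
class ClockStarts:
    """Each framework measures from a different moment; None = not yet occurred.
    `awareness` stands in for awareness / discovery / reasonable belief (assumption)."""
    awareness: datetime
    materiality_determined: Optional[datetime] = None            # SEC 8-K
    notification_incident_determined: Optional[datetime] = None  # FRB/OCC/FDIC
    dfs_event_determined: Optional[datetime] = None              # DFS 500
    dora_classified: Optional[datetime] = None                   # DORA
    dora_tier: Optional[str] = None                              # "exceptional" | "major"
    ransom_paid: Optional[datetime] = None                       # CIRCIA ransomware / DFS extortion


def add_business_days(start: datetime, n: int, holidays=()) -> datetime:
    """Advance n business days (Mon-Fri), skipping any date in `holidays`.
    Time-of-day is preserved; supplying the federal holiday calendar is the caller's job."""
    due, remaining = start, n
    while remaining > 0:
        due += timedelta(days=1)
        if due.weekday() < 5 and due.date() not in holidays:
            remaining -= 1
    return due


def build_matrix(p: IncidentProfile, c: ClockStarts, holidays=()):
    """Return (framework, recipient, due) rows, soonest first. due is None when the
    obligation applies but its clock has not started yet (e.g. materiality undecided)."""
    rows = []

    def add(name, recipient, start, delta):
        rows.append((name, recipient, None if start is None else start + delta))

    a = c.awareness
    if p.critical_infrastructure and p.circia_final_rule_in_effect:
        add("CIRCIA covered incident", "CISA (private, safe harbor)", a, timedelta(hours=72))
        if c.ransom_paid:
            add("CIRCIA ransomware payment", "CISA", c.ransom_paid, timedelta(hours=24))
    if p.federally_supervised_bank:
        add("FRB/OCC/FDIC notification incident", "primary federal bank regulator",
            c.notification_incident_determined, timedelta(hours=36))
    if p.publicly_traded:  # the one clock counted in business days rather than hours
        due = (None if c.materiality_determined is None
               else add_business_days(c.materiality_determined, 4, holidays))
        rows.append(("SEC Form 8-K", "SEC (public filing)", due))
    if p.holds_eu_personal_data:
        add("GDPR Art. 33", "supervisory authority", a, timedelta(hours=72))
    if p.eu_essential_or_important:
        add("NIS2 Stage 1 early warning", "national CA / CSIRT", a, timedelta(hours=24))
        add("NIS2 Stage 2 full notification", "national CA / CSIRT", a, timedelta(hours=72))
    if p.eu_financial_entity and c.dora_tier is not None:
        if c.dora_tier not in ("exceptional", "major"):
            raise ValueError(f"unknown DORA tier: {c.dora_tier!r}")
        hours = 4 if c.dora_tier == "exceptional" else 24
        add(f"DORA {c.dora_tier} ICT incident", "financial supervisor",
            c.dora_classified, timedelta(hours=hours))
    if p.nydfs_licensed:
        add("DFS 23 NYCRR 500 cybersecurity event", "NY DFS",
            c.dfs_event_determined, timedelta(hours=72))
        if c.ransom_paid:
            add("DFS 500 extortion payment", "NY DFS", c.ransom_paid, timedelta(hours=24))
    if p.holds_phi:
        add("HIPAA breach notification", "OCR + individuals", a, timedelta(days=60))
    if p.holds_ca_pi:
        add("CA Civil Code 1798.82", "CA AG (500+) + individuals", a, timedelta(days=30))
    if p.holds_ny_pi:
        add("NY GBL 899-aa", "NY AG + individuals", a, timedelta(days=30))

    # Started clocks first, soonest due at the top; un-started clocks trail as reminders.
    rows.sort(key=lambda r: (r[2] is None, r[2] or datetime.min))
    return rows


if __name__ == "__main__":
    # Constructed scenario mirroring the cold open: public, DFS-licensed, PHI, EU data,
    # financial-sector critical infrastructure. All timestamps are invented.
    profile = IncidentProfile(publicly_traded=True, nydfs_licensed=True,
                              critical_infrastructure=True, circia_final_rule_in_effect=True,
                              holds_eu_personal_data=True, holds_phi=True,
                              holds_ca_pi=True, holds_ny_pi=True)
    clocks = ClockStarts(awareness=datetime(2026, 3, 10, 5, 30),
                         dfs_event_determined=datetime(2026, 3, 10, 9, 0))
    for name, recipient, due in build_matrix(profile, clocks):
        print(f"{str(due or 'clock not started'):<20}  {name:<38} -> {recipient}")
```

Run as-is, the scenario prints the 72-hour CIRCIA, GDPR and DFS rows at the top and the SEC row at the bottom marked "clock not started", because materiality has not been determined; set `materiality_determined` and the 8-K row moves up to its business-day due date. The `holidays` argument exists precisely because a Friday holiday shifts a Thursday materiality determination's deadline by a full day.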
Practitioner Takeaways
1. The fastest clocks require pre-drafted templates — not drafting under pressure. The 4-hour DORA exceptional clock, 24-hour CIRCIA ransomware clock, and 24-hour DFS extortion payment clock cannot be met if counsel is drafting notification language from scratch during an active incident. Every client with applicable obligations should have jurisdiction-specific templates approved by outside counsel before an incident occurs.
2. Materiality under the SEC rule is a legal determination — not a technical one. The SEC 8-K obligation triggers on materiality determination, not on discovery. The 4-business-day clock starts when the company determines the incident is material. Clients need pre-approved materiality frameworks and outside counsel involvement in materiality determinations before disclosure is drafted.
3. CIRCIA's safe harbor changes the content calculus. Because CIRCIA reports cannot be used in federal regulatory proceedings, the CIRCIA report may be the most candid incident assessment in the portfolio. Counsel advising clients on multi-framework disclosure should consider whether facts appropriate for the CIRCIA report should appear in other, less protected, disclosures.
4. The substantially similar reports provision requires advance mapping. For banking organizations, pipeline operators, and other entities with existing sector-specific reporting obligations, the CIRCIA substantially similar reports provision may eliminate duplicative reporting. This requires pre-incident analysis to confirm that the existing report format meets CIRCIA content requirements — not ad hoc during the incident.
5. EU triple-stack is now operational. For EU financial entities, DORA (effective January 17, 2025), NIS2 (enforcement Q1 2026), and GDPR Article 33 may all apply simultaneously to a single incident. Each framework has different timelines and different recipients. Map EU obligations against each client's specific sector and data profile in advance.
6. Dual-reporting inconsistency is an enforcement trigger. Regulators and plaintiffs' counsel compare disclosures across frameworks. A candid SEC 8-K that conflicts with a minimal state AG notification, or a narrow HIPAA breach determination that contradicts a broader SEC materiality disclosure, invites enforcement and litigation scrutiny. Core facts must be consistent; jurisdictional framing may differ.
Quiz
See: artifacts/quizzes/quiz-01l.md