Practice intelligence Current as of Jun 20, 2026
OlenderFeldman

Practice: Cybersecurity

CISA proposes 72-hour cyber incident reporting for critical infrastructure — CIRCIA NPRM

What the law is now

The SEC's December 2023 cybersecurity disclosure rules require public companies to report material cybersecurity incidents on Form 8-K within four business days of determining materiality. CISA's Cyber Incident Reporting for Critical Infrastructure Act rules are in the notice-and-comment phase; no mandatory civilian reporting timeline is yet final for non-federal entities. Many sectors have voluntary or sector-specific reporting under existing frameworks (HIPAA for health data, FTC Safeguards Rule for financial institutions).

What just shifted

What this adds: CISA's May 2026 supplemental guidance narrows the proposed definition of "covered entity" in the CIRCIA NPRM, confirming that companies providing cloud or managed security services to critical infrastructure owners — even if not themselves operators of critical infrastructure — will fall within the reporting obligation if the final rule adopts the supply-chain coverage in the proposal.

What this puts in question: Whether the "covered entity" definition in the final CIRCIA rule will apply to IT service providers and cloud companies whose clients include critical infrastructure operators, requiring those vendors to report incidents that affect — or could affect — the infrastructure client's systems.

What clients should weigh

· Do you operate in or provide services to sectors designated as critical infrastructure under CIRCIA — healthcare, financial services, water, energy, transportation, communications, or IT? If yes, CIRCIA reporting obligations will apply to you once the rule is final.

· Even before CIRCIA is final, do you have a documented incident response plan that addresses the 72-hour reporting window for both CISA (proposed) and the SEC's existing four-business-day materiality determination standard?

· If you are an IT or managed-security-service provider whose clients include critical infrastructure operators, the May supplemental guidance signals you may be treated as a covered entity — assess your incident response and reporting readiness now, before the final rule.

· CIRCIA is proposed, not final. The obligation described here is not yet active law. Build readiness now; expect the final rule to require reporting within a 12-month window after promulgation.

89 Fed. Reg. 23644 (CIRCIA NPRM, Apr. 4, 2024); CISA Supplemental Guidance, May 2026

Watch for

· CIRCIA final rule, expected late 2026 or early 2027

· SEC enforcement actions on the four-business-day materiality determination

· FTC Safeguards Rule breach notification enforcement, 2026 cycle

Ready to use

These are drafts. Edit before sending to a client.

This corpus reflects one attorney's personal review. It is not a comprehensive survey. Verify scope and currency before relying on it for any matter.