CISA Cybersecurity Incident Reporting Rule May 2026: What Every Company Must Report

# CISA Cybersecurity Incident Reporting Rule May 2026: What Every Company Must Report

> **Quick answer:** CISA's final CIRCIA rule, issued in May 2026, requires over 300,000 critical infrastructure companies across 16 sectors to report covered cyber incidents within 72 hours of discovery and ransomware payments within 24 hours. Penalties for non-compliance include federal subpoenas, criminal liability for false statements (up to 5 years imprisonment), and debarment from federal contracts. The compliance effective date is expected in late 2027 to 2028.

The most sweeping federal cybersecurity mandate in U.S. history is now final. The CISA cybersecurity incident reporting rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 reached its final rule stage in May 2026, ending years of regulatory uncertainty for hundreds of thousands of American businesses. If your company operates in energy, healthcare, financial services, transportation, defense, or any of 13 other critical sectors, your legal obligations just became concrete — and the clock on compliance has started.

## What Is CIRCIA and Why Did It Take This Long?

Congress passed the Cyber Incident Reporting for Critical Infrastructure Act in March 2022, directing CISA to create mandatory reporting rules for significant cyber incidents affecting critical infrastructure. The statutory deadline for the final rule was March 2024. CISA missed it.

The agency then pushed its target to October 2025, then again to May 2026, citing the volume and complexity of public comments received on the proposed rule. CISA director officials noted the delay would allow the agency to streamline requirements and harmonize CIRCIA with existing cyber reporting frameworks at other federal agencies — the SEC, HHS, FERC, and others had each developed their own reporting regimes, creating overlapping obligations that industry groups argued would be unworkable in practice.