CISA Delays Critical Cyber Incident Reporting Rule to May 2026

September 21, 2025Source: DWT Privacy & Security Law Blog

Found this useful? Share it with your network

The Cybersecurity & Infrastructure Security Agency (CISA) has delayed the implementation of its cyber incident reporting rule for critical infrastructure operators until May 2026, shifting the timeline from the previously expected October 2025 release. This regulation, mandated by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, requires timely reporting of cyber incidents to CISA, which is essential for strengthening national cybersecurity. The postponement comes amidst substantial criticism from industry stakeholders and lawmakers who argue that the proposed definitions, particularly regarding "covered entities," may be too broad and potentially exceed the statute's intent. This situation highlights ongoing tensions between regulatory frameworks and industry practices in managing cybersecurity risks effectively within healthcare technology and other critical sectors.

Read Full Article

Opens on DWT Privacy & Security Law Blog

More News

AMA Asking For Stronger Safeguards on AI Mental Health Chatbots

April 29, 2026MobiHealthNews

Andrea Daugherty Appointed Chief Information and Digital Transformation Officer at ARMC

April 24, 2026arrowheadregional.org

Craig Richardville Appointed Chief Digital and Information Officer at UF Health

April 13, 2026ufhealth.org

Former AMA Exec Margaret Lozovatsky Named CDIO At Premier Health

April 10, 2026premierhealth.com

Signature Healthcare Diverts Ambulances Following Cybersecurity Incident

April 8, 2026SecurityWeek

More Than 100 Hospitals Suing HHS Over Alleged Underpayment

April 6, 2026MedCity News