CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 29, 2026

CISA Town Halls Set Final Stage for CIRCIA Debate

Data Breach Today Archived May 29, 2026 ✓ Full text saved

June Meetings Could Shape Which Entities Must Report Cyber Incidents The Cybersecurity and Infrastructure Security Agency's June town halls will give critical infrastructure operators a final opportunity to influence how the agency defines covered entities, reportable incidents and compliance requirements before issuing long-awaited CIRCIA regulations.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Critical Infrastructure Security , Regulation , Standards, Regulations & Compliance CISA Town Halls Set Final Stage for CIRCIA Debate June Meetings Could Shape Which Entities Must Report Cyber Incidents Chris Riotta (@chrisriotta) • May 29, 2026     Credit Eligible Get Permission Image: Pawel Michalowski/Shutterstock/ISMG The U.S. cyber defense agency is set to host a series of town halls in mid-June that will serve as industry's last and potentially most consequential opportunity to shape federal cyber incident reporting requirements before regulators move toward a final rule. The meetings come as the Cybersecurity and Infrastructure Security Agency works to finalize regulations implementing the Cyber Incident Reporting for Critical Infrastructure Act. The 2022 law requires certain critical infrastructure operators to report significant cyber incidents ransomware payments to the federal government. The town halls will help determine which entities fall under the reporting regime and which incidents must be disclosed. The town halls will offer a window for industry into whether the Trump administration intends to narrow a proposal many organizations have criticized as broad and burdensome - or preserve a framework federal officials argue is necessary to improve visibility into threats targeting the nation's critical infrastructure. The virtual meetings, now set for June 15 to June 18, were rescheduled following a Department of Homeland Security funding lapse earlier this year that forced CISA to postpone a slate of stakeholder sessions originally planned for March and April. Congress directed the agency to establish regulations defining which organizations must report, what constitutes a reportable cyber incident and what information must be provided. Those questions have generated thousands of comments and significant pushback since CISA published its notice of proposed rulemaking in April 2024. Among the most contentious issues is determining which organizations will come under the regulation's mandate, or what constitutes a "covered entity." In a February request for information, CISA explored multiple approaches, including sector-based thresholds tied to an organization's size, revenue or operational importance. The agency also sought feedback on whether certain critical infrastructure operators should be covered based on their role in supporting national security, public health, economic stability or other critical functions, regardless of size. CISA similarly requested examples of what should constitute a "substantial cyber incident," a threshold determining when reporting requirements are triggered. Stakeholders were asked to weigh in on whether incidents should be judged based on operational disruption, financial losses, impacts to public safety, compromise of sensitive data or effects on the availability of critical services. Industry groups have said that portions of the proposed rule could create duplicative reporting obligations, unclear compliance triggers and significant operational burdens during major cyber events. That concern seems to be shaping CISA's latest outreach effort. In announcing the revised schedule, CISA Acting Director Nicholas Andersen said the agency is seeking to maximize CIRCIA's cybersecurity benefits while minimizing unnecessary burdens on critical infrastructure organizations. CISA also said it received requests for additional engagement on the proposal and views of the town halls as an opportunity to gather comments from affected sectors before finalizing the rule. Stakeholders are also closely watching whether the agency modifies reporting timelines, reporting fields and data collection requirements to better align with existing disclosure obligations imposed by sector regulators, state governments and, in some cases, the Securities and Exchange Commission. The town halls may also provide the clearest indication yet of how much the Trump administration intends to reshape a rulemaking largely developed during the previous administration. CISA originally faced an October 2025 deadline to complete the rulemaking process but pushed the effort into 2026 amid multiple government shutdowns, extensive industry feedback and ongoing debates over the proposal's scope, reporting thresholds and compliance burden.
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    May 29, 2026
    Archived
    May 29, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗