Key point: 2026 may be a pivotal year for organizations to monitor cyber incident reporting requirements—the voluntary sharing allowed under CISA 2015 remains available, but only through September, and regulations delineating who and how mandatory reporting requirements are managed under CIRCIA are coming.

Owner-operators in critical infrastructure sectors should monitor two federal initiatives regarding cybersecurity sharing and reporting. First, voluntary information sharing under CISA 2015 has been extended again, from January 30 to September 30, 2026. Second, CISA (the agency, not the law) is soliciting industry feedback as it resumes the rulemaking process for cyber incident reporting under CIRCIA.

CISA 2015: Voluntary Disclosures Extended

When Congress originally passed the law, the goal was to allow companies to voluntarily share information about cyber threats with the federal government to help improve the national cybersecurity posture. In return, these companies would receive certain legal protections, such as limits on how the information can be used by regulators and immunity from lawsuits. Originally, the law was scheduled to sunset on September 30, 2025, but as part of the compromise to reopen the government last fall, Congress renewed the law through January 30, 2026.

CISA 2015 continues to have its fair share of critics who argue that the law is overly broad, encroaches on privacy interests, and is ineffective at reducing cybersecurity risks. Supporters, however, argue it continues to be an initial step in the right direction, and its demise would remove the antitrust, FOIA, and liability protections that apply to sharing cyber threat intelligence.

For now, at least, Congress has decided “something is better than nothing” and has renewed the law a second time in this month’s Consolidated Appropriations Act, but only until September 30, 2026. Arguably, the most helpful step Congress could take would be to rename the statute to eliminate the duplicative use of the ‘CISA’ acronym, which refers to a cybersecurity law as well as a federal cybersecurity agency.

These temporary extensions keep the current voluntary sharing system in place without changing any of the law’s requirements and protections. Organizations should be aware that the future of voluntary cyber information sharing remains uncertain beyond the end of this fiscal year.

CIRCIA: Mandatory Disclosures on the Horizon

CIRCIA’s statutory text directs CISA to promulgate regulations by October 2025, but last September, CISA announced the final regulations would be delayed until May 2026. As part of its effort to refine the scope and burden of CIRCIA-mandated regulations, CISA announced seven virtual town halls between March 9 and April 2, 2026, to get stakeholder input. The first five events will be industry-specific, and the final two sessions will be general in nature.

Registration for these sessions is open at www.cisa.gov/circia.

Industry Sector | Date
Chemical Sector; Water and Wastewater Sector; Dams Sector; Energy Sector; and Nuclear Reactors, Materials, and Waste Sector | March 9, 2026
Commercial Facilities Sector; Critical Manufacturing Sector; and Food and Agriculture Sector | March 12, 2026
Emergency Services Sector, Government Facilities Sector, Healthcare and Public Health Sector | March 17, 2026
Communications Sector; Transportation Systems Sector; and Financial Services Sector | March 18, 2026
Defense Industrial Base Sector and Information Technology Sector | March 19, 2026

CISA also plans to hold two general town hall meetings:

General Session 1 | March 31, 2026
General Session 2 | April 2, 2026

To avoid any confusion in the discussion, the 72-hour and 24-hour deadlines for covered entities to notify CISA of an incident or a ransom payment are statutory requirements and cannot be altered by regulation. Hence, the topics for these town halls include: (1) the scope of covered entities, (2) the inclusion of cloud or managed service providers in the regulations, (3) definitions of ‘covered cyber incidents’ and ‘ransom payments’, (4) harmonization with other federal and state requirements, and (5) the reporting of ‘substantially similar’ events.

Conclusion

With CISA 2015 extended only briefly and CIRCIA rules still taking shape, organizations must prioritize agility and awareness in their compliance efforts. Now is the time for organizations to get engaged and update their internal policies to be ready for these changes.