signzy

API Marketplace

downArrow

Solutions

downArrow

Resources

downArrow

Our Company

downArrow
Book a Demo
laptop
Logo
Responsive
Decorative line
← Back to Glossary

CIRCIA Cyber Incident Reporting Law

United States

United States

2022

Cybersecurity

Tax & Reporting

Overview

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law in March 2022 as part of the U.S. effort to improve national cybersecurity response and resilience. CIRCIA mandates that covered entities report certain cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within specified timeframes.
The law applies to entities in critical infrastructure sectors, including financial services, healthcare, energy, transportation, telecommunications, manufacturing, and government services. CISA is responsible for defining reportable incidents and issuing implementing regulations. As of 2025, final rules are expected by 2025, with full enforcement anticipated within 18 months of issuance, requiring organizations to establish comprehensive incident response frameworks and authentication protocols to meet federal reporting obligations and enhance national cyber resilience through advanced biometric verification systems that ensure proper access controls and accurate incident tracking capabilities.

Key Obligations

  • Report covered cyber incidents to CISA within 72 hours of discovery
  • Report ransomware payments to CISA within 24 hours of payment
  • Preserve incident data and evidence as required
  • Cooperate with CISA in information-sharing and threat mitigation
  • Update reports if new relevant information becomes available
  • Protect proprietary and security-sensitive data during disclosures

Stay ahead of risk with Signzy

Explore tools that help you onboard, monitor, and verify with confidence

Identity Verification

Identity Verification

Use facial match and liveness checks paired with government ID verification to validate users while onboarding.

Transaction Monitoring

Transaction Monitoring

Monitor transactions in real-time and analyse past behaviour to identify suspicious activities and ensure regulatory compliance across the user journey.

AML Screening

AML Screening

Screen users against Politically Exposed Persons (PEP), watchlists, sanctions lists, adverse media, and more through one-time screening and advanced monitoring.

Related Regulations

Decorative icon
SEC Cyber Disclosure Rules

Decorative icon
GLBA Safeguards Rule Compliance

Decorative icon
NYDFS Part 500 Cybersecurity Rule

FAQ

Who is considered a covered entity under CIRCIA?

Covered entities will be defined by CISA, focusing on those operating in critical infrastructure sectors.

Are the reporting deadlines final?

Yes. The statute specifies 72 hours for incidents and 24 hours for ransomware payments, though CISA may clarify how these are counted.

What types of incidents must be reported?

Substantial incidents like data breaches, denial-of-service attacks, or supply chain compromises with operational impact.

Is this law already in effect?

Yes, the law is enacted, but full compliance will be required only after CISA publishes final rules expected in 2025.