API Marketplace

Solutions

Resources

Our Company

Book a Demo

← Back to Glossary

CIRCIA Cyber Incident Reporting Law

United States2022CybersecurityTax & Reporting

Overview

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law in March 2022 as part of the U.S. effort to improve national cybersecurity response and resilience. CIRCIA mandates that covered entities report certain cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within specified timeframes.

The law applies to entities in critical infrastructure sectors, including financial services, healthcare, energy, transportation, telecommunications, manufacturing, and government services. CISA is responsible for defining reportable incidents and issuing implementing regulations. As of 2025, final rules are expected by 2025, with full enforcement anticipated within 18 months of issuance, requiring organizations to establish comprehensive incident response frameworks and authentication protocols to meet federal reporting obligations and enhance national cyber resilience through advanced biometric verification systems that ensure proper access controls and accurate incident tracking capabilities.

Key Obligations

Report covered cyber incidents to CISA within 72 hours of discovery
Report ransomware payments to CISA within 24 hours of payment
Preserve incident data and evidence as required

Cooperate with CISA in information-sharing and threat mitigation
Update reports if new relevant information becomes available
Protect proprietary and security-sensitive data during disclosures

Stay ahead of risk with Signzy

Explore tools that help you onboard, monitor, and verify with confidence

Identity Verification

Use facial match and liveness checks paired with government ID verification to validate users while onboarding.

Transaction Monitoring

Monitor transactions in real-time and analyse past behaviour to identify suspicious activities and ensure regulatory compliance across the user journey.

AML Screening

Screen users against Politically Exposed Persons (PEP), watchlists, sanctions lists, adverse media, and more through one-time screening and advanced monitoring.

Related Regulations

SEC Cyber Disclosure Rules

GLBA Safeguards Rule Compliance

NYDFS Part 500 Cybersecurity Rule

FAQ

Who is considered a covered entity under CIRCIA?

Covered entities will be defined by CISA, focusing on those operating in critical infrastructure sectors.

Are the reporting deadlines final?

Yes. The statute specifies 72 hours for incidents and 24 hours for ransomware payments, though CISA may clarify how these are counted.

What types of incidents must be reported?

Substantial incidents like data breaches, denial-of-service attacks, or supply chain compromises with operational impact.

Is this law already in effect?

Yes, the law is enacted, but full compliance will be required only after CISA publishes final rules expected in 2025.