The useful thing about a reporting deadline is that it does not care who owns the Slack channel. If CISA's pending breach reporting rule lands on the September track Bloomberg Law reported, the first compliance problem will not be prose. It will be whether an incident record, a legal assessment, and a federal reporting handoff can find each other quickly enough. ## The date that matters is a release target Bloomberg Law reported on July 6, 2026, that the Cybersecurity and Infrastructure Security Agency is targeting a September release for its breach reporting rule. MeriTalk, citing a regulation document, also reported that CISA plans to finalize a cybersecurity incident reporting rule in September. That is not the same thing as immediate enforcement, and the evidence provided here does not state a first fine date. It is, however, a practical signal to stop treating breach reporting as a document drafted after the incident call ends. MeriTalk ties the rule to the Cyber Incident Reporting for Critical Infrastructure Act of 2022, known as CIRCIA, and reports that CISA published its notice of proposed rulemaking on April 4, 2024. Inside Privacy covered CISA's delay of the cyber incident reporting rule on September 5, 2025. Put together, the sequence is less dramatic than it is operational: Congress created the reporting mandate, CISA proposed details, the process slipped, and the agency is now aiming at September. ## What the rule is actually about MeriTalk reports that the regulation would require critical infrastructure entities to report major cyber incidents and ransomware payments directly to CISA under the 2022 law. It further states that critical infrastructure entities would be required to report substantial cyber incidents within 72 hours and ransomware payments within 24 hours. Those two clocks are the part builders should tape to the incident response runbook, preferably before anyone is deciding whether an outage is merely embarrassing or legally reportable. This does not mean every software vendor suddenly has a federal breach report due whenever a dashboard turns red. Based on MeriTalk's summary, the rule is aimed at critical infrastructure entities and implements CIRCIA's reporting requirements for covered cyber incidents and ransom payments. The scope question still matters, especially for vendors serving regulated infrastructure customers. If your customer is likely to ask for incident evidence inside a 72 hour window, your contract may become the practical enforcement mechanism before CISA ever sends a letter. ## The workflow hidden inside the deadline The 72 hour and 24 hour windows reported by MeriTalk are not just legal timers. They are design constraints for incident response tooling, ticket taxonomies, log retention, and escalation paths. A team that discovers an incident at 2 a.m. needs a record of who noticed what, which systems were affected, what evidence was preserved, and who can decide whether CISA reporting is triggered. That is a workflow question wearing a legal hat. The useful preparation is boring, which is how compliance usually announces it is real. Companies should map who receives security alerts, who can classify an event as potentially reportable, who preserves evidence, and who transmits information to legal or compliance. They should also check whether ransomware payment decisions flow through a separate finance, legal, or executive approval process, because MeriTalk reports a separate 24 hour window for those payments. The law may not require your internal diagram to be pretty. It does require the organization to function faster than a postmortem committee. ## The delay was the warning Inside Privacy's September 5, 2025, coverage framed the rule as delayed, which was useful if companies spent the extra time building muscle instead of waiting for the Federal Register to entertain them. CISA's own public page labels the program as the Cyber Incident Reporting for Critical Infrastructure Act of 2022, a reminder that this is not a voluntary information sharing campaign with a nicer logo. It is a statutory reporting regime moving toward final form. The next thing to watch is the final text, especially how CISA defines the entities and incidents that must report. Until then, the safest distinction is between what is already clear and what is still pending. Clear: critical infrastructure reporting is the target, and the reported windows are 72 hours for substantial cyber incidents and 24 hours for ransomware payments. Pending: the exact operational edge cases that will decide whether your vendor contract needs one new clause or three. For builders and learners, the September target is a calendar entry with engineering consequences. Incident response is becoming a compliance workflow, which means logging, preservation, escalation, and reporting handoffs need owners before the rule arrives. Watch the final rule for scope definitions, but do not wait for it to invent your process. Regulators rarely fine companies for having too much evidence and too clear an escalation path. ## Sources - Cyber Agency Targets September Release of Breach Reporting Rule
- CISA Eyes September Date for Final Cyber Incident Reporting Rule
- CISA Delays Cyber Incident Reporting Rule for Critical Infrastructure
- Cyber Incident Reporting for Critical Infrastructure Act of 2022, CISA
Sources
- Cyber Agency Targets September Release of Breach Reporting Rule
- CISA expects to finalize key cyber reporting rule by September - Nextgov/FCW
- CISA Delays Cyber Incident Reporting Rule for Critical Infrastructure
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 ... - CISA
- CISA Seeks Additional Feedback on Cybersecurity Reporting Rules | Davis Wright Tremaine
- Cyber Agency Targets September Release of Breach Reporting Rule
- CISA Eyes September Date for Final Cyber Incident Reporting Rule – MeriTalk
- CISA expects to finalize key cyber reporting rule by September - Nextgov/FCW
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 ... - CISA
- CISA Delays Cyber Incident Reporting Rule for Critical Infrastructure