{"id":191044,"date":"2026-02-26T15:05:00","date_gmt":"2026-02-26T20:05:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/26\/navigating-cyber-disclosures-in-2026-a-limited-renewal-of-cisa-2015-and-take-two-on-finalizing-circias-reporting-regulations-husch-blackwell-llp\/"},"modified":"2026-02-26T18:35:14","modified_gmt":"2026-02-26T23:35:14","slug":"navigating-cyber-disclosures-in-2026-a-limited-renewal-of-cisa-2015-and-take-two-on-finalizing-circias-reporting-regulations-husch-blackwell-llp","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/26\/navigating-cyber-disclosures-in-2026-a-limited-renewal-of-cisa-2015-and-take-two-on-finalizing-circias-reporting-regulations-husch-blackwell-llp\/","title":{"rendered":"Navigating Cyber Disclosures in 2026: A Limited Renewal of CISA 2015, and \u201cTake Two\u201d on Finalizing CIRCIA\u2019s Reporting Regulations | Husch Blackwell LLP"},"content":{"rendered":"

Navigating Cyber Disclosures in 2026: A Limited Renewal of CISA 2015, and \u201cTake Two\u201d on Finalizing CIRCIA\u2019s Reporting Regulations | Husch Blackwell LLP<\/a><\/p>\n

https:\/\/www.jdsupra.com\/legalnews\/navigating-cyber-disclosures-in-2026-a-4676715\/<\/a><\/p>\n

Publish Date: 2026-02-26 15:05:00<\/a><\/p>\n

Source Domain: www.jdsupra.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n

Key point: 2026 may be a pivotal year for organizations to monitor cyber incident reporting requirements\u2014the voluntary sharing allowed under CISA 2015 remains available, but only through September, and regulations delineating who and how mandatory reporting requirements are managed under CIRCIA are coming.<\/p>\n

Owner-operators in critical infrastructure sectors should monitor two federal initiatives regarding cybersecurity sharing and reporting. First, voluntary information sharing under CISA 2015 has been extended again, from January 30 to September 30, 2026. Second, CISA (the agency, not the law) is soliciting industry feedback as it resumes the rulemaking process for cyber incident reporting under CIRCIA.<\/p>\n

CISA 2015: Voluntary Disclosures Extended<\/p>\n

When Congress originally passed the law, the goal was to allow companies to voluntarily share information about cyber threats with the federal government to help improve the national cybersecurity posture. In return, these companies would receive certain legal protections, such as limits on how the information can be used by regulators and immunity from lawsuits. Originally, the law was scheduled to sunset on September 30, 2025, but as part of the compromise to reopen the government last fall, Congress renewed the law through January 30, 2026.<\/p>\n

CISA 2015 continues to have its fair share of critics who argue that the law is overly broad, encroaches on privacy interests, and is ineffective at reducing cybersecurity risks. Supporters, however, argue it continues to be an initial step in the right direction, and its demise would remove the antitrust, FOIA, and liability protections that apply to sharing cyber threat intelligence.<\/p>\n

For now, at least, Congress has decided \u201csomething is better than nothing\u201d and has renewed the law a second time in this month\u2019s Consolidated Appropriations Act, but only until September 30, 2026. Arguably, the most helpful step Congress could take would be to rename the statute to eliminate the duplicative use of the \u2018CISA acronym,\u2019 which refers to a cybersecurity law as well as a federal cybersecurity agency.<\/p>\n

These temporary extensions keep the current voluntary sharing system in place without changing any of the law\u2019s requirements and protections. Organizations should be aware that the future of voluntary cyber information sharing remains uncertain beyond the end of this fiscal year.<\/p>\n

CIRCIA: Mandatory Disclosures on the Horizon<\/p>\n

CIRCIA\u2019s statutory text directs CISA to promulgate regulations by October 2025, but last September, CISA announced the final regulations would be delayed until May 2026. As part of its effort to refine the scope and burden of CIRCIA-mandated regulations, CISA announced seven virtual town halls between March 9 and April 2, 2026 to get stakeholder input. The first five events will be industry-specific, and the final two sessions general in nature.<\/p>\n

Registration for these sessions is open at www.cisa.gov\/circia.<\/p>\n

\t\t\tIndustry Sector
\n\t\t\tDate<\/p>\n

\t\t\tChemical Sector; Water and Wastewater Sector; Dams Sector; Energy Sector; and Nuclear Reactors, Materials, and Waste Sector
\n\t\t\tMarch 9, 2026<\/p>\n

\t\t\tCommercial Facilities Sector; Critical Manufacturing Sector; and Food and Agriculture Sector
\n\t\t\tMarch 12, 2026<\/p>\n

\t\t\tEmergency Services Sector, Government Facilities Sector, Healthcare and Public Health Sector
\n\t\t\tMarch 17, 2026<\/p>\n

\t\t\tCommunications Sector; Transportation Systems Sector; and Financial Services Sector
\n\t\t\tMarch 18, 2026<\/p>\n

\t\t\tDefense Industrial Base Sector and Information Technology Sector
\n\t\t\tMarch 19, 2026<\/p>\n

\t\t\tCISA also plans to hold two general town hall meetings:
\n\t\t\t\u00a0<\/p>\n

\t\t\tGeneral Session 1
\n\t\t\tMarch 31, 2026<\/p>\n

\t\t\tGeneral Session 2
\n\t\t\tApril 2, 2026<\/p>\n

To avoid any confusion in the discussion, the 72-hour and 24-hour deadlines for covered entities to notify CISA of an incident or a ransom payment are statutory requirements and cannot be altered by regulation. Hence, the topics for these town halls include: (1) the scope of covered entities (2) the inclusion of cloud or managed service providers in the regulations (3) definitions of \u2018covered cyber incidents\u2019 and \u2018ransom payments\u2019 (4) harmonization with other federal and state requirements, and (5) the reporting of \u2018substantially similar\u2019 events.<\/p>\n

[View source.]<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Navigating Cyber Disclosures in 2026: A Limited Renewal of CISA 2015, and \u201cTake Two\u201d on…<\/p>\n","protected":false},"author":1,"featured_media":191045,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/jdsupra-static.s3.amazonaws.com\/profile-images\/og.15872_4946.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-191044","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/191044"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=191044"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/191044\/revisions"}],"predecessor-version":[{"id":191046,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/191044\/revisions\/191046"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/191045"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=191044"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=191044"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=191044"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}