2026 is finally here. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) rules are expected to be finalized in May this year. In John Cena’s words, “the time is now.” Provided there is no extension, enforcement expectations will ensure that the gap between “we usually handle incidents this way” and “this is how reporting is supposed to work” is no longer theoretical.
First off, critical infrastructure operators must notify CISA within 72 hours of experiencing a substantial cyber incident. The window shrinks to 24 hours if a ransomware payment is made. This tight deadline leaves virtually no room for vacillation. Organizations will be expected to decide whether an incident is “substantial” while investigations are still incomplete and operational teams are still stabilizing systems. Delays caused by internal debate or uncertainty will translate directly into compliance risk. Further, the ransomware provision turns ransomware response into a regulated event, not a private negotiation. This, in turn, is expected to create pressure to move decision-making into a formal mode, rather than the current on-the-fly response.
What Most Organizations Look Like in 2025
| Area | Typical State in 2025 | Why This Is Still Risky |
|---|---|---|
| Awareness of CIRCIA | Leadership and security teams are aware of 72h / 24h requirements | Awareness does not translate into operational readiness |
| Incident classification | Early attempts to map “substantial incident” to business impact | Criteria remain vague, subjective, and inconsistently applied |
| Trigger for reporting | Reporting is discussed earlier in the IR process than before | Still treated as a downstream decision, not a built-in escalation point |
| Discovery definition | Teams acknowledge “reasonable belief” matters | Few organizations formally log when belief is formed |
| Decision authority | Reporting responsibility loosely assigned (e.g., “Security + Legal”) | Authority remains shared, which slows decisions under pressure |
| Ransomware response | Payment decisions more structured than before | Documentation is created after the fact, not in real time |
| 24h ransom reporting readiness | Known requirement, rarely rehearsed | Decision-to-report timeline remains untested |
| Evidence preservation | Some automation added for logs and alerts | Early impact and decision rationale still poorly captured |
| Documentation discipline | Incident templates updated to “include CIRCIA fields” | Templates exist, but are not used consistently during live incidents |
| Tolerance for uncertainty | Teams intellectually accept provisional reporting | Executives still resist reporting without high confidence |
| Cross-functional exercises | Tabletop exercises mention CIRCIA | Exercises rarely simulate 72h / 24h clock pressure |
| Third-party incidents | Vendor risk teams flag CIRCIA relevance | Dependency mapping and impact assessment remain slow |
| Vendor tooling expectations | Buyers ask vendors about “CIRCIA readiness” | Vendors respond with feature claims, not workflow support |
| Incident narrative | Early narratives drafted but frequently revised | Version control and consistency remain weak |
| Executive engagement | Executives briefed earlier than before | Still expect clarity before regulatory action |
For vendors, the new deadlines make decision speed and narrative clarity key buying criteria. Vendors whose products help customers quickly assess operational impact, correlate incidents to business services, and distinguish suspected from confirmed facts will gain relevance in a CIRCIA-driven environment. The deadlines effectively penalize tools that require prolonged tuning, manual correlation, or expert interpretation before conclusions can be drawn.
Sofia Ali, Associate Director & Principal Analyst, QKS Group, explains, “CIRCIA will redefine incident response: speed, clarity, and documented decisions will matter more than perfect investigations. Organizations will be judged not only on how well they respond to incidents, but on how quickly they can interpret uncertainty, make defensible decisions, and translate technical events into regulatory-ready narratives.”
However, the ransomware timeline is bound to leave vendors wondering whether they are responders, advisors, or documentation enablers. Customers will expect vendors involved in incident response, MDR, DFIR, and negotiation support to produce regulatory-ready documentation almost immediately after a payment decision is made. Vendors that treat ransom response purely as a containment or negotiation exercise may leave customers exposed if they cannot help provide timely, accurate reporting inputs.
The timeline will also affect evidence and timeline preservation. Vendors need to offer products that capture the key escalation points of an incident in real time or near real time. Vendors that enable snapshotting, versioned incident records, or structured incident summaries align naturally with the compressed reporting timelines and are likely to be favored over those that only surface investigation findings in a final report later. So, it is time to circle your wagons for CIRCIA.
