On February 13, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) within the US Department of Homeland Security published a notice in the Federal Register announcing that it would hold a series of town halls to "allow external stakeholders a limited additional opportunity to provide input on refining the scope and burden" of the proposed rule that would implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Although CISA did not reopen the comment period, this announcement presents an opportunity for interested stakeholders to further inform CISA's approach to implementing this significant federal cyber incident reporting statute. More broadly, this notice signals CISA's continued focus on this rulemaking as it approaches May 2026, the date that CISA previously identified in a regulatory filing as the expected release date of a final rule.
As discussed in our prior Legal Update, on March 27, 2024, CISA released a much-anticipated notice of proposed rulemaking to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Under the proposed rule, covered entities will have 72 hours to report to CISA a "covered cyber incident" and 24 hours to report a ransom payment (even if it is not a payment associated with a covered incident). As proposed, the rule would substantially expand on existing US cyber incident reporting requirements and have important implications for how relevant companies respond to cyber incidents.
CISA now is hosting town hall meetings to seek "any specific, actionable improvements that CISA could implement in the final rule to clarify or reduce burden of CIRCIA's regulatory requirements while enhancing the federal government's visibility into the cyber threat landscape for critical infrastructure sectors." CISA further explains that "[i]nput that would be most useful are examples on how the [Notice of Proposed Rulemaking] may impact regulated entities and specific improvements, including how such suggestions would increase the benefit of CIRCIA to critical infrastructure owners and operators." Participates may also provide "data or specific written materials" within seven days of each town hall.
Subject to the ending of the partial government shutdown currently affecting DHS, CISA intends to host sector-specific town hall meetings throughout March and two general town hall sessions, with the final session on April 2. CISA will create a transcript for each of these sessions that will be entered into the CIRCIA rulemaking docket. CISA chose not to reopen the comment period at this time, but notes that it "may elect to do so in the future." In addition, if stakeholders want CISA to "consider data or specific written materials as part of a town hall meeting," they may email that information to CISA "no later than seven (7) calendar days after the meeting."
The CIRCIA rulemaking has significant implications for companies across many sectors. Interested companies and trade associations may therefore wish to participate in the upcoming town halls in order to further weigh in on the questions raised by CISA or other priority issues. And companies would be wise to view this notice as a signal that the CIRCIA rulemaking is moving forward once more. Companies should be prepared to revisit their assessments of CIRCIA's potential impact on their cyber incident response processes to ensure that they are well-positioned to respond if CISA does go forward with a final rule in the coming months.
Visit us at mayerbrown.com
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2026. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
