The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA or Pub. L. 117-58, Division Y) directed the United States Cybersecurity and Infrastructure Security Agency (CISA) to develop mandatory reporting requirements for covered entities in critical infrastructure sectors. After an extended rulemaking process, the reporting rules are advancing toward final form — and technology companies that supply products or services to critical infrastructure sectors need to understand what is coming and begin building the internal infrastructure to comply now, not after the first incident.

This post addresses what CIRCIA requires, who is covered, what the reporting timelines are, and what practical steps technology companies should be taking today to prepare.

What CIRCIA Requires

CIRCIA creates two categories of mandatory reports to CISA: covered cyber incident reports and ransom payment reports. Covered cyber incident reports must be submitted within 72 hours of a covered entity reasonably believing a covered cyber incident has occurred. Ransom payment reports must be submitted within 24 hours of making a ransom payment, regardless of whether the ransomware attack has been separately reported as a covered cyber incident.

The 72-hour clock is notably shorter than the SEC's four-business-day disclosure window for material cybersecurity incidents at public companies, and aligns more closely with the European Union General Data Protection Regulation (GDPR, EU Regulation 2016/679) 72-hour breach notification requirement to supervisory authorities. Companies operating across these frameworks will need a unified incident response process capable of satisfying multiple simultaneous reporting obligations with different timelines, different recipients, and different content requirements.

Who Is a Covered Entity

CIRCIA defines covered entities by reference to the 16 critical infrastructure sectors identified in Presidential Policy Directive 21 (PPD-21): chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors and materials, transportation systems, and water and wastewater systems.

For technology companies, the critical insight is that "covered entity" is not limited to the operators of critical infrastructure. It can also extend to companies that provide essential technology, software, or services to covered sectors. An embedded systems company that supplies electronic control units (ECUs) to automotive manufacturers, a cybersecurity software company whose products protect energy management systems, a cloud services provider that hosts healthcare IT systems — all may qualify as covered entities depending on how CISA's final rules define the sector boundaries.

The final rules include size-based thresholds that exempt small businesses in some circumstances, but technology companies in the covered sectors that exceed those thresholds — particularly Tier 1 (first-tier) automotive suppliers, defense industrial base contractors, and IT product companies — should assume they are covered entities and plan accordingly.

What Counts as a Covered Cyber Incident

A covered cyber incident is one that meets a substantial cyber incident threshold — meaning it has a significant impact on the integrity, confidentiality, or availability of covered systems; disrupts business or industrial operations; or involves unauthorized access to operational technology systems. CISA's proposed rules indicate that the threshold is designed to capture incidents that are material to the covered entity's operations, not every routine security event.

For embedded systems companies and automotive suppliers, the operational technology dimension is particularly significant. An intrusion into an information technology (IT) network that does not reach operational technology (OT) systems may or may not cross the threshold. An incident that affects the availability or integrity of systems that control physical processes — a vehicle ECU, an industrial control system, a medical device — is almost certainly a covered cyber incident under any reasonable reading of the rule.

What the Report Must Contain

Within the 72-hour window, covered entities must provide: a description of the covered cyber incident including the date range, nature of the incident, and systems affected; a description of the vulnerabilities exploited; indicators of compromise (IOCs) where available; the category of information accessed or exfiltrated; the impact on operations; and contact information for the covered entity's point of contact.

Seventy-two hours is a very short window. Companies that have never been through a significant cybersecurity incident routinely underestimate how chaotic the first 24–48 hours of incident response are. The teams managing technical remediation are simultaneously being asked to preserve evidence, notify insurers, brief executive leadership, assess customer notification obligations, and now prepare a regulatory report. Companies that build the report template and the internal coordination process before the incident occurs are far better positioned than those improvising under pressure.

Interaction with ISO/SAE 21434:2021 (Road Vehicles — Cybersecurity Engineering) and UNECE WP.29 for Automotive Companies

Automotive companies and their Tier 1 (first-tier) and Tier 2 (second-tier) suppliers operating under ISO/SAE 21434 already have incident response obligations embedded in their Cybersecurity Management System (CSMS) requirements. United Nations Economic Commission for Europe (UNECE) Regulation No. 155 (WP.29) (Cyber Security and Cyber Security Management System), which is binding in type-approval jurisdictions including the EU, Japan, South Korea, and others, requires original equipment manufacturers (OEMs) to monitor, detect, and respond to cybersecurity incidents across the vehicle fleet lifecycle.

CIRCIA adds a U.S. government reporting obligation on top of existing CSMS incident management processes. Companies that have properly implemented ISO/SAE 21434 should already have the technical incident detection and characterization capability that CIRCIA reporting requires. What they may lack is the regulatory reporting process — the specific 72-hour workflow, the designated CISA reporting point of contact, the pre-built report template — that translates a CSMS incident record into a compliant CIRCIA report.

guibert.law Insight

The companies that will struggle most with CIRCIA compliance are those with strong engineering cybersecurity practices but weak regulatory interfaces. Good threat detection without a reporting workflow does not satisfy CIRCIA. The preparation required is partly technical and largely procedural — and the procedural preparation should begin before the rules are finalized, not after the first incident triggers the obligation.

Practical Preparation Steps

Regardless of where your company falls in the covered entity analysis, the following steps are appropriate now: conduct a covered entity determination and document your analysis; map your products and services to the 16 critical infrastructure sectors; identify your CISA reporting point of contact and register with CISA's reporting portal; draft your incident report template using CISA's published guidance; integrate CIRCIA reporting into your existing incident response plan alongside SEC disclosure, insurance notification, and customer notification workflows; and conduct a tabletop exercise that specifically tests the 72-hour reporting workflow.
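As an added illustration of the unified workflow the post describes (this is not code from the post, from guibert.law, or from CISA), the following Python script takes one incident record, computes each regime's reporting deadline from the clocks quoted above (72 hours from reasonable belief for a CIRCIA covered incident, 24 hours from a ransom payment, the SEC four-business-day window, and the GDPR 72-hour window), identifies which clock expires first, and checks a draft report against the CIRCIA content items listed earlier. The report field names, the start of the SEC clock (taken here to be the materiality determination), and the weekend-only business-day calendar are assumptions; the sample incident and its timestamps are constructed.

```python
"""Multi-regime incident reporting deadline tracker and CIRCIA report
completeness check. Added illustration only: the field names and the
calendar rules are assumptions, not CISA's template or any legal form."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Content items the post lists for the 72-hour CIRCIA report (assumed key names).
CIRCIA_REQUIRED_FIELDS = (
    "incident_description",     # nature of the incident
    "date_range",
    "systems_affected",
    "vulnerabilities_exploited",
    "information_category",     # category of information accessed or exfiltrated
    "operational_impact",
    "point_of_contact",
)
# IOCs are required only "where available", so they are recommended, not blocking.
CIRCIA_RECOMMENDED_FIELDS = ("indicators_of_compromise",)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp; every clock below is kept in UTC."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class IncidentRecord:
    """One incident; each optional timestamp starts a separate regulatory clock."""
    reasonable_belief_at: datetime                        # CIRCIA: 72 hours
    ransom_paid_at: Optional[datetime] = None             # CIRCIA: 24 hours
    materiality_determined_at: Optional[datetime] = None  # SEC: 4 business days (assumed start)
    personal_data_aware_at: Optional[datetime] = None     # GDPR: 72 hours
    report: dict = field(default_factory=dict)            # draft CIRCIA report content


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by `days` business days. Simplification: only Saturday and
    Sunday are skipped; public holidays are not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current


def reporting_deadlines(rec: IncidentRecord) -> dict:
    """Map each applicable regime to its deadline as a UTC datetime."""
    deadlines = {"CIRCIA covered incident": rec.reasonable_belief_at + timedelta(hours=72)}
    if rec.ransom_paid_at is not None:
        deadlines["CIRCIA ransom payment"] = rec.ransom_paid_at + timedelta(hours=24)
    if rec.materiality_determined_at is not None:
        deadlines["SEC disclosure"] = add_business_days(rec.materiality_determined_at, 4)
    if rec.personal_data_aware_at is not None:
        deadlines["GDPR supervisory authority"] = rec.personal_data_aware_at + timedelta(hours=72)
    return deadlines


def next_due(rec: IncidentRecord) -> str:
    """Name of the regime whose clock expires first."""
    deadlines = reporting_deadlines(rec)
    return min(deadlines, key=deadlines.get)


def hours_remaining(rec: IncidentRecord, now: datetime) -> dict:
    """Hours left on every clock at `now`; a negative value means overdue."""
    return {name: (due - now).total_seconds() / 3600
            for name, due in reporting_deadlines(rec).items()}


def missing_circia_fields(rec: IncidentRecord) -> list:
    """Required report items that are absent or empty in the draft."""
    return [f for f in CIRCIA_REQUIRED_FIELDS if not rec.report.get(f)]


def sample_incident() -> IncidentRecord:
    """Constructed sample: OT-affecting ransomware recognised on a Friday
    afternoon, ransom paid Saturday morning. Dates are illustrative only."""
    return IncidentRecord(
        reasonable_belief_at=utc(2026, 3, 6, 14),   # Friday
        ransom_paid_at=utc(2026, 3, 7, 9),          # Saturday
        materiality_determined_at=utc(2026, 3, 6, 14),
        personal_data_aware_at=utc(2026, 3, 6, 14),
        report={
            "incident_description": "Ransomware on plant historian; OT HMI unavailable",
            "date_range": "2026-03-05 to 2026-03-06",
            "systems_affected": "historian, HMI network segment",
            "point_of_contact": "security@example.com",
            # vulnerabilities_exploited, information_category, operational_impact still blank
        },
    )


if __name__ == "__main__":
    rec = sample_incident()
    for name, due in reporting_deadlines(rec).items():
        print(f"{name:28s} due {due.isoformat()}")
    print("first clock to expire:", next_due(rec))
    print("missing CIRCIA items:", missing_circia_fields(rec))
```

In the constructed sample the ransom payment clock expires first, a day before the covered-incident report is due, which is the point of the post's observation that the two CIRCIA reports run on independent clocks; the completeness check shows three report items still blank, exactly the kind of gap a pre-built template and tabletop exercise are meant to surface before the real 72 hours start.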


Attorney advertising. The information in this post is provided for general informational purposes and does not constitute legal advice. Prior results do not guarantee a similar outcome. © 2026 guibert.law