DHS Announces Virtual Town Halls on CIRCIA Final Rule

On February 13, 2026, the U.S. Department of Homeland Security (DHS) announced upcoming virtual town hall meetings scheduled for March 2026 regarding the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  The meetings will allow industry stakeholders to provide input to DHS to refine the “scope and burden” of the forthcoming CIRCIA final rule.

CIRCIA, signed into law in March 2022, requires DHS to issue regulations obligating “covered entities” operating in specific critical infrastructure sectors to report cyber incidents and ransom payments made in response to a ransomware attack to DHS’s Cybersecurity and Infrastructure Security Agency (CISA).  Critical infrastructure sectors within CIRCIA’s scope include communications, critical manufacturing, defense industrial bases, energy, financial services, food & agriculture, healthcare & public health, information technology, nuclear, transportation, and others.  DHS published a proposed rule in April 2024 and indicated that a final rule would follow within 18 months, but the March town halls mark the first CIRCIA regulatory action in nearly two years. 

How to Attend

The schedule for the upcoming town hall meetings, provided by DHS, is below.  Those interested in attending can register at www.cisa.gov/circia.

Sector-Specific Town Halls

• Chemical Sector; Water and Wastewater Sector; Dams Sector; Energy Sector; and Nuclear Reactors, Materials, and Waste Sector—March 9, 2026
• Commercial Facilities Sector; Critical Manufacturing Sector; and Food and Agriculture Sector—March 12, 2026
• Emergency Services Sector, Government Facilities Sector, Healthcare and Public Health Sector—March 17, 2026
• Communications Sector; Transportation Systems Sector; and Financial Services Sector—March 18, 2026
• Defense Industrial Base Sector and Information Technology Sector—March 19, 2026

General Sessions

• General Session 1: March 31, 2026
• General Session 2: April 2, 2026

Topics to be discussed

DHS’s announcement identified specific topics on which it is interested in receiving industry feedback, including:

• Potential approaches to harmonizing CIRCIA’s reporting requirements with other federal and state government cyber incident reporting regimes to avoid potential duplications or conflicts.
• Fine-tuning who will be considered “covered entities” under the rule.
• Examples of what would qualify as a substantial cyber incident under the rule.
• Content of reports.

Conclusion

CIRCIA rulemaking, when final, will likely impose new, mandatory cyber incident reporting requirements on hundreds of thousands of U.S. entities operating across a wide variety of industry sectors.  As the March townhalls could be the last chance for industry to weigh in on and potentially shape the final rule, entities operating in impacted sectors should strongly consider participating.  For questions about the town halls, CIRCIA and cyber incident reporting requirements more broadly, please contact our team.