CIRCIA 72-Hour Reporting Rule 2026: NC Business Guide

CISA's CIRCIA final rule lands in May 2026 with 72-hour cyber incident and 24-hour ransom payment reporting. Here's what NC critical infrastructure businesses need to do.


TL;DR: The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) final rule lands in May 2026, requiring critical infrastructure entities to report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours. CISA estimates the rule applies to more than 300,000 entities across 16 critical infrastructure sectors. North Carolina manufacturers, defense contractors, water utilities, healthcare providers, and energy companies that exceed the SBA small business size standard need an incident reporting playbook before the first qualifying event.

Key takeaway: CIRCIA is the first federal rule that converts cyber incident reporting from a best practice into a 72-hour deadline backed by federal enforcement. The clock starts when you discover the incident, not when you finish the investigation.

Need a CIRCIA readiness review? Preferred Data Corporation helps NC critical infrastructure businesses build incident response and reporting playbooks. Call (336) 886-3282 or request a CIRCIA assessment.

What CIRCIA actually requires

CIRCIA was signed into law in 2022, but the implementing rule was delayed by CISA until May 2026 to harmonize with other federal cyber reporting frameworks and incorporate industry comments. The core obligations:

Trigger | Reporting deadline | Recipient
--- | --- | ---
Covered cyber incident | 72 hours after reasonable belief the incident occurred | CISA
Ransom payment | 24 hours after payment is made | CISA
Supplemental information (new material facts) | Promptly, as discovered | CISA
Records retention | 2 years from each report | Covered entity

A "covered cyber incident" generally means a substantial cyber event that causes serious harm or compromises the confidentiality, integrity, or availability of an information or operational technology (OT) system, or unauthorized access to data through compromise of a third-party service provider or supply chain.

Who CIRCIA applies to in North Carolina

The proposed rule covers entities operating in one of 16 critical infrastructure sectors AND exceeding the SBA small business size standard for the entity's industry. NC has heavy presence in several covered sectors:

Critical infrastructure sector | NC examples
--- | ---
Critical Manufacturing | Furniture, textiles, automotive, aerospace across the Piedmont Triad and Hickory
Defense Industrial Base | CMMC-bound contractors and subcontractors statewide
Healthcare and Public Health | Provider networks across Charlotte, Durham, Winston-Salem
Water and Wastewater | Municipal utilities across the Triad and Triangle
Energy | Power and natural gas distribution operators
Financial Services | Banks and credit unions exceeding SBA thresholds
Information Technology | NC IT and SaaS vendors that exceed SBA size standards
Communications | Regional telecom and wireless operators
Food and Agriculture | Food processors throughout eastern NC
Transportation Systems | Logistics and trucking firms above SBA size

For most NC manufacturers and contractors, the determinative test is the SBA size standard (often 500 employees or $7.5M to $47M in revenue depending on NAICS code), not the sector itself.

Key takeaway: Even if you do not believe you are "critical infrastructure," your NAICS code and revenue often make the decision for you. A 75-employee NC machine shop in critical manufacturing is in scope. A 30-employee professional services firm in the same sector might not be.

How CIRCIA reporting actually works

CISA's draft reporting form follows a structured Q&A. Typical content the covered entity must provide within 72 hours:

  • Description of the incident, including the date and time of discovery
  • Affected information systems, networks, and operational technology
  • Description of any vulnerabilities exploited, attack vector, or initial access method
  • Estimated impact, including data potentially compromised
  • Mitigation and response actions already taken
  • Identification of the threat actor, if known
  • Contact information for the incident response lead

A meaningful share of this content is unknown 72 hours in. The rule explicitly contemplates that the initial report is preliminary and supplements follow as facts emerge.

Building a CIRCIA-ready incident playbook

The realistic CIRCIA preparation problem for an NC small to mid-sized business is not "How do I file the report?" It is "How do I detect, decide, and document the incident inside 72 hours?" That requires four pre-built artifacts:

1. A defensible "is this a covered incident" decision tree

Most cyber events are not covered incidents under CIRCIA. A pre-built decision tree, signed off by counsel, lets the incident response team triage quickly:

  • Was there confirmed unauthorized access to regulated data that compromised its confidentiality?
  • Was operational technology (OT) impacted in a way that disrupted services?
  • Was there meaningful integrity or availability impact?
  • Was the cause a third-party service provider or supply chain compromise?

2. A named incident response lead with clear authority

A 72-hour clock cannot wait for an executive committee. The incident lead must be empowered to: declare an incident, engage outside counsel and DFIR, authorize containment actions, and approve the CISA report submission. PDC's managed cybersecurity clients typically pair an internal lead with an external incident response retainer.

3. A pre-drafted CISA reporting template

Filling out the CISA web form in real time during a live incident is a recipe for missing the deadline. A pre-drafted internal template that maps to the form fields shortens the clock significantly. Most templates include:

  • Standard incident description language
  • A populated entity profile (NAICS, employee count, sector designation)
  • The named reporting lead and contact path
  • Pre-mapped containment and remediation actions

4. A documented evidence preservation procedure

CIRCIA requires two-year records retention. That implies a defensible chain of custody for logs, images, and communications related to the incident. This is operationally easier with immutable backups and a defined evidence vault.

Ransom payments and the 24-hour clock

The 24-hour ransom payment reporting requirement deserves separate attention. It applies whenever a covered entity makes a ransom payment in response to a ransomware incident, whether or not the underlying incident itself qualifies as a covered cyber incident. Practical implications:

  • The decision to pay a ransom must consider the reporting obligation
  • Insurance coordination must happen before payment, not after
  • Counsel must be engaged before the wire is sent
  • The 24-hour clock begins at payment, not at incident discovery

Verizon's 2025 DBIR shows that ransom payment rates are at record lows, in part because better backups are eliminating the need to pay. CIRCIA reinforces that trend by adding a reporting cost to any payment decision.

Harmonization with other federal cyber reporting

A long-standing concern with CIRCIA was the risk of duplicative reporting against existing frameworks like the SEC cyber disclosure rule, HIPAA breach notification, DFARS 252.204-7012, and various state breach notification laws. CISA explicitly committed to harmonization in the final rule, including:

  • Limited duplication where another federal reporting obligation already applies
  • Information sharing across federal agencies to reduce burden
  • Substantially similar reporting recognition where state or sector frameworks already produce equivalent disclosures

Even with harmonization, NC critical infrastructure entities need a single playbook that addresses CIRCIA alongside HIPAA, CMMC, DFARS, and NC's state breach notification law.

Need to map your reporting obligations? Call Preferred Data Corporation at (336) 886-3282 or request a compliance gap assessment.

A 60-day CIRCIA readiness plan for NC businesses

Week | Action | Outcome
--- | --- | ---
1 to 2 | Confirm whether your entity is in scope (NAICS + SBA size) | Documented determination
3 to 4 | Build the covered incident decision tree with counsel | Triage capability
5 to 6 | Name and train the incident response lead | Authority in place
7 to 8 | Draft the CISA reporting template and evidence procedure | Ready to file
9 | Tabletop exercise with executive team | Validated readiness

For most NC businesses in scope, the total effort runs 40 to 80 internal hours plus an MSP engagement of similar size.

Why CIRCIA matters even if you are exempt

The SBA small business exemption excludes many NC firms by design. Two reasons even exempt businesses should care:

  • Vendor flow-down. Larger covered entities will push CIRCIA-aligned reporting expectations into their supplier contracts. An exempt 80-person manufacturer selling into a 1,000-person Tier 1 will face the same operational requirements through contract, not regulation.
  • Reputational baseline. CIRCIA is rapidly becoming the de facto standard for what a "responsible" incident response program looks like. Insurance carriers, lenders, and customers all reference it.

Key takeaway: Whether or not CIRCIA technically applies to your business, the 72-hour reporting expectation has become the cybersecurity governance benchmark. Building toward it is good business hygiene either way.

About Preferred Data Corporation

Preferred Data Corporation (PDC) is a managed IT and cybersecurity services provider headquartered in High Point, North Carolina, serving small and mid-sized businesses across the Piedmont Triad, Research Triangle, and Charlotte metro. PDC has supported NC manufacturers, defense contractors, healthcare networks, and water utilities for more than 37 years, including incident response planning, CMMC compliance, and federal cyber reporting readiness. BBB A+ accredited.

Frequently Asked Questions

When exactly does CIRCIA take effect?

CISA delayed the final rule to May 2026 to harmonize with other federal reporting frameworks. Final publication is expected in the coming weeks, with the rule effective shortly thereafter. NC businesses should treat May 2026 as the operative go-live and begin readiness work immediately.

How is "covered cyber incident" defined?

A covered cyber incident is broadly a substantial cyber event affecting confidentiality, integrity, or availability of information systems or operational technology, or unauthorized access through a third-party service provider or supply chain compromise. CISA's official rulemaking page maintains the operative definitions.

Does CIRCIA apply to a 75-person NC manufacturer?

It depends on the manufacturer's NAICS code and revenue. Critical manufacturing is a covered sector, and the SBA size standard for most manufacturing NAICS codes is 500 to 1,500 employees. A 75-person manufacturer with under $40M in revenue is typically exempt. Above the SBA standard, the manufacturer is in scope.

What happens if we miss the 72-hour reporting deadline?

The final rule will include enforcement mechanisms, including potential subpoenas, civil penalties, and referral to the Attorney General. The bigger practical risk for most NC businesses is reputational and contractual: missing the deadline often becomes a discovery item in subsequent insurance, customer, and government interactions.

Do we need an incident response retainer to comply with CIRCIA?

Not strictly, but most NC critical infrastructure businesses use one. A retained DFIR firm plus an MSP partner shortens the time from incident discovery to defensible CISA report from days to hours, and the contractual relationship eliminates the procurement friction during a live incident.

How does CIRCIA interact with our cyber insurance?

Carriers are already updating policy language and questionnaires to align with CIRCIA expectations. Your renewal will likely ask whether you have a CIRCIA-aligned incident response program, even if you are technically exempt. Cyber insurance premium hikes in 2026 reward businesses that can document a real program.