On March 27, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) within the US Department of Homeland Security released a much-anticipated notice of proposed rulemaking (NPRM) to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Under the proposed rule, covered entities will have 72 hours to report to CISA a “covered cyber incident” and 24 hours to report a ransom payment (even if it is not a payment associated with a covered incident). The proposed rule, if adopted in its current form, will substantially expand on existing US cyber incident reporting requirements and have important implications for how relevant companies respond to cyber incidents. CISA expects to publish a final rule by late 2025, with reporting likely beginning in 2026.