WASHINGTON — The federal cybersecurity-incident disclosure rules, which for nearly two years were the subject of contested rulemaking and a brief litigation pause, took effect on Monday. The disclosure window is meaningfully tighter than the industry's preferred framework, but it is consistent with the agency's view that anything longer would render the requirement useless.
The rules apply to a defined category of critical-infrastructure operators and require disclosure to the agency within 96 hours of a determination that an incident has material impact. The 96-hour window runs from that determination, not from the incident itself; measuring it from the determination was the principal concession the industry had sought on the timing question.
What the rules require
The required disclosure includes a summary of the affected systems, the assessed scope of the impact, the response actions underway, and an initial assessment of whether the incident appears to be the result of malicious activity or of accident. The disclosure is to the agency rather than to the public; public disclosure obligations remain governed by separate frameworks.
Updates are required as the underlying assessment matures. The structure of the update requirement gives operators flexibility on when to file updates while requiring that material new information be communicated within reasonable timeframes after it becomes available.
The materiality question
The materiality question is the part of the rules where the most operational interpretive work will happen. The agency has issued accompanying guidance that provides examples of incidents the agency considers material and incidents it does not, but the line between the categories is, in practice, fuzzy.
Operators are responding to the materiality uncertainty with a combination of caution — over-reporting where the line is unclear — and structured internal review processes that produce documented determinations. Both responses are, on the agency's framing, acceptable; the agency's position is that the rules will work themselves out through the accumulating practice of disclosure.
The international dimension
The international dimension of the rules has been, for the past several months, the subject of careful diplomatic conversation. Several allied jurisdictions have parallel frameworks that have, in some cases, evolved on different timelines and toward different specific requirements.
The agency has indicated it will work toward bilateral agreements with the most-affected jurisdictions to permit information-sharing arrangements that satisfy both jurisdictions' frameworks without requiring duplicate disclosures. The first such agreement is expected later this year.
The smaller-operator dimension
The smaller-operator dimension is the part of the framework that has been most consistently criticised. Smaller operators in the affected categories face compliance burdens that are, proportionally, substantially higher than the burdens larger operators face.
The agency has signalled it will issue scaled-compliance guidance for smaller operators within ninety days. Whether the scaling is sufficient to address the proportionality concerns is one of the questions the implementation will work through over the next year.