Title: Cybersecurity and Critical Infrastructure: Legal Obligations under the Cyber Incident Reporting for Critical Infrastructure Act, 2022
Authors: Chinelo Patience Umeanozie, Chuma Akana, Chukwuemezie Charles Emejuo
Volume: 9
Issue: 4
Pages: 38-54
Publication Date: 2025/04/28
Abstract:
In response to the increasing frequency and intensity of cyber threats in our international digital space, many countries have instituted laws requiring the mandatory reporting of cyber incidents. These legislative measures have been put in place to improve resilience both nationally and sectorally. Cyberattacks against critical infrastructure in the United States of America set off the passage of significant legislative measures including the Cybersecurity and Infrastructure Security Agency Act of 2022 (CIRCIA) and the Cyber Incident Reporting for Critical Infrastructure Act. The law was intended to address the federal government's lack of sufficient situational awareness of major cyberattacks. This paper will explore the legal obligations imposed by CIRCIA, especially the obligations on covered entities to report significant cyber incidents and any related ransomware payments. In addition to using comparative practices in similar jurisdictions, the analysis assessed relevant jurisprudence, legislative history, regulatory guidance, and statutory provisions using a doctrinal research methodology. The study found that CIRCIA established a new federal requirement for covered entities to report significant cyber incidents within 72 hours of a reasonable determination and any ransomware payments within 24 hours. Along with protecting submitted reports under statutory confidentiality provisions, the legislation also gave the Cybersecurity and Infrastructure Security Agency (CISA) the authority to issue subpoenas in cases of non-compliance. Despite the Act's progressive intentions, ambiguities in the criteria for "covered entities" and the definitional scope of "covered cyber incidents" were noted as possible barriers to successful implementation. In order to guarantee consistent compliance across industries, the study suggested that CISA's upcoming rulemaking process adopt explicit, sector-specific guidance.
Furthermore, it helped to create threat intelligence-sharing systems that support anonymization and greater public and private sector cooperation, so that the Act can succeed without putting private or sensitive commercial data at risk.