Cybersecurity 2025

USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields

development and it is currently estimated they will go into effect at the end of 2026. The regulation, released in draft form on 4 April 2024, purports to further define the categories of entities and incidents subject to the reporting regime. The scope of application under CIRCIA is intentionally broad, encompassing entities across all 16 critical infrastructure sectors, as identified by the DHS. These sectors include industries vital to public safety, economic stability, and national security, such as the chemical, critical manufacturing, defence industrial base (DIB), energy, financial services, healthcare, and IT industries.

Sector-Specific Regulations

• Energy – the Federal Energy Regulatory Commission (FERC) enforces the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards, requiring electric utilities to secure cyber-assets, manage supply chain risks, and report incidents under Section 215 of the Federal Power Act (FPA).
• Transportation – the Transportation Security Administration (TSA) mandates cybersecurity for pipeline, rail and aviation operators through directives requiring incident reporting, risk mitigation, and security plans.
• Water and waste water systems – the Environmental Protection Agency (EPA) enforces cybersecurity requirements under America’s Water Infrastructure Act (AWIA), requiring utilities serving more than 3,300 people to assess risks and enhance cybersecurity protections.
• Nuclear – the National Nuclear Security Administration (NNSA) and Nuclear Regulatory Commission (NRC) enforce cybersecurity for nuclear facilities and contractors handling classified data, with strict protections under Title 10, Code of Federal Regulations (CFR) Part 73 and the Department of Energy Cybersecurity Program Plan (CSP).
• DIB – the Cybersecurity Maturity Model Certification (CMMC) and DFARS 252.204-7012 require defence contractors handling Controlled Unclassified Information to meet National Institute of Standards and Technology (NIST) SP 800-171 standards for cybersecurity, and separate departmental requirements obligate certain entities to report identified categories of cyber-incidents.
• Healthcare – HIPAA mandates cybersecurity protections for electronic protected health information (“ePHI”) under the HIPAA Security Rule, with breach reporting obligations under the HIPAA Breach Notification Rule. See 6.3 Cybersecurity in the Healthcare Sector for more on HIPAA.
• Other entities handling personal health records – entities not regulated by HIPAA that handle personal health records (PHRs) are required to notify affected individuals under the FTC’s Health Breach Notification Rule (HBNR).

2.2 Critical Infrastructure Cybersecurity Requirements

In the USA, critical infrastructure cybersecurity is governed by sector-specific regulations designed to address the unique risks faced by each industry. These requirements aim to enhance resilience against cyberthreats by mandating proactive risk management, incident reporting, and adherence to best practices. There are a number of sector-specific cybersecurity requirements, as follows.

• Energy sector – the FERC’s CIP Standards require cybersecurity plans, access controls, and periodic risk assessments.

348 CHAMBERS.COM