
CIRCIA Compliance for Medical Device Manufacturers: Preparing for Mandatory Cyber Incident Reporting to CISA

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will require medical device manufacturers and other healthcare entities to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. This guide covers CIRCIA requirements, how they intersect with FDA cybersecurity obligations, which device companies are covered, and practical preparation steps.

Ran Chen
Global MedTech Expert | 10× MedTech Global Access
2026-05-17 · 13 min read

Why CIRCIA Matters for Medical Device Manufacturers

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in March 2022, but its implementing regulations have been in development for years. CISA published its Notice of Proposed Rulemaking (NPRM) in April 2024, originally targeting final rule publication by October 2025. That deadline slipped to May 2026, and as of April 2026, the final rule is likely to be delayed further due to federal appropriations lapses that forced CISA to cancel planned sector-specific town halls.

Despite the timeline uncertainty, the core reporting obligations are not expected to change from the proposed rule. Medical device manufacturers, as participants in the Healthcare and Public Health critical infrastructure sector, will be directly affected. Companies that use the remaining runway as preparation time will be in a fundamentally better position than those waiting for the final rule to appear.

This article explains what CIRCIA requires, how it overlaps with and differs from existing FDA cybersecurity obligations, which medical device companies are covered, and what practical steps you should take now.


What CIRCIA Requires

CIRCIA establishes two mandatory reporting obligations for covered entities:

72-Hour Cyber Incident Reporting

Covered entities must report any "substantial" cyber incident to CISA within 72 hours of reasonably believing the incident occurred. For healthcare and medical device companies, "substantial" means incidents likely to cause significant harm to national security, economic security, or public health. This includes:

  • Major loss of system confidentiality, integrity, or availability
  • Serious impacts on clinical operations or patient safety
  • Large-scale protected health information (PHI) breaches
  • Disruption of medical device functionality affecting patient care
  • Compromise of connected device infrastructure at scale

24-Hour Ransomware Payment Reporting

Covered entities must report any ransom payment resulting from a ransomware attack to CISA within 24 hours of making the payment. The obligation attaches to the payment itself, so it applies even where the underlying incident would not on its own qualify as a covered cyber incident. This requirement is designed to help authorities track and analyze ransomware trends and patterns across critical infrastructure sectors.

Required Information in Reports

CIRCIA reports must include specific data points:

Required Data Element | Description
Entity identification | Name and contact information of the covered entity
Covered sector | Which critical infrastructure sector the entity belongs to
Incident description | Date, duration, and nature of the incident
Affected systems | Description of covered systems, networks, or devices affected
Unauthorized access | Description of attacker access (if known) and TTPs used
Data categories affected | Types of data compromised, including whether PHI was involved
Individual impact | Approximate number of individuals affected, if applicable
Entity point of contact | Contact information for the entity's designated reporting lead

The "Substantially Similar" Exemption

CIRCIA includes a narrow exemption: if you have already reported a cyber incident to another federal agency under a separate law, and CISA has a formal agreement with that agency establishing equivalence, you may not need to file a separate CIRCIA report. However, these interagency agreements are still being developed, and the exemption is expected to be narrow. Do not assume your HIPAA breach notification, SEC cyber disclosure, or FDA medical device report satisfies CIRCIA — in most cases, dual reporting will be required.

Relationship to HIPAA Breach Notification

Healthcare entities are already subject to HIPAA's 60-day breach notification requirement. CIRCIA's 72-hour timeline is dramatically faster. A HIPAA-compliant organization that discovers a cyber incident on day 1 and files a HIPAA breach notification on day 45 would still need to file a separate CIRCIA report within 72 hours. These are independent obligations with different timelines, different recipients (HHS Office for Civil Rights vs. CISA), and different information requirements.

SEC Cyber Disclosure Rules

Publicly traded medical device companies face an additional layer: SEC cyber incident disclosure rules require reporting material cyber incidents on Form 8-K within 4 business days of determining that the incident is material. This means a publicly traded device manufacturer could face simultaneous reporting obligations to CISA (72 hours from reasonable belief that the incident occurred), the SEC (4 business days from the materiality determination), and potentially the FDA (if the incident involves a device vulnerability). Plan for this layered compliance reality, and note that the clocks start from different events.

CISA Enforcement Tools

CIRCIA empowers CISA to compel information from a covered entity it has reason to believe experienced a covered cyber incident or made a ransom payment but did not report it. The mechanism is escalating: CISA first issues a request for information, and if the entity does not respond it may issue a subpoena, with non-compliance referred to the Department of Justice for civil enforcement. This means CISA can proactively investigate incidents it learns about through other channels, including FDA safety communications, media reports, or third-party disclosures, and require entities to provide information even if they did not self-report.

Data Preservation Requirements

The proposed rule includes data preservation requirements. Covered entities must preserve specific types of data related to covered cyber incidents and ransom payments for a required period (proposed at 2 years in the NPRM). This includes logs, forensic data, incident documentation, and remediation records. Organizations that lack centralized logging and audit trail retention will struggle to meet both the reporting and preservation requirements.

Report Types

CISA proposed four report types under CIRCIA:

  1. Covered Cyber Incident Report — Filed within 72 hours of a substantial incident
  2. Ransom Payment Report — Filed within 24 hours of making a ransom payment
  3. Joint Report — Combining both incident and ransom payment when timing allows
  4. Supplemental Report — Required when substantial new information becomes available or when a ransom payment follows a previously reported incident

Who Is Covered: Medical Device Manufacturers

CIRCIA applies to organizations within 16 critical infrastructure sectors. The Healthcare and Public Health sector is explicitly covered. Within this sector, medical device manufacturers fall under CIRCIA's scope in several ways:

Direct Coverage

Medical device manufacturers that operate as "covered entities" under CIRCIA will be required to report. The proposed rule defines coverage in two ways: by size (entities in a critical infrastructure sector that exceed the Small Business Administration's small business size standard for their industry) and by sector-based criteria, and the specific criteria are still being refined through the rulemaking process. CISA had scheduled sector-specific town halls for March and April 2026 (including a Healthcare and Public Health Sector session on March 17, 2026) to gather input on coverage thresholds, but these were cancelled due to the federal appropriations lapse.

Supply Chain Coverage

Manufacturers that supply connected medical devices to hospitals and health systems may face indirect obligations. Healthcare providers experiencing incidents involving your devices may identify your product as the affected system in their CIRCIA reports, triggering downstream inquiry from CISA.

Overlap with FDA Section 524B

CIRCIA sits alongside FDA's existing cybersecurity requirements under Section 524B of the FD&C Act, which requires manufacturers of "cyber devices" to have processes for:

  • Designing, developing, and maintaining processes and procedures to ensure device cybersecurity
  • Submitting a software bill of materials (SBOM) to the FDA
  • Implementing a coordinated vulnerability disclosure program
  • Providing postmarket cybersecurity updates and patches

The key difference: Section 524B governs how manufacturers design and maintain secure devices. CIRCIA governs how entities report incidents after they happen. Both apply simultaneously.


How CIRCIA Intersects with FDA Cybersecurity Obligations

Medical device manufacturers in 2026 face a layered cybersecurity compliance landscape:

Obligation | Scope | Timeline | Regulator
FDA Section 524B | Cyber devices (connected medical devices) | Effective since March 2023 | FDA
FDA Cybersecurity Guidance (Feb 2026) | Premarket submissions with cybersecurity content | Ongoing | FDA
FDA QMSR | QMS-level cybersecurity controls | Effective February 2, 2026 | FDA
CIRCIA | Covered critical infrastructure entities | Pending final rule (est. late 2026–2027) | CISA
EU CRA | Products with digital elements on the EU market | Phased 2025–2027 | EU Member States
EU NIS2 | Essential and important entities in the EU | Already in effect | EU Member States

Where They Overlap

CIRCIA and FDA cybersecurity requirements share common ground in incident response planning. The FDA's February 2026 cybersecurity guidance (updated for QMSR) already requires manufacturers to have postmarket vulnerability management, coordinated vulnerability disclosure programs, and incident response processes. These same processes will form the operational backbone of CIRCIA compliance.

Where They Differ

Dimension | FDA Obligations | CIRCIA Obligations
Focus | Device design and manufacturing security | Incident reporting after a breach
Trigger | Premarket submission, ongoing QMS | Substantial incident or ransom payment
Reporting to | FDA (as part of submissions) | CISA (standalone incident reports)
Deadline | Not deadline-driven (lifecycle) | 72 hours (incident), 24 hours (ransom)
Scope | Device manufacturers | All covered critical infrastructure entities
Enforcement | FDA warning letters, injunctions | CISA requests for information and subpoenas, with referral to the Department of Justice for civil enforcement

The CIRCIA Timeline: What Has Happened and What Comes Next

Date | Event
March 2022 | CIRCIA signed into law as part of the Consolidated Appropriations Act, 2022
September 2022 | CISA issued a Request for Information
April 2024 | CISA published the Notice of Proposed Rulemaking (NPRM) with a 60-day comment period
September 2025 | CISA announced a target to finalize the rule by May 2026
February 2026 | CISA announced sector-specific virtual town halls for March–April 2026
March 2026 | Town halls disrupted by the federal appropriations lapse; the Healthcare and Public Health session was originally scheduled for March 17
April 2026 | CISA confirmed the town halls would need to be rescheduled; final rule likely delayed beyond May 2026
Expected late 2026–2027 | Final rule publication, followed by an implementation period before reporting requirements take effect

The key takeaway: the regulatory timeline has shifted repeatedly, but the direction is clear. Mandatory cyber incident reporting for healthcare entities is coming. The reporting obligations (72-hour incident, 24-hour ransom) are not expected to change.


Practical Preparation Steps for Medical Device Manufacturers

1. Build an Incident Decision Tree

Create a clear internal decision framework that separates reportable covered cyber incidents from non-reportable events. The tree should reflect:

  • CIRCIA's proposed impact thresholds (substantial harm to public health, loss of system availability)
  • Your device-specific risk scenarios (what constitutes a patient safety impact for your product)
  • Severity ratings mapped to CIRCIA's "substantial incident" definition
  • Escalation rules from detection to legal review to CISA reporting
  • Clear role assignments for who makes the reporting decision
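The following is an added example, not code from the article or from CISA, of what the decision tree above looks like once it is written down as something a responder can run at 2 a.m. It classifies a constructed incident against the proposed "substantial" triggers, picks which of the four proposed report types apply (Covered Cyber Incident, Ransom Payment, Joint, or Supplemental), and lays out the stacked CISA, SEC and HIPAA clocks described earlier so the earliest one drives the legal-review SLA. The thresholds PHI_LARGE_SCALE and AVAILABILITY_MAJOR_HOURS, the Incident field names, the scenario dates and the simplifications noted in comments (weekends-only business days, SEC clock started at detection) are assumptions for illustration, not text from the proposed rule.

```python
"""Incident triage helper for the decision tree above: is the event 'substantial',
which of the four proposed CIRCIA report types apply, and when does each stacked
regulatory clock (CISA, SEC, HIPAA) run out. Added illustration, not text from the
proposed rule; thresholds and field names are assumptions a manufacturer would set
from its own risk analysis."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed internal thresholds mapped to the proposed "substantial" triggers
PHI_LARGE_SCALE = 500            # assumption: PHI individuals you treat as "large-scale"
AVAILABILITY_MAJOR_HOURS = 24.0  # assumption: outage hours you treat as "major loss of availability"
CISA_INCIDENT_WINDOW = timedelta(hours=72)
CISA_RANSOM_WINDOW = timedelta(hours=24)
HIPAA_BREACH_WINDOW = timedelta(days=60)
SEC_8K_BUSINESS_DAYS = 4

@dataclass
class Incident:
    detected_at: datetime                  # when the entity reasonably believed an incident occurred
    patient_safety_impact: bool = False    # device function affecting patient care disrupted
    clinical_ops_disrupted: bool = False   # serious impact on customers' clinical operations
    phi_individuals: int = 0               # individuals whose PHI was exposed (0 = none)
    availability_loss_hours: float = 0.0   # duration of loss of system availability
    ransom_paid_at: Optional[datetime] = None
    publicly_traded: bool = False
    prior_cisa_report_filed: bool = False  # a Covered Cyber Incident Report already went to CISA

def is_substantial(inc: Incident) -> bool:
    """Any one trigger makes the incident 'substantial' under the assumed thresholds."""
    return (inc.patient_safety_impact or inc.clinical_ops_disrupted
            or inc.phi_individuals >= PHI_LARGE_SCALE
            or inc.availability_loss_hours >= AVAILABILITY_MAJOR_HOURS)

def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by weekdays only; federal holidays are ignored for simplicity."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current

def report_types(inc: Incident) -> list[str]:
    """Which of the four proposed CIRCIA report types this fact pattern calls for."""
    substantial = is_substantial(inc)
    if inc.ransom_paid_at is None:
        return ["Covered Cyber Incident Report"] if substantial else []
    if not substantial:
        return ["Ransom Payment Report"]      # a payment is reportable on its own
    if inc.prior_cisa_report_filed:
        return ["Supplemental Report"]        # payment followed an already-reported incident
    if inc.ransom_paid_at <= inc.detected_at + CISA_INCIDENT_WINDOW:
        return ["Joint Report"]               # both clocks still open: one filing covers both
    # Incident report already overdue; file it and the payment report separately
    return ["Covered Cyber Incident Report", "Ransom Payment Report"]

def reporting_calendar(inc: Incident) -> dict[str, datetime]:
    """Independent deadlines, earliest first; meeting one never satisfies another."""
    cal: dict[str, datetime] = {}
    if is_substantial(inc):
        cal["CISA covered incident (72h)"] = inc.detected_at + CISA_INCIDENT_WINDOW
    if inc.ransom_paid_at is not None:
        cal["CISA ransom payment (24h)"] = inc.ransom_paid_at + CISA_RANSOM_WINDOW
    if inc.phi_individuals > 0:  # assumption: any PHI exposure is scheduled as a presumptive breach
        cal["HHS OCR HIPAA breach notice (60 days)"] = inc.detected_at + HIPAA_BREACH_WINDOW
    if inc.publicly_traded and is_substantial(inc):
        # Assumption: materiality is determined at detection; the SEC clock runs from that determination
        cal["SEC Form 8-K (4 business days)"] = add_business_days(inc.detected_at, SEC_8K_BUSINESS_DAYS)
    return dict(sorted(cal.items(), key=lambda kv: kv[1]))

def next_deadline(inc: Incident) -> Optional[tuple[str, datetime]]:
    """The earliest filing due: the clock your pre-authorized legal review must beat."""
    cal = reporting_calendar(inc)
    return next(iter(cal.items())) if cal else None

def example_incident() -> Incident:
    """Constructed scenario: ransomware across a connected-device fleet at a public manufacturer,
    detected Thursday 2026-06-04 09:00 UTC, ransom paid the following afternoon."""
    return Incident(detected_at=datetime(2026, 6, 4, 9, tzinfo=timezone.utc),
                    patient_safety_impact=True, phi_individuals=1200, publicly_traded=True,
                    ransom_paid_at=datetime(2026, 6, 5, 15, tzinfo=timezone.utc))

def scenario(**overrides) -> Incident:
    """Variant of the constructed scenario with some fields changed."""
    return replace(example_incident(), **overrides)

if __name__ == "__main__":
    inc = example_incident()
    print(report_types(inc))  # ['Joint Report']
    for name, due in reporting_calendar(inc).items():
        print(f"{due:%a %Y-%m-%d %H:%M} UTC  {name}")
```

Running the constructed scenario shows the point that is easy to miss when planning around "72 hours": because the ransom was paid on Friday afternoon, the 24-hour payment clock closes Saturday at 15:00 UTC, a day and a half before the 72-hour incident clock, so the Joint Report must be ready for legal sign-off within that shorter window. Change one fact (for example set prior_cisa_report_filed=True) and the tree routes the payment to a Supplemental Report instead, which is exactly the kind of branch the escalation rules and role assignments above need to spell out in advance.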

2. Map Existing FDA Cybersecurity Processes to CIRCIA

If you already comply with FDA's cybersecurity guidance and Section 524B, you have much of the infrastructure CIRCIA requires. Conduct a gap analysis:

Existing FDA Process | CIRCIA Gap
Coordinated vulnerability disclosure (CVD) program | Extend to include CISA notification triggers
Postmarket vulnerability management | Add CIRCIA reporting timelines to escalation procedures
SBOM and component tracking | Use for faster incident identification and affected-system description
Security architecture documentation | Reference for describing affected systems in CIRCIA reports
Penetration testing and vulnerability scanning | Use findings to pre-classify incident severity
CAPA processes | Integrate CIRCIA reportable events into the existing CAPA workflow

3. Prepare Reporting Templates

Draft CIRCIA report templates in advance so you are not assembling them from scratch during a 72-hour window. Pre-populate the static fields (entity identification, sector, point of contact) and create fill-in sections for incident-specific data.

4. Pre-Authorize Legal Review

CIRCIA reports have legal implications. Your incident response plan must include legal review of any report before submission to CISA. With only 72 hours (or 24 hours for ransom payments), this review needs to be fast and pre-authorized. Options include:

  • Pre-clearing report templates with outside counsel
  • Establishing standing authorization for your Chief Information Security Officer (CISO) to file reports meeting pre-agreed criteria
  • Creating a decision matrix for when legal review is required versus when the CISO can file directly

5. Coordinate with Customers and Supply Chain

If a hospital using your device experiences a cyber incident, they may file a CIRCIA report that names your product. Prepare for this by:

  • Establishing communication protocols with key hospital customers for incident notification
  • Creating a process to rapidly determine whether an incident involving your device is a device defect (FDA reportable) or a hospital infrastructure issue (CIRCIA reportable by the hospital)
  • Documenting these protocols in your Quality Management System

6. Align with State Breach Notification Laws

CIRCIA does not preempt state reporting requirements. Dual reporting — to both CISA and state regulators — will be required in most situations. Map your state breach notification obligations alongside CIRCIA requirements and build a unified reporting calendar that accounts for both.

7. Integrate into QMS Under QMSR

With the FDA's QMSR effective since February 2, 2026 (incorporating ISO 13485:2016), CIRCIA compliance should be built into your QMS as a regulatory requirement. Specifically:

  • ISO 13485 Clause 7.2.3 (Customer communication): Include incident notification obligations to CISA as part of your regulatory communication procedures
  • ISO 13485 Clause 7.3.3 (Design inputs): Consider CIRCIA reporting capabilities as a design input for connected devices (e.g., logging capabilities that support 72-hour reporting)
  • ISO 13485 Clause 8.2 (Monitoring): Include CIRCIA compliance metrics in your management review inputs
  • ISO 13485 Clause 8.5.2 (Corrective action): Integrate CIRCIA-reportable incidents into your CAPA system


Common Mistakes to Avoid

Waiting for the Final Rule

The most common and costly mistake is treating CIRCIA as a future problem. Building incident classification processes, reporting templates, legal review workflows, and QMS integration takes months. Organizations that start now will meet compliance deadlines comfortably. Those that wait will be racing against the clock.

Confusing FDA and CISA Reporting

FDA cybersecurity requirements and CIRCIA serve different purposes. FDA focuses on device design and lifecycle security. CISA focuses on national-level incident visibility. Complying with one does not satisfy the other. Both are mandatory.

Incomplete Incident Records

CIRCIA reports require detailed technical information about the incident. Organizations that lack centralized logging, audit trail retention, or incident documentation practices will struggle to compile accurate reports within the required timelines.

Ignoring Supply Chain Exposure

Medical device manufacturers may face CIRCIA exposure not just from their own incidents but from incidents at customers, suppliers, or cloud service providers that affect their devices. Build visibility into your supply chain's incident response posture.


Key Takeaways

  1. CIRCIA is coming for medical device manufacturers in the Healthcare and Public Health critical infrastructure sector. The final rule is expected by late 2026 or early 2027, with an implementation period before reporting requirements take effect.
  2. 72-hour incident reporting and 24-hour ransom payment reporting are the core obligations. These timelines are not expected to change.
  3. CIRCIA does not replace FDA cybersecurity requirements — it adds a separate reporting layer on top of existing device security obligations.
  4. Build CIRCIA compliance into your QMS now under QMSR/ISO 13485, not as a standalone process.
  5. Prepare reporting templates, decision trees, and legal workflows before the final rule arrives.
  6. Coordinate with customers and supply chain to manage indirect reporting exposure.
  7. Dual reporting to CISA and state regulators will be required in most situations — plan for both.