Critical Infrastructure Cybersecurity Requirements Expand for 2026

Critical infrastructure cybersecurity requirements expanded significantly in late 2025, establishing mandatory security baselines across multiple sectors. The Cybersecurity and Infrastructure Security Agency finalized sector-specific performance goals, the Transportation Security Administration updated pipeline security directives, and the Environmental Protection Agency clarified water system cybersecurity expectations. Organizations operating critical infrastructure must map applicable requirements, assess current security postures against new baselines, and develop compliance roadmaps for 2026 implementation deadlines.

CISA sector-specific performance goals

CISA published finalized sector-specific cybersecurity performance goals extending the cross-sector baseline goals released in 2024. These sector-specific goals address unique risk characteristics and operational requirements of different critical infrastructure sectors. Covered organizations must implement applicable goals according to sector-specific timelines.

The energy sector performance goals address operational technology security, supply chain risk management, and incident response capabilities. Electric utilities, oil and gas operators, and renewable energy facilities face specific security requirements reflecting energy sector threat landscapes. Goals include network segmentation between IT and OT environments, vendor security assessment processes, and coordinated incident response with sector information sharing organizations.

Healthcare sector goals emphasize medical device security, patient data protection, and operational continuity. Hospitals, health systems, and medical technology providers must implement security controls protecting both patient safety and health information. Goals address connected medical device inventory, network isolation capabilities, and ransomware resilience.

Water and wastewater sector goals focus on process control system security, remote access controls, and chemical handling safety. Water utilities must implement security measures preventing unauthorized process changes that could affect water quality or public safety. Goals include multi-factor authentication for remote access, monitoring for anomalous process behavior, and coordination with state drinking water programs.

TSA pipeline security directive updates

The Transportation Security Administration updated pipeline security directives in late 2025, establishing enhanced requirements for pipeline owner/operators. Security Directive 2021-02E incorporates lessons learned from implementation experience and evolving threat intelligence. Updates address incident reporting, access controls, and security assessment requirements.

Incident reporting timelines tightened with requirements for initial notification within 12 hours of cybersecurity incident discovery. Detailed incident reports must follow within 72 hours including technical indicators, impact assessment, and response actions. Pipeline operators must establish reporting procedures meeting these accelerated timelines.

Access control requirements now mandate multi-factor authentication for all remote access to pipeline control systems without exception. Previous directives allowed limited exceptions that created security gaps. Updated directives eliminate these exceptions requiring thorough MFA deployment.

Annual cybersecurity assessments must be conducted by qualified third parties beginning in 2026. Self-assessments no longer satisfy directive requirements for covered operators. Organizations must identify qualified assessment providers and schedule assessments meeting the annual requirement.

EPA water system requirements

The Environmental Protection Agency clarified cybersecurity requirements for public water systems through updated guidance and enforcement expectations. While EPA lacks direct cybersecurity regulatory authority, agency officials indicated cybersecurity deficiencies may constitute violations of Safe Drinking Water Act sanitary survey requirements. This interpretation creates effective cybersecurity mandates for water systems.

State drinking water programs received EPA guidance for incorporating cybersecurity into sanitary surveys. Survey teams will assess cybersecurity practices as part of routine water system evaluations. Systems with significant cybersecurity deficiencies may face compliance actions including required corrective measures and potential enforcement.

EPA's Water Sector Cybersecurity Task Force published best practices for water utility cybersecurity. While formally voluntary, these practices establish expectations that inform sanitary survey assessments. Water systems should implement task force recommendations to avoid compliance findings.

Small water systems face particular challenges meeting cybersecurity expectations with limited resources. EPA and state programs offer technical assistance for small system cybersecurity improvement. Systems should use available assistance programs while implementing foundational security measures.

Financial sector cybersecurity evolution

Financial regulators continued strengthening cybersecurity expectations during 2025 with focus on third-party risk management and operational resilience. The Federal Reserve, OCC, and FDIC interagency guidance on third-party risk management establishes thorough due diligence and monitoring requirements. Financial institutions must demonstrate effective oversight of technology vendors and service providers.

NYDFS Cybersecurity Regulation second amendment compliance deadlines occur throughout 2026. New York-regulated financial services companies face enhanced requirements for board oversight, access controls, and incident response. The November 2025 deadline for third-party service provider requirements marked the first phase with additional requirements following.

SEC cybersecurity disclosure requirements prompted financial services firms to enhance board-level cyber risk governance. Mandatory incident disclosure creates accountability pressure for cybersecurity investment. Boards now engage directly with cybersecurity matters given disclosure and liability implications.

PCI DSS 4.0 full enforcement began in 2025 with enhanced requirements for payment card security. Organizations processing payment card data must implement updated controls including customized security approaches and targeted risk analysis. Payment security programs require updating for 4.0 compliance.

Healthcare critical infrastructure protections

Healthcare cybersecurity received increased federal attention following continued ransomware attacks against hospitals and health systems. HHS published updated guidance reinforcing HIPAA Security Rule requirements and announcing enhanced enforcement focus on cybersecurity compliance. Healthcare organizations should anticipate increased audit and enforcement activity.

The Healthcare Cybersecurity and Resiliency Act introduced in Congress would establish mandatory cybersecurity requirements for healthcare organizations. While not yet enacted, the legislation signals direction for healthcare cybersecurity policy. Organizations should track legislative progress and prepare for potential requirements.

Healthcare information sharing improved through expanded Health-ISAC participation and improved threat intelligence sharing mechanisms. Organizations not participating in healthcare sector information sharing should evaluate membership benefits. Sector-specific threat intelligence improves defensive capabilities.

Medical device cybersecurity requirements established by FDA premarket guidance affect healthcare organizations acquiring new connected medical devices. Purchasing requirements should include cybersecurity specifications aligned with FDA expectations. Legacy device risks require assessment and mitigation planning.

State and local government requirements

State cybersecurity requirements for local governments expanded during 2025 with multiple states establishing mandatory security standards. Local governments receiving state funding or operating critical services face baseline security requirements. States now condition grants and assistance on cybersecurity compliance.

State cybersecurity grant programs funded by the Infrastructure Investment and Jobs Act require cybersecurity planning as a condition of funding. Grant recipients must develop and implement cybersecurity plans meeting state-established standards. Local governments should align cybersecurity investments with grant requirements.

Multi-state information sharing organizations expanded coverage providing threat intelligence and incident response assistance to state and local governments. MS-ISAC membership grew substantially providing smaller governments access to security resources otherwise unavailable. Non-member governments should evaluate membership benefits.

Election infrastructure security received continued focus ahead of the 2026 election cycle. Election officials face requirements for voting system security, voter registration database protection, and election night reporting security. Election administrators should verify compliance with applicable security requirements.

International critical infrastructure coordination

US-EU critical infrastructure cybersecurity coordination advanced through structured dialogs and information sharing arrangements. Cross-border incident coordination procedures improved enabling faster response to threats affecting infrastructure in multiple jurisdictions. Organizations with transatlantic operations benefit from improved coordination mechanisms.

NATO critical infrastructure protection initiatives expanded cybersecurity components following geopolitical developments. Allied nations strengthened commitments to collective infrastructure defense. Organizations operating infrastructure supporting defense activities should understand applicable NATO requirements.

Five Eyes intelligence sharing on critical infrastructure threats continued providing participating nations with enhanced threat visibility. Intelligence-derived threat information now reaches infrastructure operators through sanitized briefings. Organizations should engage with sector-specific information sharing to receive available intelligence.

International standards harmonization reduced compliance burden for multinational infrastructure operators. IEC 62443 industrial cybersecurity standards gained broader regulatory recognition enabling consistent approaches across jurisdictions. Standards-based security programs simplify multinational compliance.

Compliance resource planning

Critical infrastructure organizations face significant compliance investment requirements for 2026. Multiple overlapping requirements from different authorities create complex compliance landscapes. Organizations should inventory all applicable requirements and develop consolidated compliance programs avoiding duplicative efforts.

Cybersecurity workforce shortages affect compliance program implementation capacity. Organizations may need to use managed security services, consultants, or shared services arrangements to access required expertise. Workforce planning should account for compliance program staffing requirements.

Technology investments required for compliance span security tools, monitoring systems, and network infrastructure. Budget planning should incorporate capital and operating expenses for compliance-driven technology deployments. Multi-year investment planning enables sustained compliance capability.

Executive and board engagement requirements increased across regulatory frameworks. Leadership must demonstrate active oversight of cybersecurity programs. Board briefing practices should evolve to meet regulatory expectations for governance involvement.

60-day priority list

• Inventory all applicable critical infrastructure cybersecurity requirements including sector-specific CISA goals.
• Assess current security posture against applicable requirements identifying compliance gaps.
• Develop 2026 compliance roadmap with milestone dates aligned to regulatory deadlines.
• Budget cybersecurity investments required for compliance including technology, services, and staffing.
• Engage third-party assessment providers for required external assessments.
• Update incident response procedures meeting accelerated reporting timelines.
• Brief executive leadership and board on compliance obligations and resource requirements.
• Establish or verify sector information sharing organization membership for threat intelligence access.

Bottom line

Critical infrastructure cybersecurity requirements expanded substantially in late 2025 creating mandatory security baselines across multiple sectors. Organizations operating critical infrastructure face compliance obligations from multiple authorities with deadlines throughout 2026. early compliance planning enables systematic implementation avoiding last-minute scrambles and potential enforcement actions.

Sector-specific requirements reflect unique risk characteristics requiring tailored security approaches. Generic cybersecurity programs may not satisfy sector-specific goals addressing particular operational technologies, data types, and threat scenarios. Organizations should evaluate whether existing programs adequately address sector-specific requirements.

Resource implications of expanded requirements are significant. Technology investments, expert staffing, and third-party services create substantial compliance costs. Organizations should incorporate compliance costs in budget planning and executive communication. Compliance investment reduces breach risk providing return beyond regulatory satisfaction.

Federal, state, and international requirements create complex compliance landscapes for organizations with broad operational footprints. Consolidated compliance programs addressing multiple requirements efficiently prove more effective than siloed approaches. Compliance frameworks should enable requirement mapping and evidence reuse across regulatory obligations.

This analysis recommends that critical infrastructure operators treat 2026 compliance deadlines as immediate priorities requiring near-term planning and resource allocation. The combination of mandatory requirements, enforcement activity, and elevated threat environments makes cybersecurity investment both required and prudent.

Similar analysis

Additional analysis covering similar themes.

Policy · Credibility 93/100 · December 4, 2025

EU AI Act Prohibited Practices and Compliance Deadline Approaches

The EU AI Act prohibited practices provisions approach their February 2025 enforcement deadline requiring organizations to eliminate prohibited AI systems. Social scoring, manipulation systems, and certain biometric…

Policy · Credibility 93/100 · November 19, 2025

EU AI Act Compliance Update: Implementation Timelines and Simplification Proposals

EU AI Act compliance continues to evolve with additional guidance from the AI Office. Keep tracking implementation updates, FAQ publications, and enforcement precedents. AI compliance is a moving target.

Policy · Credibility 90/100 · August 15, 2025

Indiana Consumer Data Protection Act: Compliance Requirements and Implementation

Indiana's privacy law is live. Residents can access, correct, delete their data and opt out of sales. Another state to add to your compliance checklist alongside Virginia, Colorado, Connecticut, and the rest.

Policy · Credibility 94/100 · April 8, 2024

Singapore Consults on Cybersecurity (Amendment) Bill

Singapore's Cybersecurity Act amendments strengthen the regulatory framework for critical information infrastructure. Expanded scope, enhanced penalties, and new oversight powers. Singapore continues to be a leader in…

Policy · Credibility 91/100 · March 2, 2023

White House releases U.S. National Cybersecurity Strategy

The National Cybersecurity Strategy release in March 2023 outlined the Biden administration's vision. Shifting security burden to vendors, protecting critical infrastructure, and international cooperation. A strategic…

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• AI Policy Implementation Guide

  Coordinate governance, safety, and reporting programmes that meet EU Artificial Intelligence Act timelines and U.S. National AI Initiative Act mandates while sustaining product…

• Digital Markets Compliance Guide

  Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…

• Semiconductor Industrial Strategy Policy Guide

  Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.

Coverage intelligence

Published

December 25, 2025

Coverage pillar

Policy

Source credibility

93/100 — high confidence

Topics

Critical Infrastructure · CISA Requirements · TSA Pipeline Security · EPA Water Systems · Sector Security · Compliance

Sources cited

3 sources (cisa.gov, tsa.gov, epa.gov)

Reading time

8 min

Further reading

1. CISA Sector-Specific Cybersecurity Performance Goals — cisa.gov
2. TSA Pipeline Security Directive 2021-02E — tsa.gov
3. EPA Water Sector Cybersecurity Task Force Recommendations — epa.gov