Cyber Incident Regulatory Clocks 2026
A cyber incident at a US-incorporated mid-market company with EU customers, payment-card data, or healthcare records routinely triggers six to nine regulatory clocks in parallel. This page lists all eight major clocks: the window each one runs, the trigger event that starts it, the source paragraph in law or regulation, and what a defensible response looks like. Updated May 2026.
SEC 8-K Item 1.05 - 4 Business Days
- Window: 4 business days from materiality determination
- Trigger: Materiality determination by the registrant (not incident discovery)
- What to file: Form 8-K, Item 1.05, describing the material aspects of the incident's nature, scope, and timing, plus material impact or reasonably likely material impact on the registrant.
- Who files: Registrant (the public company itself)
- Delayed disclosure: Available only with a written determination by the U.S. Attorney General that disclosure poses a substantial risk to national security or public safety. Notify SEC in writing.
- Penalty: SEC enforcement action, shareholder derivative suits, class actions citing untimely disclosure
- Source: 17 CFR 229.106 (Item 106 of Regulation S-K) and 17 CFR 240.13a-11 (8-K filing). SEC Final Rule 33-11216 (effective December 2023).
GDPR Article 33 - 72 Hours
- Window: Not later than 72 hours after becoming aware
- Trigger: Awareness of a personal data breach by the controller
- What to file: Notification to the competent supervisory authority including nature of breach, categories and approximate numbers of data subjects and records, likely consequences, and measures taken or proposed.
- Who files: Data controller. Processors must notify their controller without undue delay.
- Late notification: Permitted if accompanied by reasons for the delay
- Article 34 trigger: Notification to data subjects required when breach is likely to result in high risk to rights and freedoms
- Penalty: Up to 20 million euros or 4 percent of global annual turnover, whichever is higher (Article 83)
- Source: GDPR Articles 33 and 34. EDPB Guidelines 9/2022 on personal data breach notification under the GDPR.
NY DFS 23 NYCRR 500 - 72 Hours
- Window: 72 hours from determining a cybersecurity event has occurred
- Trigger: Determination that a cybersecurity event has occurred at the covered entity OR at a third party affecting the covered entity (expanded November 2023 amendment)
- Covered entities: Banks, insurance companies, money service businesses, and other entities regulated by NYDFS
- What to file: Notification to the NYDFS Superintendent via the DFS Cybersecurity Portal
- Additional reports: 72 hours for ransomware payments made by the covered entity. Annual CISO certification (Part 500.17(b)).
- Penalty: Fines, consent orders, and remediation requirements
- Source: 23 NYCRR 500.17(a) (notice) and 500.17(c) (ransomware payment). Amendment effective November 2023.
HIPAA Breach Notification Rule - 60 Days
- Window: Without unreasonable delay and no later than 60 days from discovery
- Trigger: Discovery of breach of unsecured protected health information (PHI)
- Individual notification: Required for all affected individuals within 60 days
- HHS Secretary notification: 500+ affected individuals: contemporaneously with individual notice. Under 500: annual log submitted within 60 days after year-end.
- Media notification: Required for breaches affecting 500+ residents of a state or jurisdiction. Notify prominent media outlets without unreasonable delay and within 60 days.
- Business Associate trigger: Business Associate must notify Covered Entity without unreasonable delay and no later than 60 days from discovery
- Penalty: $100 to $50,000 per violation, annual caps from $25,000 to $1.5 million per violation type
- Source: 45 CFR 164.404 (individual notice), 164.406 (media notice), 164.408 (HHS notice), 164.410 (BA notice)
PCI DSS Requirement 12.10 - Immediate (Brand-Dependent)
- Window: Immediate per payment-brand contracts; typically within hours of confirmed compromise
- Trigger: Confirmed or suspected compromise of cardholder data
- Required notifications: Acquiring bank, affected payment brands (Visa, Mastercard, American Express, Discover, JCB), payment processor
- Forensic investigation: Must engage a PCI Forensic Investigator (PFI) per brand requirements
- Penalty: Brand fines, ALLOC (Account Data Compromise) costs, increased interchange, loss of acquiring bank relationship
- Source: PCI DSS v4.0 Requirement 12.10 (Incident Response Plan and Notification). Brand-specific rules in Visa Core Rules, Mastercard SDP Program, American Express DSOP.
EU NIS2 Directive - 24h / 72h / 30d
- Stage 1: Early warning within 24 hours of becoming aware of the significant incident
- Stage 2: Incident notification within 72 hours with initial assessment
- Stage 3: Final report no later than one month after the incident notification
- Trigger: Significant incident affecting an essential or important entity (sector-specific criteria apply)
- Covered entities: Essential entities (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space) and important entities (postal, waste management, chemicals, food, manufacturing, digital providers, research)
- Recipient: National CSIRT or competent authority
- Penalty: Up to 10 million euros or 2 percent of global annual turnover for essential entities; up to 7 million euros or 1.4 percent for important entities
- Source: Directive (EU) 2022/2555 (NIS2) Article 23 (reporting obligations) and Article 21 (cybersecurity risk-management measures)
EU DORA Article 19 - 4h / 72h / 1mo
- Stage 1: Initial notification within 4 hours of classification as major ICT-related incident (and no later than 24 hours from awareness)
- Stage 2: Intermediate report within 72 hours of the initial notification
- Stage 3: Final report no later than one month after the intermediate report
- Trigger: Classification of an ICT-related incident as "major" per Joint Technical Standards classification criteria
- Covered entities: Credit institutions, payment institutions, investment firms, central counterparties, trading venues, insurance and reinsurance undertakings, crypto-asset service providers, and other financial entities under DORA scope
- Recipient: Competent authority of the financial entity's home Member State
- Significant cyber threat: Optional notification under Article 19(2)
- Effective: January 17, 2025
- Source: Regulation (EU) 2022/2554 (DORA) Article 19. European Banking Authority Joint Technical Standards on major incident reporting (2024).
US CIRCIA - 72 Hours
- Window (covered incident): 72 hours from reasonably believing the covered cyber incident has occurred
- Window (ransom payment): 24 hours from making a ransom payment
- Covered entities: Entities in the 16 critical infrastructure sectors defined by Presidential Policy Directive 21
- What to report: Covered Cyber Incident Reports and Ransom Payment Reports to CISA
- Effective: Notice of Proposed Rulemaking published April 2024. Final rule and effective date depend on rulemaking completion.
- Source: Cyber Incident Reporting for Critical Infrastructure Act of 2022, 6 USC 681b. CISA NPRM published April 4, 2024.
Parallel Clock Scenarios
Most mid-market organizations underestimate how many clocks fire on a single incident. Three representative scenarios:
Ransomware at a US public retailer with EU customers
- SEC 8-K Item 1.05 (4 business days from materiality determination)
- GDPR Article 33 (72 hours from awareness)
- PCI DSS (immediate per acquiring bank contract)
- OFAC ransomware advisory screening (before any payment)
- State breach laws for every US state with affected residents
- CIRCIA (72 hours if covered critical-infrastructure sector)
- Cyber insurance first-notice (per policy, typically 24 to 72 hours)
Healthcare data exfiltration at a covered entity with EU operations
- HIPAA Breach Notification Rule (60 days, plus 500+ media notice)
- GDPR Article 33 (72 hours)
- GDPR Article 34 (data subject notification if high risk)
- State breach laws for every US state with affected residents
- OCR investigation (HHS Office for Civil Rights)
- Cyber insurance first-notice
Wire fraud at a NYDFS-regulated financial institution with EU operations under DORA
- NY DFS 72-hour notification (23 NYCRR 500.17(a))
- DORA Article 19 (4h / 72h / 1mo)
- FinCEN Suspicious Activity Report
- SEC 8-K Item 1.05 if public and material
- Cyber insurance first-notice
- OFAC sanctions screening on the threat actor
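Working the clocks in the scenarios above from one incident record, as an added example (not IR-OS code): it uses only the windows listed on this page and assumes weekend-only business-day arithmetic (US federal holidays are not modelled) and leaves out the NIS2/DORA one-month final reports.

```python
# Added example, not IR-OS code: derive the parallel deadlines from one incident
# record using the windows listed on this page. Assumptions: business days are
# Monday-Friday (holidays not modelled); the NIS2/DORA one-month reports are omitted.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Incident:
    aware: datetime                             # entity becomes aware of the incident
    regimes: set = field(default_factory=set)   # regimes that apply to this entity
    materiality: Optional[datetime] = None      # SEC: materiality determination made
    dora_major: Optional[datetime] = None       # DORA: incident classified as major
    ransom_paid: Optional[datetime] = None      # CIRCIA: ransom payment made

def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by N weekdays; weekends skipped, holidays not (assumption)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d

def deadlines(inc: Incident) -> dict:
    out, r, h = {}, inc.regimes, lambda n: timedelta(hours=n)
    if "GDPR" in r:
        out["GDPR Art. 33 notification"] = inc.aware + h(72)
    if "NIS2" in r:
        out["NIS2 early warning"] = inc.aware + h(24)
        out["NIS2 incident notification"] = inc.aware + h(72)
    if "HIPAA" in r:
        out["HIPAA individual notice"] = inc.aware + timedelta(days=60)
    if "SEC" in r and inc.materiality:   # starts at the determination, not discovery
        out["SEC 8-K Item 1.05"] = add_business_days(inc.materiality, 4)
    if "DORA" in r and inc.dora_major:   # 4h from classification, capped at 24h from awareness
        out["DORA initial notification"] = min(inc.dora_major + h(4), inc.aware + h(24))
    if "CIRCIA" in r:                    # page: 72h from reasonably believing; awareness used as proxy
        out["CIRCIA covered incident"] = inc.aware + h(72)
        if inc.ransom_paid:
            out["CIRCIA ransom payment"] = inc.ransom_paid + h(24)
    return out

def ordered(inc: Incident) -> list:
    """Deadlines soonest first: the order the IR lead must work them."""
    return sorted(deadlines(inc).items(), key=lambda kv: kv[1])
```

Feed it a record with awareness on a Monday and a Wednesday materiality determination and the SEC deadline lands the following Tuesday, while the DORA initial notification falls due before the NIS2 early warning; clocks whose trigger has not yet happened simply do not appear.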
Frequently Asked Questions
When does the SEC 8-K Item 1.05 four-business-day clock start?
The SEC clock starts at the materiality determination, not at incident discovery. SEC guidance and the Compliance and Disclosure Interpretations from the Division of Corporation Finance indicate the materiality determination must be made without unreasonable delay. Companies cannot indefinitely defer the determination to delay disclosure. The four business days run from the date of the materiality determination.
Which cyber incidents typically trigger multiple clocks at once?
A ransomware incident at a US-incorporated public company with EU customers, payment-card data, and healthcare records can trigger SEC 8-K Item 1.05, GDPR Article 33, HIPAA (60 days), PCI DSS (immediate), NY DFS (72 hours) if applicable, CIRCIA (72 hours) if critical infrastructure, OFAC sanctions screening before any ransom payment, and state breach laws for every state where affected residents reside. Six to nine clocks running in parallel is common.
What is the penalty for missing a cyber breach notification deadline?
Penalties vary by regulator. GDPR maximum fines are 20 million euros or 4 percent of global annual turnover, whichever is higher. SEC penalties include enforcement actions and shareholder derivative suits. HIPAA tiers range from 100 dollars to 50,000 dollars per violation with annual caps from 25,000 dollars to 1.5 million dollars per violation type. NY DFS can impose fines and consent orders. Beyond fines, missing first-notice on cyber insurance can void coverage, and missed disclosures expose officers and directors to derivative suits.
Do these clocks apply to private companies?
GDPR, NY DFS, HIPAA, PCI DSS, NIS2, DORA, and CIRCIA apply regardless of public or private status, subject to each regulator's covered-entity definition. SEC 8-K Item 1.05 applies only to SEC registrants (public companies). However, private companies with SEC-registrant customers may face contractual notification obligations, and any company with cyber insurance has first-notice obligations under the policy.
How is the materiality standard for SEC 8-K Item 1.05 determined?
Materiality under federal securities law is whether a reasonable investor would consider the information important in making an investment decision (TSC Industries v. Northway). The SEC clarified in Item 1.05 that the assessment considers both quantitative impact and qualitative factors including reputational harm, customer or vendor relationships, and litigation or regulatory risk. The determination is the registrant's. Documentation of the determination is critical for defense if challenged.
How does IR-OS help with parallel regulatory clocks?
IR-OS runs all 8 clocks in parallel from a single incident record. Each clock cites its source paragraph in law or regulation. Clocks compute from materiality determinations, not from alert arrival, and automatically pause and resume when a declared materiality changes. Counsel of record reviews each draft. Submissions to regulators are captured back in the hash-chained ledger so the defensible record is complete.
Run every clock from one record
IR-OS tracks SEC, GDPR, NY DFS, HIPAA, PCI, NIS2, DORA, and CIRCIA in parallel from a single incident. Hash-chained defensible record. Counsel-reviewed drafts. Public verifier at app.ir-os.com/verify.