Privacy & Cybersecurity Law Blog

Congress has extended the Cybersecurity Information Sharing Act of 2015 (“CISA 2015”) through September 30, 2026 as part of the Consolidated Appropriations Act (the “Act”), a government funding package enacted in early February 2026. The Act revises the statute’s sunset date, allowing its provisions to remain in effect for an additional nine months.

CISA 2015 establishes a statutory framework for the voluntary sharing of cyber threat indicators and defensive measures between private entities and federal government agencies. The law provides certain liability protections and other legal safeguards for entities that share qualifying cybersecurity information in accordance with the statute’s requirements, including protections related to disclosure, privilege and regulatory use. The law also provides certain authorizations and protections for engaging in cybersecurity monitoring and operating defensive measures.

The statute was originally enacted with a ten-year sunset that expired on September 30, 2025. Following the expiration, Congress enacted a series of short-term extensions to maintain the law’s protections while lawmakers considered longer-term reauthorization. A temporary extension enacted in late 2025 reauthorized CISA 2015 through January 30, 2026, prior to the most recent extension.

The Act does not amend the substantive provisions of CISA 2015. The law’s existing framework, definitions and conditions remain unchanged. The Act solely extends the sunset date.

Absent further congressional action, CISA 2015 is now scheduled to expire on September 30, 2026.