← The Rulebook
Resilience Rulebook · Coming up

Upcoming pipeline — Critical Infrastructure

What's coming but not yet binding — proposed rules, enacted-but-not-in-force rules, and phase-in deadlines. Forward-looking dates move; confirm against the primary source before acting.

A WSquare Advisory analysis In partnership with Resilis
For information purposes only. Forward-looking dates move — several items are proposed or scheduled and can shift or be withdrawn. Not legal advice.
What's coming but not yet binding — proposed rules, enacted-but-not-in-force rules, phase-in deadlines and open comment windows. Sorted by date.
14
forthcoming items
12
proposed
0
not yet in force
2
phase-in deadlines
4
international (EU/UK/CA)
2021-04-06
next deadline
DateWhenInRegulator Rule / milestoneType
2021-04-061920d agoUSFERCCybersecurity Incentives
Proposed rule (NPRM) — not yet final.
Proposed
2021-12-061676d agoUSFCCResilient Networks; Disruptions to Communications; Disruptions to Communications
Proposed rule (NPRM) — not yet final.
Proposed
2022-11-071340d agoUSFERCIncentives for Advanced Cybersecurity Investment; Cybersecurity Incentives
Proposed rule (NPRM) — not yet final.
Proposed
2022-12-091308d agoUSFCCThe Uniendo a Puerto Rico Fund and the Connect USVI Fund, Connect America Fund
Proposed rule (NPRM) — not yet final.
Proposed
2022-12-231294d agoUSFCCEmergency Alert System; Wireless Emergency Alerts; Protecting the Nation's Communications Systems From Cybersecurity Thr
Proposed rule (NPRM) — not yet final.
Proposed
2024-04-29801d agoUSFCCAmendments to Resilient Networks Disruptions to Communications; New Considerations Concerning Disruptions to Communicati
Proposed rule (NPRM) — not yet final.
Proposed
2024-06-03766d agoUSCISACyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements
Proposed rule (NPRM) — not yet final.
Proposed
2025-02-05519d agoUSTSAEnhancing Surface Cyber Risk Management
Proposed rule (NPRM) — not yet final.
Proposed
2025-11-24227d agoUSFERCVirtualization Reliability Standards
Proposed rule (NPRM) — not yet final.
Proposed
2025-11-24227d agoUSFERCCritical Infrastructure Protection Reliability Standard CIP-003-11-Cyber Security-Security Management Controls
Proposed rule (NPRM) — not yet final.
Proposed
2026-06-309d agoUKUK_TELECOMRevised UK Telecommunications Security Code of Practice (draft 2026)
FORTHCOMING (proposed): a draft revision of the 2022 Telecommunications Security Code of Practice, published June 2026, updating the technical guidance public telecoms providers follow to meet their d
Proposed
2026-09-11in 64dEUEU_CRARegulation (EU) 2024/2847 — Cyber Resilience Act (products with digital elements)
Reporting obligations apply — actively-exploited-vulnerability & severe-incident reporting to ENISA.
Phase-in
2026-12-31in 175dUKUK_NISUK Cyber Security and Resilience Bill — expansion of the NIS regime
FORTHCOMING (proposed): the most significant reform of the UK NIS regime since 2018. Broadens scope to data centres and managed service providers, tightens incident reporting (notify within 24h, full
Proposed
2027-12-11in 520dEUEU_CRARegulation (EU) 2024/2847 — Cyber Resilience Act (products with digital elements)
Main obligations apply — secure-by-design, conformity assessment, CE marking.
Phase-in
Read before using. Forward-looking dates move — several items are proposed or scheduled and can shift or be withdrawn (confirm against the primary source before acting). US items come from the Federal Register; EU/UK/CA items are hand-curated (no bulk API), so their forthcoming set is only as complete as the registry's review cadence. This is an operator's outlook, not legal advice.

Turning this into an operating plan?

Knowing which rules bind you is step one. WSquare Advisory builds the operating capability behind compliance — the continuity, third-party, and recovery disciplines these regimes expect. If that's your challenge, let's talk.

Start a Conversation →