Expiry of the US Cybersecurity Information Sharing Law (CISA)
By Carlotta Kozlowskyj | 27 October 2025
Summary
The Cybersecurity Information Sharing Act of 2015 (CISA 2015) expired on 1 October 2025 after Congress failed to agree on its renewal.
The lapse of CISA 2015 risks weakening information sharing between the United States (US) government and the private sector, as companies no longer benefit from its liability protections when they share threat information.
This will highly likely weaken US cyber resilience and fragment the threat intelligence process.
Context
The Cybersecurity Information Sharing Act of 2015 (not to be confused with the Cybersecurity and Infrastructure Security Agency, which shares the CISA acronym) was a voluntary information-sharing framework that allowed companies to share cyber threat information with the US government and with each other in order to identify and defend against cyber threats. It protected companies from lawsuits, regulatory enforcement actions, and public disclosure obligations relating to threat indicators shared with the US government. The Department of Homeland Security was responsible for collecting cyber threat information and transmitting it to relevant agencies and organisations, thereby increasing cyber resilience capacity. Under the CISA framework, the volume of shared threat indicators rose from roughly 1 million in 2023 to more than 10 million in 2024.
These legal protections encouraged an information-sharing dynamic between the federal government and the private sector by granting private entities the explicit right not only to share cyber threat information but also to monitor and defend their own information systems, notwithstanding other laws that would otherwise restrict such monitoring. It enabled faster, freer sharing of cyber threat indicators across sectors. The law carried a 10-year sunset clause and lapsed on 1 October 2025 after Congress failed to reach a compromise on its renewal, despite months of debate and near-universal support from cybersecurity experts and the Trump administration. It is estimated that the failure to renew CISA 2015 could lead to an 80% decrease in information sharing. Nonetheless, the protections of CISA 2015 still apply to information shared before its expiry on 1 October.
Implications
With CISA 2015 lapsed, the legal framework under which information sharing now operates is unclear, leaving institutional gaps and uncertainty, and no alternative mechanism currently guarantees continuity of automated sharing. Companies no longer benefit from liability protection for sharing cyber threat information or for conducting defensive monitoring, because the statutory basis for that protection has expired. This will likely limit and slow the information companies provide to the government, even though such sharing is crucial to protecting critical infrastructure from cyberattacks. The 2015 law established an automated process for sharing cyber threat indicators in real time among its partners, including federal agencies. The absence of CISA 2015 will therefore likely leave US critical infrastructure more exposed to cyberattacks, a weakness that US adversaries may seek to exploit. It will also likely fragment cyber threat assessment, as different companies, states, and local governments may adopt divergent protocols for assessing cyber threats. This would leave some organisations better prepared than others to defend against cyber threats, creating weak links in the overall cybersecurity chain.
Forecast
Short-term (Now - 3 months)
It is likely that the institutional gap left by the expiry of CISA 2015 will undermine cross-sector cooperation between the US government and the private sector, significantly reducing threat intelligence sharing.
This will likely leave US companies and infrastructure more vulnerable to cyberattacks because threats are assessed more slowly.
Long-term (>1 year)
There is a realistic possibility that Congress will renew CISA 2015, given the Trump administration's support for it, or that an alternative information-sharing model will be adopted.
It is highly likely that, without a replacement for CISA 2015, US cyber defence will be fragmented, with uneven resilience across sectors and agencies.
It is likely that US cyber adversaries will try to exploit this fragmentation by targeting organisations with slower or weaker cyber defence mechanisms.