Just to clarify the headline, it's Congress and President Biden who are requiring critical infrastructure to report ransom and other cyber incidents, per a law enacted inside must-pass legislation in 2022: https://www.govtrack.us/congress/bills/117/hr2471/text/enr#l.... The law requires CISA to issue a regulation for how that would work in practice, which is what this is.