According to the U.S. government, more than 300,000 entities across almost every major industry could be covered under the U.S. Cybersecurity and Infrastructure Security Agency’s recently published Notice of Proposed Rulemaking (Proposed Rule) to implement the requirements of the Cyber Incident Reporting for Critical Infrastructure Act of 2022. In this second installment of a two-part guest article series, Covington attorneys offer practical actions covered entities should consider taking to prepare for when the final rule takes effect. They also discuss key provisions of the Proposed Rule, including data and records preservation requirements, limited exceptions and enforcement mechanisms, as well as next rulemaking steps. Part one examined the Proposed Rule’s significant definitions, including what entities and incidents are covered, and the time, manner and content of required reports. See our two-part series on the new era of cyber incident reporting and cybersecurity regulation: “Key Provisions” (Oct. 12, 2022), and “How Companies Should Prepare and Engage” (Oct. 19, 2022).