Cybersecurity protections for US companies at risk as key law nears expiration
A critical US law protecting companies that share cyber threat data is set to expire, raising fears of reduced collaboration and heightened vulnerability amid growing, AI-driven cyber threats.
As cyber threats grow, a vital legal safeguard encouraging US companies to share threat intelligence is on the verge of expiring.
The US Cybersecurity Information Sharing Act of 2015 (CISA 2015), which grants liability protection to firms that voluntarily share cyber threat data with peers and the federal government, is set to lapse at the end of the month unless Congress acts swiftly.
The potential loss of this law could leave companies, especially small and mid-sized organisations, isolated in defending against cyberattacks, including those powered by emerging technologies like agentic AI. Companies may revert to lengthy legal reviews without liability protection or avoid information-sharing altogether.
On 3 September 2025, the House Homeland Security Committee unanimously approved a bill to extend these protections, but it still needs full congressional approval and the president’s signature.
According to Bloomberg, the Cybersecurity and Infrastructure Security Agency (CISA) has suffered budget cuts and workforce reductions under the Trump administration. Despite the administration’s criticism of the agency, its nominee to lead CISA, Sean Plankey, has publicly supported extending CISA 2015.
Industry leaders warn that losing these protections could slow down vital threat coordination. ‘This is the last line of defence,’ said Carole House, a former White House cybersecurity advisor.
With the potential expiration of CISA 2015, industry-focused Information Sharing and Analysis Centres (ISACs), now numbering at least 28 in the USA, may serve as a fallback for cybersecurity collaboration.
While some ISACs already offer legal protections like NDAs and anonymous sharing, experts warn that companies may hesitate to participate without federal liability protections.
Complex legal agreements could become necessary, potentially limiting engagement. ‘You run the risk of some companies deciding it’s too risky,’ said Scott Algeier, executive director of the IT-ISAC, despite hopes for continued collaboration.
Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!