The final rule timeline remains fluid. CISA issued draft rules in April 2024 and originally faced a September 2025 deadline for finalization. The May 2026 target represents a shift, and enforcement mechanics—including penalty structures for noncompliance—have not yet been detailed.
Commercial real estate firms should treat this as imminent. The compliance window is narrow. Attorneys advising CRE clients should begin now: map data flows and systems, develop incident response protocols, and identify which properties or operations likely qualify as covered entities. Waiting for the final rule to act will leave clients exposed to both operational risk and regulatory penalties once enforcement begins.