The Cybersecurity Information Sharing Act of 2015 (CISA 2015) expires on September 30, 2025, raising alarms among lawmakers, security experts, and businesses who warn that its sunset could cripple the nation’s cyber defenses. The law has underpinned a decade of public-private collaboration, enabling fast threat intelligence sharing that has helped blunt attacks against critical infrastructure and private companies.

Emily Park, a Senate homeland security staffer, warned that a lapse could lead to “an 80–90% reduction in cyber threat information flows,” adding that a breakdown of trust between companies and government would be just as damaging as losing the legal protections themselves. Without CISA 2015’s liability and antitrust shields, experts say corporate legal teams are likely to halt intelligence sharing altogether, cutting off the flow of early warnings about new attack techniques.

John Miller, senior vice president of policy at the Information Technology Industry Council, echoed the urgency: “We’ve heard consistently from our members that CISA 2015 has been critical to building the trusted environment that supports robust threat sharing. A clean reauthorization is the clearest path to preserving that progress”.

Congressional committees are already moving. The House Homeland Security Committee, chaired by Andrew Garbarino, is preparing to mark up a 10-year extension in early September, aiming to keep existing privacy safeguards intact while clarifying provisions for future use. The House Permanent Select Committee on Intelligence has also convened hearings emphasizing that adversaries like China and Iran continue to evolve, making real-time threat sharing indispensable.

According to the Government Accountability Office, CISA 2015 has facilitated automated tools that remove personally identifiable information from shared reports while enabling real-time alerts across industries. Experts argue that its loss would leave small and medium-sized businesses particularly exposed, with ransomware already costing them an average of $432,000 per incident.