Ampyx Cyber Blog
The Intersection of Regulation & Resilience
Cyber on Tap, Part Two: New York's Water Cybersecurity Regulation Is Now in Force
New York's Appendix 5-E cybersecurity regulation for public water systems took effect March 11, 2026, making it the first mandatory, enforceable water cybersecurity framework in the country. This post covers who is in scope, what is required, when it is due, and what resources are available to help. It also examines what New York's action means in the context of a federal policy environment that is actively stepping back from sector-specific cybersecurity regulation.
Cyber on Tap: NY's Water Utilities Face New Cyber Rulebook
New York has proposed the first mandatory cybersecurity regulation for water and wastewater systems, targeting utilities serving over 3,300 people. With requirements for vulnerability assessments, incident reporting, and executive oversight, this rule signals a shift toward enforceable cyber resilience and other states may soon follow.
Broad Scope, Big Impact: NY Mandates Cyber Rules for Public Sector
New York's new cybersecurity law, Chapter 177 of 2025 (S.7672A / A.6769A), introduces mandatory incident reporting, ransom payment disclosures, annual training, and data protection requirements for public-sector entities. Its broad definitions suggest applicability to both IT and OT systems, signaling a significant expansion in cybersecurity oversight for municipalities and public authorities.
Should the water sector follow the cybersecurity path of NERC CIP?
Water is essential for life – in so many ways. It’s so essential, we should do whatever is necessary to have a safe, reliable, and secure water/wastewater system, right? But from what I have seen both personally and in many public reports, we’re far from it. So, what is necessary to secure the water sector in the US?