IL HB3576

Water purveyors (owners of public community water systems with more than 500 service connections) must develop a cybersecurity program within 120 days of the Act's effective date, including risk assessments, threat monitoring, and incident response plans

Within 180 days, water purveyors must obtain cybersecurity insurance and align their programs with recognized frameworks such as NIST, Center for Internet Security Critical Security Controls, or ISO/IEC 27000 standards

Cybersecurity incidents must be reported to the Illinois Commerce Commission within 48 hours, triggering a mandatory audit by an independent cybersecurity company at the water purveyor's expense

Annual compliance certifications signed by a senior security executive must be submitted to the Department of Natural Resources and the Commerce Commission, with annual status reports due by July 31 each year

Failure to comply subjects water purveyors to audits, civil administrative penalties, and other remedies under the Public Utilities Act, with all cybersecurity reports kept confidential from public inspection