IL HB3576

Bill

IL HB3576

WATER UTILITY CYBERSECURITY

Introduced
02/07/2025

In Committee
03/27/2026

Crossed Over

Passed

Dead

Introduced Session

104th General Assembly

Bill Summary

Amends the Public Utilities Act. Provides that, within 120 days after the effective date of the amendatory provisions, each water purveyor shall develop a cybersecurity program that defines and implements organizational accountabilities and responsibilities for cyber risk management activities, and establishes policies, plans, processes, and procedures for identifying and mitigating cyber risk to its public community water system. Provides that, within certain time periods after the effective date of the amendatory provisions, a water purveyor shall create a cybersecurity incident reporting process; obtain a cybersecurity insurance policy that meets certain standards; reasonably conform to the most recent version of one or more of specified industry-recognized cybersecurity frameworks; submit a compliance report; submit an incident report; and submit an annual status report. Sets forth provisions concerning violations of the amendatory provisions and rulemaking abilities of the Department of Natural Resources and the Illinois Commerce Commission. Makes other changes.

AI Summary

This bill addresses cybersecurity requirements for water utilities in Illinois by mandating that water purveyors (water system owners with more than 500 service connections) develop comprehensive cybersecurity programs within 120 days of the bill's effective date. The bill requires water purveyors to create detailed cybersecurity policies that identify responsible personnel, conduct risk assessments, maintain awareness of cyber threats, and develop incident response plans. Additionally, water purveyors must obtain cybersecurity insurance, update their programs to conform to recognized industry cybersecurity frameworks like the NIST Framework, and submit annual compliance certifications to the Department of Natural Resources and the Illinois Commerce Commission. The bill also mandates that water purveyors report significant cybersecurity incidents within 48 hours, undergo potential audits if non-compliant, and provide annual reports detailing their cybersecurity approach, training efforts, organizational structure, and any notable security events. Violations of these requirements can result in penalties, and the Department of Natural Resources will develop a schedule of civil administrative penalties within 18 months of the bill's enactment. The legislation aims to protect public community water systems from potential cyber threats and ensure robust cybersecurity practices across water utilities in Illinois.

Committee Categories

Military Affairs and Security

Sponsors (3)

Dee Avelar (D)*, Michael Crawford (D), Kimberly du Buclet (D),

Last Action

Rule 19(a) / Re-referred to Rules Committee (on 03/27/2026)

Official Document

https://www.ilga.gov/legislation/BillStatus.asp?DocNum=3576&GAID=18&DocTypeID=HB&SessionID=114&GA=104

Version:

Document Type	Source Location
State Bill Page	https://www.ilga.gov/legislation/BillStatus.asp?DocNum=3576&GAID=18&DocTypeID=HB&SessionID=114&GA=104
BillText	https://www.ilga.gov/legislation/104/HB/10400HB3576.htm

Bill > HB3576

summary

Introduced Session

Bill Summary

AI Summary

Committee Categories

Sponsors (3)

Last Action

Official Document

bill text

bill summary

bill summary

bill summary