Natsar Cybersecurity Insights
- Oct 15, 2025
Understanding New York’s Proposed Cybersecurity Rules for Water and Wastewater Utilities
- Josh Moulin
- Cybersecurity, Compliance & Legal
Intended Audience: Municipal leaders, water and wastewater utility managers, and IT professionals responsible for operational continuity, risk management, or compliance with DOH and DEC cybersecurity rules.
Cyber threats against water and wastewater systems are increasing nationwide—and New York is taking decisive action. Two major rulemakings introduced by the Department of Health (DOH) and the Department of Environmental Conservation (DEC) will, for the first time, establish mandatory cybersecurity requirements for the state’s public water and wastewater providers.
If you operate a community water system, a wastewater treatment facility, or manage municipal utilities, these proposals will affect you. Understanding what’s coming—and how to prepare now—can save you significant time, cost, and compliance stress later.
Two Different Rulemakings, One Common Goal
Drinking Water Systems – Department of Health (DOH)
Proposal ID: HLT-28-25-00012-P
Action: Amendment to 10 NYCRR Subpart 5-1
Purpose: Establish enforceable cybersecurity requirements to protect public water systems that serve the people of New York.
Statutory Authority: Public Health Law §§ 225 and 1125
Status: Proposed Rule Making published July 16, 2025. Public comment period closed September 16, 2025.
This proposed regulation applies to community water systems serving more than 3,300 people. Larger systems—those serving more than 50,000—will face additional governance requirements, such as designating a qualified executive responsible for cybersecurity.
Wastewater Systems – Department of Environmental Conservation (DEC)
Action: Proposed amendments to 6 NYCRR Parts 616, 650, and 750
Purpose: Enhance cybersecurity for publicly owned treatment works (POTWs) and other State Pollutant Discharge Elimination Systems (SPDES) permit holders through formalized cyber controls, training, and reporting.
Status: A Notice of Proposed Rule Making was filed on June 10, 2025 and published in the State Register on June 25, 2025. Public comment period closed September 3, 2025 (see the DEC wastewater cybersecurity resources page).
Key Requirements for Both Drinking Water and Wastewater Systems
Despite being separate rulemakings, both agencies’ proposals share similar themes: strengthening preparedness, formalizing cyber hygiene, and ensuring operational continuity.
Common Requirements
Written cybersecurity program tailored to system risk
Incident response planning integrated with emergency plans
Operator cybersecurity training
Regular vulnerability or risk assessments to identify and mitigate weaknesses
24-hour incident reporting to regulators following a cyber event
Drinking Water Highlights (DOH)
Annual Cybersecurity Vulnerability Analysis (CVA), with an updated analysis within 30 days of major system changes
24-hour incident reporting; 48-hour vulnerability reporting
Implementation of authentication and access management controls
At least one hour of cybersecurity training for certified operators every three years
Larger systems (>50,000 served) must designate a Qualified Executive for Cybersecurity
Wastewater Highlights (DEC)
Integration of cybersecurity into SPDES permit compliance
Cybersecurity requirements embedded in Emergency Response Plans (ERPs) and Incident Response Plans (IRPs)
Confidentiality protections for sensitive cyber information (via Part 616)
Updated operator certification and training requirements under Part 650
Timelines and What Comes Next
The DOH proposal was published July 16, 2025, in the State Register; compliance is expected by January 1, 2027.
The DEC proposal followed shortly after; its compliance timeline is likely to align closely with DOH’s, creating a coordinated advancement of cybersecurity across both sectors.
Both agencies will finalize rules after reviewing submitted comments. Utilities should begin preparing now, since implementing controls, policies, and training programs can take months.
State and Federal Resources to Get You Started
New York has assembled an impressive range of free or low-cost cybersecurity resources for water and wastewater systems, consolidated on the DEC’s Wastewater Cybersecurity Resources page.
These include:
Free risk assessments through EPA, CISA, and NY DHSES
Training and awareness programs tailored for water sector operators
Self-paced tools and templates (asset inventories, security control worksheets, gap analyses)
Funding and technical assistance from the New York Environmental Facilities Corporation (EFC) Cybersecurity Hub
How Natsar Extends These Efforts
While the state’s programs are an excellent foundation, they’re not designed to scale or customize for every local water provider. This is where Natsar bridges the gap.
Natsar offers:
Customized vulnerability and risk assessments built for your specific infrastructure and control systems
Implementation support that goes beyond assessment to actually deploy security controls
Tailored incident response and tabletop exercises designed for your operational environment
Operator and management training aligned with DOH and DEC requirements
Policy and program development that strengthens long-term cyber resilience
Natsar is based in New York’s Capital Region — a local, independent small business that understands the realities faced by New York’s water and wastewater utilities. You don’t need to look to a large consulting firm that charges enterprise-level rates for generic solutions. With Natsar, you’ll work directly with experts who combine decades of public-sector cybersecurity experience — including leadership of the Multi-State Information Sharing and Analysis Center (MS-ISAC) — with personalized attention to deliver practical, affordable cybersecurity support.
Schedule a consultation with Natsar to evaluate your cybersecurity posture, develop a compliance roadmap, or plan a tabletop exercise. Together, we can turn these new regulations into an opportunity to build stronger, more resilient infrastructure for New York communities.
Key Compliance Dates at a Glance
Department of Health (DOH) – Drinking Water Systems
Immediate Requirements: Cybersecurity training (Section 5-E.7) and cybersecurity incident notification (Section 5-E.9) take effect immediately upon adoption.
Full Compliance Deadline: All other requirements in Appendix 5-E must be met by January 1, 2027.
Department of Environmental Conservation (DEC) – Wastewater Systems
Immediate Requirements: Cybersecurity incident reporting (6 NYCRR 750-2.7(h)) and confidentiality provisions for cybersecurity information (6 NYCRR 616.7) take effect immediately upon publication of the Notice of Adoption.
Full Compliance Deadline: Core cybersecurity controls (6 NYCRR 750-2.9) take effect one year after the Notice of Adoption is published.
What These Dates Mean for You
Some obligations—especially training and incident reporting—take effect as soon as the rules are adopted, leaving no time to delay preparation. Other technical and programmatic requirements phase in through 2026 and 2027, giving utilities a window to conduct assessments, plan budgets, and implement security upgrades.
Now is the best time to start organizing your assessments, training, and incident response planning so your systems are compliant before the deadlines arrive.
What’s Next
This post provides a high-level overview of New York’s proposed cybersecurity regulations for water and wastewater systems.
In our next article, we’ll dive deeper into the specific requirements — from vulnerability analyses and operator training to cost estimates and compliance flexibility — and explain exactly how each rule applies to drinking water systems (DOH) and wastewater systems (DEC).
→ Read Part 2: Comparing DOH and DEC Cybersecurity Requirements for New York’s Water Sector
Bottom Line
New York’s proposed cybersecurity rules for drinking water and wastewater represent a major shift for the state’s water sector. They mandate formal cybersecurity programs, operator training, risk assessments, and incident response plans. State and federal resources can help you start—but they stop at the assessment stage. Natsar takes the next step, offering customized, hands-on solutions that strengthen your compliance posture and safeguard your operations from real-world cyber threats.