Back to Illinois

HB3576 • 2026

WATER UTILITY CYBERSECURITY

WATER UTILITY CYBERSECURITY

Technology
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Dagmara Avelar
Last action
2026-03-27
Official status
Rule 19(a) / Re-referred to Rules Committee
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

WATER UTILITY CYBERSECURITY

WATER UTILITY CYBERSECURITY

What This Bill Does

  • WATER UTILITY CYBERSECURITY

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-03-27 Illinois General Assembly

    Rule 19(a) / Re-referred to Rules Committee

  2. 2026-03-05 Illinois General Assembly

    Added Co-Sponsor Rep. Michael Crawford

  3. 2026-02-27 Illinois General Assembly

    Added Co-Sponsor Rep. Kimberly Du Buclet

  4. 2026-02-24 Illinois General Assembly

    Assigned to Cybersecurity, Data Analytics, & IT Committee

  5. 2025-03-21 Illinois General Assembly

    Rule 19(a) / Re-referred to Rules Committee

  6. 2025-03-11 Illinois General Assembly

    Assigned to Cybersecurity, Data Analytics, & IT Committee

  7. 2025-02-18 Illinois General Assembly

    First Reading

  8. 2025-02-18 Illinois General Assembly

    Referred to Rules Committee

  9. 2025-02-07 Illinois General Assembly

    Filed with the Clerk by Rep. Dagmara Avelar

Official Summary Text

WATER UTILITY CYBERSECURITY

Current Bill Text

Read the full stored bill text
Illinois General Assembly - Full Text of HB3576

Select Language

×

The Illinois General Assembly offers the Google Translate™ service for visitor convenience. In no way should it be considered accurate as to the translation of any content herein.

Visitors of the Illinois General Assembly website are encouraged to use other translation services available on the internet.

The English language version is always the official and authoritative version of this website.

NOTE: To return to the original English language version, select the "Show Original" button on the Google Translate™ menu bar at the top of the window.

Choose Language

English

Afrikaans

Albanian

Arabic

Armenian

Azerbaijani

Basque

Bengali

Bosnian

Catalan

Croatian

Czech

Danish

Dutch

Esperanto

Estonian

Filipino

Finnish

French

Galician

Georgian

German

Greek

Gujarati

Haitian Creole

Hausa

Hawaiian

Hebrew

Hindi

Hungarian

Icelandic

Indonesian

Interlingua

Interlingue

Inuktitut

Irish

Italian

Japanese

Javanese

Kannada

Khmer

Korean

Latin

Latvian

Lithuanian

Luxembourgish

Macedonian

Malagasy

Malayalam

Maltese

Maori

Marathi

Myanmar

Nepali

Norwegian

Odia

Pashto

Punjabi

Romanian

Russian

Samoan

Sango

Sanskrit

Sardinian

Sindhi

Sinhala

Slovak

Slovenian

Somali

Southern Sotho

Spanish

Sundanese

Swahili

Swedish

Tamil

Telugu

Thai

Tigrinya

Tonga

Turkish

Ukrainian

Urdu

Vietnamese

Welsh

Xhosa

Yiddish

Yoruba

Zulu

Powered by
Translate

Close

Illinois General Assembly

Top Navigation Bar

Translate

Learn

Select General Assembly

Search the 104th General Assembly

Enter search terms for legislation, members, committees, or schedules.

ILGA.GOV

LEGISLATION & LAWS

Bills & Resolutions

Public Acts

Illinois Compiled Statutes

Illinois Constitution

Search Legislation

Glossary

Guide

Reports & Inquiry

Legislative Reports

Special Reports

FTP Site

Legislator Lookup

Capitol Complex Phone Numbers

Rules & Regulations

Illinois Register

Administrative Rules

Senate

Members

Schedules

Committees

Request for Remote Testimony

Journals

Transcripts

Rules

Audio/Video

FOIA Information

Senate Employment Opportunities

Media Guidelines

House

Members

Schedules

Committees

Submit testimony for House Committees

Journals

Transcripts

Rules

Audio/Video

FOIA Information

House Employment Opportunities

Log In

Mobile Top Bar

Search the 104th General Assembly

Enter keywords to search the Illinois General Assembly website.

Full Text of HB3576

Home

Legislation

Full Text

HB3576 - 104th General Assembly

Bill Status

Full Text

Votes

Witness Slips

Select Menu

Bill Status

Full Text

Votes

Witness Slips

Printer Friendly Version

Introduced

Printer Friendly Version

Introduced

Open PDF

104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
HB3576

Introduced 2/18/2025, by Rep. Dagmara Avelar

SYNOPSIS AS INTRODUCED:

220 ILCS 5/4-101

from Ch. 111 2/3, par. 4-101
220 ILCS 5/4-102 new

Amends the Public Utilities Act. Provides that, within 120 days after
the effective date of the amendatory provisions, each water purveyor shall
develop a cybersecurity program that defines and implements organizational
accountabilities and responsibilities for cyber risk management
activities, and establishes policies, plans, processes, and procedures for
identifying and mitigating cyber risk to its public community water
system. Provides that, within certain time periods after the effective
date of the amendatory provisions, a water purveyor shall create a
cybersecurity incident reporting process; obtain a cybersecurity insurance
policy that meets certain standards; reasonably conform to the most recent
version of one or more of specified industry-recognized cybersecurity
frameworks; submit a compliance report; submit an incident report; and
submit an annual status report. Sets forth provisions concerning
violations of the amendatory provisions and rulemaking abilities of the
Department of Natural Resources and the Illinois Commerce Commission.
Makes other changes.
LRB104 08875 AAS 18930 b

A BILL FOR

HB3576
LRB104 08875 AAS 18930 b
1

AN ACT concerning regulation.

2

Be it enacted by the People of the State of Illinois,
3
represented in the General Assembly:

4

Section 5.
The Public Utilities Act is amended by changing
5
Section 4-101 and by adding Section 4-102 as follows:

6

(220 ILCS 5/4-101)

(from Ch. 111 2/3, par. 4-101)
7

Sec. 4-101.
The Commerce Commission shall have general
8
supervision of all public utilities, except as otherwise
9
provided in this Act, shall inquire into the management of the
10
business thereof and shall keep itself informed as to the
11
manner and method in which the business is conducted. It shall
12
examine those public utilities and keep informed as to their
13
general condition, their franchises, capitalization, rates and
14
other charges, and the manner in which their plants, equipment
15
and other property owned, leased, controlled or operated are
16
managed, conducted and operated, not only with respect to the
17
adequacy, security and accommodation afforded by their service
18
but also with respect to their compliance with this Act and any
19
other law, with the orders of the Commission and with the
20
charter and franchise requirements.
21

Whenever the Commission is authorized or required by law
22
to consider some aspect of criminal history record information
23
for the purpose of carrying out its statutory powers and

HB3576
- 2 -
LRB104 08875 AAS 18930 b
1
responsibilities, then, upon request and payment of fees in
2
conformance with the requirements of Section 2605-400 of the
3
Illinois State Police Law, the Illinois State Police is
4
authorized to furnish, pursuant to positive identification,
5
such information contained in State files as is necessary to
6
fulfill the request.
7

The Commission shall require all public utilities to
8
establish a security policy that includes on-site safeguards
9
to restrict physical or electronic access to critical
10
infrastructure and computerized control and data systems. The
11
Commission shall maintain a record of and each regulated
12
entity shall provide to the Commission an annual affidavit
13
signed by a representative of the regulated entity that
14
states:
15

(1) that the entity has a security policy in place;
16

(2) that the entity has conducted at least one
17

practice exercise based on the security policy within the
18

12 months immediately preceding the date of the affidavit;
19

and
20

(3) with respect to any entity that is an electric
21

public utility, that the entity follows, at a minimum, the
22

most current security standards set forth by the North
23

American Electric Reliability Council.
24

A water public utility's security policy shall also meet
25
the requirements set forth in Section 4-102.

26
(Source: P.A. 102-538, eff. 8-20-21.)

HB3576
- 3 -
LRB104 08875 AAS 18930 b
1

(220 ILCS 5/4-102 new)
2

Sec. 4-102.
Cybersecurity policy for water purveyors.
3

(a) As used in this Section:
4

"Cybersecurity incident" means an event occurring on or
5
conducted through a computer network that jeopardizes the
6
integrity, confidentiality, or availability of computers,
7
information systems, communications systems, networks,
8
physical or virtual infrastructure controlled by computers or
9
information systems, or information residing on such computers
10
or information systems.
11

"Cybersecurity insurance policy" means an insurance policy
12
designed to mitigate losses from cybersecurity incidents,
13
including, but not limited to, data breaches, business
14
interruption, and network damage.
15

"Department" means the Department of Natural Resources.
16

"Industrial control system" means an information system
17
used to control industrial processes such as manufacturing,
18
product handling, production, or distribution.
19

"Industrial control system" includes supervisory control
20
and data acquisition systems used to control geographically
21
dispersed assets, and distributed control systems and smaller
22
control systems using programmable logic controllers to
23
control localized processes.
24

"Information resource" means information and related
25
resources, such as personnel, equipment, funds, and

HB3576
- 4 -
LRB104 08875 AAS 18930 b
1
information technology.
2

"Information system" means a discrete set of information
3
resources organized for the collection, processing,
4
maintenance, use, sharing, dissemination, or disposition of
5
information.
6

"Public community water system" means a public water
7
system which serves at least 15 service connections used by
8
year-round residents or regularly serves at least 25
9
year-round residents.
10

"Public water system" means a system for the provision to
11
the public of water for human consumption through pipes or
12
other constructed conveyances, if such system has at least 15
13
service connections or regularly serves an average of at least
14
25 individuals daily at least 60 days out of the year. "Public
15
water system" includes (i) any collection, treatment, storage
16
and distribution facilities under control of the operator of
17
such system and used primarily in connection with such system,
18
and (ii) any collection or pre-treatment storage facilities
19
not under such control which are used primarily in connection
20
with such system.
21

"Water purveyor" means any person that owns a public
22
community water system with more than 500 service connections.
23

(b) Within 120 days after the effective date of this
24
amendatory Act of the 104th General Assembly, each water
25
purveyor shall develop a cybersecurity program that defines
26
and implements organizational accountabilities and

HB3576
- 5 -
LRB104 08875 AAS 18930 b
1
responsibilities for cyber risk management activities, and
2
establishes policies, plans, processes, and procedures for
3
identifying and mitigating cyber risk to the water purveyor's
4
public community water system. As part of the cybersecurity
5
program, a water purveyor shall do the following:
6

(1) identify the individual directly responsible for
7

ensuring that the policies, plans, processes, and
8

procedures established pursuant to this Section are
9

executed in a timely manner;
10

(2) conduct risk assessments and implement appropriate
11

controls to mitigate identified risks to the public
12

community water system;
13

(3) maintain situational awareness of cyber threats
14

and vulnerabilities to the public community water system;
15

and
16

(4) create and exercise incident response and recovery
17

plans.
18

A water purveyor shall submit a copy of the cybersecurity
19
program developed pursuant to this subsection (b) to the
20
Commission in a form and manner as determined by the
21
Commission.
22

(c) Within 60 days after developing the cybersecurity
23
program required pursuant to subsection (b) of this Section,
24
each water purveyor shall create a cybersecurity incident
25
reporting process.
26

(d) No later than 180 days after the effective date of this

HB3576
- 6 -
LRB104 08875 AAS 18930 b
1
amendatory Act of the 104th General Assembly, each water
2
purveyor shall obtain a cybersecurity insurance policy that
3
meets any applicable standards adopted by the Commission.
4

(e) No later than 180 days after the effective date of this
5
amendatory Act of the 104th General Assembly, each water
6
purveyor shall update its cybersecurity program developed
7
pursuant to this Section to apply to all of the public
8
community water system's industrial control systems and to
9
reasonably conform to the most recent version of one or more of
10
the following industry-recognized cybersecurity frameworks:
11

(1) the Framework for Improving Critical
12

Infrastructure Cybersecurity developed by the National
13

Institute of Standards and Technology;
14

(2) the Center for Internet Security Critical Security
15

Controls for Effective Cyber Defense; or
16

(3) the International Organization for Standardization
17

and International Electrotechnical Commission 27000 family
18

of standards for an information security management
19

system.
20

Whenever a final revision to one or more of the frameworks
21
listed in this subsection (e) is published, a water purveyor
22
whose cybersecurity program conformed to that framework shall
23
revise its cybersecurity program to reasonably conform to the
24
revised framework, and submit a copy of the revised
25
cybersecurity program to the Commission, no later than 180
26
days after publication of the revised framework.

HB3576
- 7 -
LRB104 08875 AAS 18930 b
1

(f) No later than one year after the effective date of this
2
amendatory Act of the 104th General Assembly, and each year
3
thereafter, each water purveyor shall submit to the Department
4
and the Commission a certification demonstrating that the
5
water purveyor is in compliance with the requirements of this
6
Section. The certification shall be made in a form and manner
7
as determined by the Department, in consultation with the
8
Commission. The certification shall be signed by a senior
9
executive responsible for security of the regulated entity.
10

(g) The Commission shall cause to be audited any public
11
community water system that fails to submit a cybersecurity
12
program, a revision, or a certification pursuant to this
13
Section. Any audit shall be conducted by a qualified and
14
independent cybersecurity company, at the water purveyor's
15
expense. Following the audit, the water purveyor shall submit
16
the audit and any corrective action plans derived from the
17
audit to the Commission.
18

(h) A water purveyor shall, upon the request of the
19
Department or the Commission, provide proof of compliance with
20
the requirements of this Section, in a form and manner as
21
determined by the Department or by the Commission.
22

(i) On and after 90 days after the effective date of this
23
amendatory Act of the 104th General Assembly, a water purveyor
24
shall inform the Commission, in a written or oral report,
25
within 48 hours or as soon as practicable after the discovery
26
or occurrence of any notable, unusual, or significant

HB3576
- 8 -
LRB104 08875 AAS 18930 b
1
cybersecurity incident or any cybersecurity incident that must
2
be reported to another regulatory agency, including the
3
following:
4

(1) any cybersecurity incident that results in the
5

compromise of the confidentiality, integrity,
6

availability, or privacy of the water purveyor's utility
7

billing, communications, data management, or business
8

information systems, or the information on such systems;
9

and
10

(2) any cybersecurity incident against the water
11

purveyor's industrial control systems, including
12

monitoring, operations, and centralized control systems,
13

that adversely impacts, disables, or manipulates
14

infrastructure, resulting in loss of service,
15

contamination of finished water, or damage to
16

infrastructure.
17

(j) No later than 30 days after receiving a report of a
18
cybersecurity incident from a water purveyor pursuant to
19
subsection (i), the Commission shall cause to be audited the
20
water purveyor's cybersecurity program and any actions the
21
water purveyor took in response to the cybersecurity incident.
22
The audit shall identify cyber threats and vulnerabilities to
23
the public community water system, weaknesses in the public
24
community water system's cybersecurity program, and strategies
25
to address those weaknesses so as to protect the public
26
community water system from the threat of future cybersecurity

HB3576
- 9 -
LRB104 08875 AAS 18930 b
1
incidents. Any audit shall be conducted by a qualified and
2
independent cybersecurity company at the water purveyor's
3
expense. After the completion of the audit, the water purveyor
4
shall submit the audit and any corrective action plans derived
5
from the audit to the Commission.
6

(k) By July 31 of each year, a water purveyor shall provide
7
to the Commission a report that identifies the following:
8

(1) an overview of the water purveyor's approach to
9

cybersecurity awareness and protection;
10

(2) a description of cybersecurity awareness training
11

efforts for the water purveyor's staff members,
12

specialized cybersecurity training for cybersecurity
13

personnel, and participation by the water purveyor's
14

cybersecurity staff in emergency preparedness exercises in
15

the previous calendar year;
16

(3) an organizational diagram of the water purveyor's
17

cybersecurity organization, including positions and
18

contact information for primary and secondary
19

cybersecurity emergency contacts;
20

(4) a description of the water purveyor's internal and
21

external communications plan regarding unauthorized
22

actions that result in interruption, degradation of
23

service, financial harm, or breach of sensitive business
24

or customer data, including the water purveyor's plan for
25

notifying the Commission and customers;
26

(5) a redacted summary of any unauthorized actions

HB3576
- 10 -
LRB104 08875 AAS 18930 b
1

that resulted in material interruption, financial harm, or
2

breach of sensitive business or customer data, including
3

the parties that were notified of the unauthorized action
4

and any remedial actions undertaken;
5

(6) key performance indicators and other metrics
6

related to physical security and cybersecurity;
7

(7) any notable cybersecurity information not included
8

in paragraphs (1) through (6); and
9

(8) any other information as directed by the
10

Commission.
11

(l) The Department or the Commission shall create a
12
centralized portal allowing for electronic submittal of the
13
report required under this Section. The lack of a centralized
14
portal pursuant to this subsection (l) shall not negate the
15
requirement for a water purveyor to submit a report.
16

(m) Any person who violates the provisions of this
17
Section, or any rule or regulation adopted pursuant thereto,
18
shall be subject to the penalties and other remedies set forth
19
in Sections 4-202 and Section 4-203. No later than 18 months
20
after the effective date of this amendatory Act of the 104th
21
General Assembly, the Department shall adopt a schedule of
22
civil administrative penalties for specific violations of this
23
Section.
24

(n) Reports and other submissions made under this Section
25
shall not be open to public inspection unless otherwise
26
ordered by the Commission. Regulated entities shall not report

HB3576
- 11 -
LRB104 08875 AAS 18930 b
1
information otherwise required under this Section if
2
prohibited by law or court order or instructed otherwise by
3
law enforcement personnel.
4

(o) The Department or the Commission may adopt rules to
5
implement this Section.

Footer

Disclaimer

This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.

Contact ILGA Webmaster

ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies

ILGA.GOV

2026 ILGA.gov | All Rights Reserved |
ADA

|
Disclaimers
|
Learn

This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.
Contact ILGA Webmaster

ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies

ILGA.GOV

2026 ILGA.gov | All Rights Reserved |
ADA

|
Disclaimers
|
Learn