mapping the impact of 10 NYCRR Part 5 – Appendix 5-E
March 16, 2026
What does New York’s new water cybersecurity regulation actually require?
I’ve been mapping out the practical impact of 10 NYCRR Part 5 – Appendix 5-E for municipal water systems.
At a high level, compliance falls into four areas:
1️⃣ Risk Assessment
Utilities must perform a Cybersecurity Vulnerability Analysis (CVA) covering both IT and operational technology systems.
2️⃣ Operational Security
Organizations must evaluate the security of SCADA systems and operational technology networks used to operate water infrastructure.
3️⃣ Incident Readiness
Utilities must establish incident response procedures and reporting protocols for cybersecurity events.
4️⃣ Workforce Preparedness
Certified operators must receive periodic cybersecurity training.
Most systems will need to meet these requirements by January 1, 2027.
The challenge is that many municipal systems rely on legacy industrial control environments that were never designed with cybersecurity protections in place.
For those working in water utilities or municipal government — how is your organization preparing?
Need help securing your critical infrastructure?
Contact Us. https://anjolen.com/contact/
