HB2594 would establish a federal Water Risk and Resilience Organization (WRRO) to develop cybersecurity risk and resilience requirements for the water sector. Covered water systems are defined as community water systems or treatment works serving 3,300 or more people.
The bill directs the Administrator to issue a final rule within 270 days to govern WRRO certification and oversight.
The WRRO would submit proposed cybersecurity risk and resilience requirements along with an implementation plan, and the Administrator could approve, remand, or require amendments. The legislation creates enforcement mechanisms, monitoring obligations, and annual reporting, funded by a dedicated appropriation.
At a Glance
What It Does
Defines the WRRO and key terms, sets up a rulemaking timeline, and establishes the certification process for a single WRRO. It also sets out the mechanism for proposing, approving, modifying, or remanding cybersecurity risk and resilience requirements and their implementation plans.
Who It Affects
Covers water utilities that operate community water systems or treatment works serving 3,300+ people, plus their owners/operators, WRRO members, and the EPA Administrator.
Why It Matters
Creates a formal, federally governed, technically driven framework to address cybersecurity risks in the water sector, with a single certified body providing centralized rulemaking and oversight while balancing public comment and due process.
What This Bill Actually Does
The bill creates the Water Risk and Resilience Organization (WRRO), a federally certified body, to develop cybersecurity risk and resilience requirements for the water sector. A key design feature is that only one WRRO may be certified, and only if it meets specific independence, governance, cost-sharing, and transparency requirements.
The WRRO would file proposed requirements and implementation timelines with the EPA Administrator, who can approve, remand, or require changes, with the final implementation date set in the approved plan.
The Five Things You Need to Know
The Administrator may certify not more than one WRRO that meets defined independence and governance criteria.
Final rule to carry out the Act must be issued within 270 days of enactment.
WRRO must file proposed cybersecurity requirements and an implementation plan for approval, with phased rollouts allowed.
Penalties for noncompliance are capped at $25,000 per day and collected penalties support WRRO training and capacity.
Annual self-attestations and a third-party assessment every five years are required, with aggregated, non-sensitive reporting to the Administrator.
Section-by-Section Breakdown
Water Risk and Resilience Organization – Definitions
Defines the Administrator as the EPA Administrator and the WRRO as the certification-recipient organization. It also sets out defined terms like ‘covered water system,’ ‘cyber resiliency,’ ‘cybersecurity incident,’ and ‘cybersecurity risk and resilience requirement,’ establishing the scope for future rulemaking.
Applicability and Rulemaking Timeline
Requires the Administrator to issue a final rule within 270 days of enactment to carry out the section, including the process for WRRO certification and the regulatory framework that will govern cybersecurity risk and resilience rules for covered water systems.
Certification Process
Provides the application pathway for WRRO certification, with the Administrator certifying not more than one organization that demonstrates advanced technical knowledge, governance independence, reasonable dues, and transparent procedures, including public comment and balanced representation.
Cybersecurity Risk and Resilience Requirements
Outlines the process for WRRO-filed proposed requirements and implementation plans, including approval criteria, deference to WRRO’s technical expertise, potential remand, and a structured path for amendments and resubmission.
Monitoring and Assessment
Requires the WRRO to monitor implementation of approved requirements, collect annual self-attestations, and conduct or commission third-party assessments every five years, with annual aggregated reporting to the Administrator that omits sensitive data.
Enforcement
Authorizes penalties for violations of approved cybersecurity risk and resilience requirements, with due process protections, access to counsel, and a capped maximum of $25,000 per day. Collected penalties are directed to the WRRO to support its capacity and training.
Savings, Status, Appropriations
Clarifies that the WRRO does not become a federal agency; preserves State authority, and provides for a dedicated $10 million appropriation to remain available to the WRRO for the section’s purposes.
Who Benefits and Who Bears the Cost
Who Benefits
- Public water utilities operating covered water systems (community water systems or treatment works serving 3,300+ people) gain a centralized, technically rigorous framework for cybersecurity and resilience.
- Utility cybersecurity and compliance staff gain clearer rules, governance structures, and a defined compliance timeline.
- WRRO member organizations and their affiliates benefit from formal governance and a role in setting cybersecurity standards.
- EPA and federal regulators gain a single, expert body to guide cybersecurity risk and resilience for the water sector.
- Water-sector cybersecurity vendors and consultants benefit from a defined, standards-based market for services.
Who Bears the Cost
- Covered water systems bear the upfront and ongoing costs of implementing the WRRO’s cybersecurity requirements, including potential system upgrades and compliance labor.
- End users may ultimately bear the reasonable dues or charges that fund WRRO activities under the implementation framework.
- Local and state authorities coordinating with WRRO-related activities may incur staff time and administrative costs to align with federal standards.
- The WRRO’s operations require funding and staffing supported by the appropriated resources; a shortfall relative to actual costs could slow implementation.
- Third-party assessors and consultants engaged for WRRO monitoring would see increased demand and the associated pricing pressure.
Key Issues
The Core Tension
The central tension is between building a technically specialized, centralized rulemaking engine (the WRRO) to achieve consistent cyber resilience across the water sector and preserving state and local autonomy, while ensuring accountability, avoiding undue regulatory burden, and preventing captive enforcement or excessive costs for ratepayers.
The bill hinges on centralizing cyber risk and resilience standards within a single federally certified body, which concentrates technical expertise but also concentrates authority. That design risks misalignment with state roles and existing local water-system governance, so the savings provisions and State authority guardrails are crucial.
The conflict-resolution provisions aim to harmonize WRRO rules with existing functions, but in practice, many water systems operate under mixed regimes; the effectiveness will depend on how the final rule handles preemption and cooperative federalism.