
Your utility just received notice that PFAS monitoring requirements take effect in 2027. Your lead service line inventory is due for update under the revised Lead and Copper Rule. And your IT director reminded you last week that EPA sanitary surveys now include a cybersecurity review. Meanwhile, you have the same staff you had three years ago and a compliance calendar that keeps getting longer.
This is the reality for utility directors at small and mid-sized municipal water systems across the US right now. Regulatory requirements are not easing; they are accelerating. Knowing which rules are active, what they require, and when they apply is the first step. Understanding how your operational software can carry the reporting burden is the second.
This guide covers the five US water utility regulations with the most direct operational impact in 2026, with specific deadlines, thresholds, and a clear explanation of how modern utility management software reduces the compliance workload for each one.
US water utilities must comply with five primary regulatory frameworks in 2026: the PFAS National Primary Drinking Water Regulation, the Lead and Copper Rule Revisions, Safe Drinking Water Act reporting requirements, America's Water Infrastructure Act resilience mandates, and EPA's cybersecurity guidance for water systems. Non-compliance can result in EPA enforcement actions, fines, and mandatory corrective measures.
Each of these regulations imposes specific documentation, reporting, or operational requirements, and each one creates a measurable administrative burden for utilities that rely on manual processes or disconnected legacy systems. Here is what each rule requires and what it means for your day-to-day operations.
The PFAS National Primary Drinking Water Regulation is defined as the first legally enforceable federal standard for per- and polyfluoroalkyl substances (PFAS) in drinking water, finalized by the EPA in April 2024. It sets a Maximum Contaminant Level (MCL) of 4 parts per trillion (ppt) for PFOA and PFOS individually, the two most common PFAS compounds, and combined limits for four additional PFAS. (EPA, April 2024)
This regulation affects an estimated 66,000 public water systems nationwide. For small and mid-sized utilities, the compliance timeline is tight:
1. Initial monitoring must begin no later than 2027.
2. Utilities must notify the public of PFAS levels exceeding the MCL within 30 days of receiving results.
3. Utilities exceeding MCL limits must install treatment solutions within five years of the compliance date.
4. Utilities must include PFAS data in annual Consumer Confidence Reports.
How software addresses this: Utility management platforms with integrated laboratory data management can automatically ingest PFAS monitoring results and flag exceedances against EPA MCL thresholds in real time, eliminating the manual spreadsheet tracking that creates compliance gaps. Automated CCR report generation ensures PFAS data flows directly into annual reporting without separate data collection efforts.
The Lead and Copper Rule Revisions (LCRR) and the subsequent Lead and Copper Rule Improvements (LCRI) are defined as updates to the original 1991 Lead and Copper Rule, requiring US water utilities to complete full lead service line inventories and implement accelerated replacement programs. The LCRI, finalized in October 2024, requires all lead service lines to be replaced within 10 years. (EPA)
For utility directors, the LCRR and LCRI create three distinct compliance obligations:
1. Complete and maintain an accurate lead service line inventory — including service lines classified as 'unknown material' — and make it publicly available.
2. Replace all lead service lines within 10 years, regardless of water quality test results.
3. Notify all customers served by a lead service line within 30 days of confirmation.
The inventory obligation is where most small utilities struggle. Systems that have relied on paper records or aging GIS data face significant data-quality challenges. Utilities that cannot produce a complete inventory are at immediate enforcement risk. (AWWA)
How software addresses this: Asset management modules with GIS integration allow utilities to build and maintain a complete, auditable lead service line inventory mapped to individual service addresses. Field mobile apps enable crews to update material records during routine visits, turning existing fieldwork into inventory data. Automated customer notifications are triggered directly from service line status updates, removing the manual notification burden.
The Safe Drinking Water Act (SDWA), first enacted in 1974 and administered by the EPA, is the primary federal law governing the quality of public drinking water in the United States. It establishes National Primary Drinking Water Regulations (NPDWRs) — legally enforceable standards for over 90 contaminants — and requires public water systems to conduct regular testing, maintain records, and report results to state primacy agencies. (EPA)
The SDWA's most visible annual obligation is the Consumer Confidence Report (CCR). Every community water system serving at least 25 customers must publish a CCR by July 1 each year, covering water source information, detected contaminant levels, and any violations from the prior calendar year. For a utility director at a small system, compiling the CCR from disconnected billing records, laboratory reports, and field data can consume weeks of staff time.
How software addresses this: Integrated utility platforms centralize billing, metering, and compliance data in a single system, reducing the time spent preparing annual CCRs from weeks to hours. Utilities using SMART360 report a 50% improvement in billing accuracy, which directly reduces the data discrepancies that create CCR reconciliation problems. Automated exception flags identify reporting anomalies before submission deadlines, not after.
America's Water Infrastructure Act (AWIA), signed into law in 2018, is defined as federal legislation requiring community water systems serving more than 3,300 connections to conduct comprehensive risk and resilience assessments of their physical infrastructure, cybersecurity posture, and operational capabilities — and to develop emergency response plans based on those assessments. (EPA)
AWIA compliance deadlines are tiered by system size:
• Systems serving more than 100,000 connections: risk assessments certified to EPA by March 31, 2020; emergency response plans by June 30, 2020.
• Systems serving 50,000–99,999 connections: certified by December 31, 2020.
• Systems serving 3,300–49,999 connections: certified by June 30, 2021.
• Emergency response plans must be reviewed and updated every five years.
Critically, the Consolidated Appropriations Act of 2024 strengthened AWIA's cybersecurity provisions. EPA sanitary surveys now formally evaluate cybersecurity controls as part of AWIA compliance — meaning utilities without documented cybersecurity practices for their operational technology (OT) and IT systems face regulatory scrutiny. (EPA)
How software addresses this: Cloud-native utility platforms eliminate a significant category of physical infrastructure risk because there is no on-premise server room to protect, no aging hardware to patch, and no single point of physical failure. SMART360's cloud-native architecture means your operational data is hosted in SOC2-compliant infrastructure with encrypted data transmission and documented access controls, all of which are directly relevant to AWIA cybersecurity documentation requirements. SMART360's security and compliance capabilities are documented and auditable, providing the evidence trail AWIA assessors require.
EPA cybersecurity guidance for water systems is defined as a series of directives from the US Environmental Protection Agency requiring public water systems to evaluate and address cybersecurity vulnerabilities in their operational technology (OT) and information technology (IT) infrastructure, now formally incorporated into SDWA sanitary surveys as of 2024. (EPA)
The operational reality for most small water utilities is stark: many run billing and SCADA systems on the same network, use default passwords on industrial control equipment, and have no formal incident response plan. These are exactly the vulnerabilities EPA inspectors are now documenting during sanitary surveys. In 2021, a threat actor accessed the water treatment system in Oldsmar, Florida and attempted to increase sodium hydroxide levels to dangerous concentrations. The incident triggered national attention to the cybersecurity exposure of small water utilities.
What EPA guidance now requires utilities to address:
1. Identify all IT and OT systems connected to water operations.
2. Evaluate access controls, password management, and network segmentation.
3. Document cybersecurity incident response procedures.
4. Include cybersecurity findings in AWIA risk and resilience assessments.
How software addresses this: Legacy on-premise billing and CIS systems running on local servers are a primary cybersecurity liability — they require in-house patching, are frequently behind on security updates, and provide limited audit logging. Cloud-based utility management platforms transfer server-level security management to certified infrastructure providers, enforce role-based access controls, and provide complete audit trails of all system activity. This is the most direct available risk reduction for a small utility IT team.
Each of the five regulations above imposes a distinct documentation, reporting, or monitoring obligation. What they share is a common dependency: accurate, accessible, well-organized operational data. Compliance fails not because utilities are unaware of the rules, but because the data needed to demonstrate compliance lives in disconnected spreadsheets, paper files, and aging systems that cannot talk to each other.
A unified utility management platform addresses this at the root. When billing records, meter data, asset information, work orders, and customer accounts all live in a single system:
• PFAS and lead monitoring data flows directly from laboratory integrations into compliance dashboards and CCR reports — no manual re-entry.
• Lead service line inventory is maintained in a GIS-integrated asset register, with field updates captured via mobile app in real time.
• Consumer Confidence Report data is drawn automatically from verified system records rather than assembled manually from multiple sources.
• AWIA cybersecurity documentation is supported by cloud-native infrastructure with SOC 2 compliance, built-in access controls, and complete audit logs.
• EPA sanitary survey inquiries are answered with documented, timestamped system records rather than reconstructed paper trails.
SMART360's regulatory reporting and analytics module is built specifically for this compliance consolidation challenge. With 25+ pre-built integrations connecting AMI systems, GIS platforms, and laboratory data feeds, SMART360 eliminates the manual data assembly that consumes staff time and creates compliance exposure for small and mid-sized utilities.
The result is a compliance posture that does not depend on institutional memory or heroic manual effort from a two-person compliance team. It is systematic, auditable, and sustainable, even as the regulatory calendar continues to grow.
If your utility is managing PFAS monitoring, lead service line replacement planning, or AWIA documentation on spreadsheets, see what a purpose-built platform looks like: water utility management software.
For most small and mid-sized US water utilities, the PFAS National Primary Drinking Water Regulation is the most operationally urgent. Initial monitoring must be in place by 2027, public notification is required within 30 days of any MCL exceedance, and PFAS data must now be included in annual Consumer Confidence Reports. Utilities that have not yet established baseline PFAS monitoring programs should prioritize this immediately.
Yes. America's Water Infrastructure Act applies to all community water systems serving more than 3,300 connections. The compliance deadlines for smaller systems (3,300–49,999 connections) were June 30, 2021 for risk and resilience assessments and emergency response plan certification. Utilities in this tier must review and update their emergency response plans every five years and — under 2024 EPA guidance — must now document cybersecurity controls as part of their AWIA assessment.
EPA's 2024 cybersecurity guidance means that cybersecurity practices are now formally evaluated during SDWA sanitary surveys. Inspectors are looking for documented access controls, network segmentation between IT and operational technology systems, and incident response procedures. A small utility running legacy on-premise billing and SCADA on a shared network with default credentials is at meaningful enforcement risk. Cloud-based utility platforms reduce this exposure by eliminating on-premise server infrastructure and providing built-in access controls and audit logging.
Consumer Confidence Reports require utilities to compile water quality testing data, source water information, and detected contaminant levels from the prior calendar year and publish them annually by July 1. For utilities using disconnected billing, laboratory, and field systems, this is a significant manual effort. Integrated utility management platforms draw CCR data directly from verified system records — including new PFAS monitoring data — generating compliant reports without manual data assembly from multiple sources.