China Issues Measures for the Administration of National Cybersecurity Incident Reporting – Published in collaboration with Shanghai Pacific Legal

In a significant regulatory development, the Cyberspace Administration of China (CAC) has officially issued the Measures for the Administration of National Cybersecurity Incident Reporting (the Final Reporting Measures), which will take effect on 1 November 2025. This follows the release of a draft version in late 2023 and marks the first comprehensive, cross-sector regulation governing cybersecurity incident reporting in China.

The Final Reporting Measures represent a major step forward in China’s cybersecurity governance framework, offering more detailed and operationally feasible guidance than the earlier draft, while also imposing stricter obligations on network operators.  

Key highlights of the Final Reporting Measures include:

Expanded definition of cybersecurity incident: The Final Reporting Measures broaden the scope of what constitutes a cybersecurity incident to include causes such as network attacks, vulnerabilities, software/hardware failures and force majeure. Importantly, incidents are defined not only by their impact on networks and systems but also on the data stored and their business application.

Entities in scope: The Final Reporting Measures apply to network operators – entities that build, operate or provide services via networks within China. We consider that the scope encompasses not only entities that provide network-based services to third parties for consideration, but also those that offer such services within the same corporate group on a free-of-charge basis. The Final Reporting Measures further encourage both organizations and individuals to proactively report incidents that are classified as relatively serious or above. While the Final Reporting Measures do not explicitly extend to foreign entities, network operators with operations or data processing activities in China should assess their exposure carefully.

Regulatory authorities to be notified: The CAC is designated as the national coordinating authority, with provincial CAC offices responsible for frontline incident management. Depending on the nature of the incident, public security bureaus and sectoral regulators must also be notified.  

Obligation to report triggered by knowledge or awareness of an incident: A notable development is the introduction of a knowledge or awareness requirement – network operators are required to report only on discovering or becoming aware of a reportable incident. This helps clarify the reporting obligation and timeline and is in line with international best practices. In this regard, we look forward to further regulatory clarification on what constitutes knowledge or awareness for reporting/notification purposes.

Classification of cybersecurity incident severity and reporting timelines: According to the Final Reporting Measures, cybersecurity incidents are classified into four categories depending on their severity:

  • General (not mandatorily reportable);
  • Relatively serious;
  • Serious; and
  • Particularly serious.

Reporting timelines vary based on both the severity of the incident and the type of network operator. In the event of an incident that is classified as “relatively serious” or above:

  • Critical information infrastructure operators must report within 1 hour;
  • Central/state departments must report within 2 hours; and
  • Other network operators must report within 4 hours.

Details of ransom payment to be notified to regulatory authorities: Consistent with the earlier draft, the Final Reporting Measures mandate that in ransom cases, the ransom amount, payment method and demand date (among other things) must be notified by network operators to the relevant regulatory authorities. However, it remains unclear whether this reporting requirement implies that the legality of ransom payment has been endorsed or acknowledged by the CAC – this is an issue involving significant legal complexities under the current PRC legal framework. In this regard, further guidance by the relevant regulators would be welcomed as to how victims should handle ransom demands in a compliant manner to minimize harm to the victims and other stakeholders.

Centralized reporting channels: To facilitate and streamline the reporting process, the Final Reporting Measures require all reports to be made to centralized reporting channels, including, in particular, the 12387 hotline, dedicated websites, email and fax.

Submission of a post-incident report to the regulatory authorities: Under the Final Reporting Measures, network operators must submit a final incident report within 30 days following the conclusion of their incident response. This report should include a root cause analysis, mitigation measures and lessons learned, among other things.

Exemptions and leniency: A network operator and its responsible personnel may be eligible for penalty exemptions or leniency if the network operator:

  • has taken reasonable and necessary preventive measures;
  • handles the incident according to its emergency plan;
  • effectively mitigates the impact and harm caused by the incident; and
  • reports the incident pursuant to the Final Reporting Measures.

The Final Reporting Measures provide more clarity to organisations in China on breach reporting timelines, which is a welcome development. However, China’s 1-hour deadline for critical information infrastructure operators will require multinational corporations operating in China to invest in real-time monitoring, incident response protocols and readiness, and other cybersecurity compliance protocols. Such a task can be challenging for multinational corporations with global operations, where tools they may use outside mainland China are not available in China.
