Measures on National Cybersecurity Incident Reporting and its key compliance points.

As the ‘Measures of the Administration of the Reporting of Cybersecurity Incidents in the Business Fields of the People’s Bank of China’ targeting the cybersecurity of the financial industry came into force on 1^st August 2025, the Cyberspace Administration of China (CAC) officially released the ‘Measures on National Cybersecurity Incident Reporting’ on 15^th September 2025, setting the specific requirements of the scope of application, supervisory responsibilities, reporting entities, channels and progresses etc. for different levels of cybersecurity incident reporting. The new measures further improved the Article 25 of the ‘Cybersecurity law of the People’s Republic of China’ regarding the reporting obligations of network operators upon incidents endangering network security. Compared to the draft for comment issued on 8^th December 2023, the new measures also put forward higher and more specific compliance requirements in response to the impact of current cybersecurity incidents, shortening the minimum reporting timespan from 1 hour in the 2023 draft for comment to 30 minutes.

For the first time, the CAC released typical enforcement cases regarding cybersecurity, network security and personal information protection. Among the 10 typical cases, 7 of which involve cybersecurity incidents, including website tampering, data leakage and data theft, reflecting the emphasis of the national regulatory authorities on reporting cybersecurity incidents.

As an attachment, the new measures clarify the ‘Guidelines for category and classification of cybersecurity incidents’, which reference the national standards in ‘Information security technology - Guidelines for category and classification of cybersecurity incidents’ (GB/T 20986-2023). They provide quantitative criteria for classifying cybersecurity incidents into 4 levels, naming particularly major, major, relatively major and normal using a limited enumeration approach.

Measures on National Cybersecurity Incident Reporting – compliance points:

Scope of application and subjects for incident reporting (Article 2 and 12)

• Network operators who construct, operate or provide services via the network within the territory of the People’s Republic of China. Network operators are defined as the owners, managers of the network, or the provider of network services.

Cybersecurity incidents (Article 12)

• Are referred to incidents due to human factors, network attacks and vulnerabilities, software defects or failures, force majeure etc., which causes damage to the network and information system, or the data and chain operations within them, negatively impacting the country, society or economy.

Time limits for incident reporting （Article 4）

According to the ‘Guidelines for Cybersecurity Incident Classification’,

• For incidents involving critical information infrastructure, network operators must report to the protection department and public security department immediately, and no later than 1 hour. For major or particularly major security incidents, after receiving the reports, the protection department should immediately report to the national cybersecurity authority and the State Council public services department no later than 30 minutes.

• Network operators within the central and state organs, their various departments and their directly affiliated departments should immediately report to cyber information agency of their department organization no later than 2 hours. For major or particularly major incidents, upon receiving the reports, all cyber information agencies must immediately report to the national cybersecurity authorities no later than 1 hour. The national cybersecurity authorities should promptly inform the relevant departments.  

• Other network operators should immediately report to their provincial-level cybersecurity authorities of the local jurisdiction no later than 4 hours. For major or particularly major cybersecurity incidents, upon receiving the report, the provincial-level cybersecurity authorities must immediately report to the national cybersecurity authorities no later than 1 hour and simultaneously inform the relevant departments at the same level.

Incident reporting channels (Article 9)

• The cybersecurity department built 12,387 cybersecurity incidents reporting hotlines, websites, email addresses, fax etc., to uniformly receive cybersecurity incident reports.

Penalties

• Heavier penalties for late or concealer reporting. If network operators delay, omit, falsely report or conceal a cybersecurity incident, causing significant harmful consequences, the network operator and responsible individuals shall be punished more severely according to the law.

• Exemption from penalties for timely reporting. If the department responsible for reporting cybersecurity incidents fails to report the incidence in accordance with the provisions of these measures, the relevant units and personnel shall be held accountable with relevant laws, administrative regulations and the cybersecurity work responsibility systems.

The full text of ‘Measures on National Cybersecurity Incident Reporting’ references the National Internet Information Office: https://www.cac.gov.cn/2025-09/15/c_1759583017717009.htm