Overview of China’s Latest Regulations on Cybersecurity Incidents Reporting

China Cybersecurity

ATTICUS ZHAO AND DANNI SIMA


In recent years, cybersecurity incidents have occurred frequently, with the scope of impact and degree of harm continuously escalating.

To regulate and respond to cybersecurity incidents in China, the Cyberspace Administration of China (CAC) issued the National Administrative Measures for Reporting Cybersecurity Incidents (the “Measures”) on September 1, 2025, which took effect on November 1, 2025.

1. Scope of Application and Management System

The Measures require that network operators that build, operate networks, or provide services through networks within the territory of the PRC shall report cybersecurity incidents in accordance with the provisions of the Measures when such incidents occur.

Under the China Cybersecurity Law and the Measures, a network operator refers to the owner or manager of a network or a network service provider, and a network refers to any internet, LAN, or WAN used by a network operator. This means any entity that uses a network in China will be a network operator under the said laws and regulations.

On September 15, 2025, the CAC issued a press Q&A regarding the Measures (the “Q&A”). In Q3 (scope and reporting entities covered by the Measures), the Q&A clarifies that the scope of application and reporting entity under the Measures are network operators that build, operate networks, or provide services via networks within the territory of the PRC.

Under the Measures, the CAC is responsible for overall nationwide coordination of cybersecurity incident reporting, while provincial cyberspace administration departments are responsible for implementation within their respective administrative regions. In the meantime, a collaborative mechanism is formed with public security authorities and industry regulators.

2. Classification and Time Requirements for Reporting

The Measures stipulate that when a network operator identifies or becomes aware of a cybersecurity incident, it shall conduct a risk assessment based on the Cybersecurity Incident Classification Guidelines (the “Classification Guidelines”), which classify cybersecurity incidents into four levels based on severity and damage caused: extraordinarily significant, significant, relatively major and general, with assessment criteria and (non-exhaustive) examples. See the table below.

For relatively major cybersecurity incidents or above, the Measures establish strict and differentiated reporting time limits:

  • For incidents involving critical information infrastructure, network operators shall immediately report to the protection authorities and public security agencies, within one hour at the latest.
  • For significant or extraordinarily significant cybersecurity incidents, the protection department shall report to the CAC and the public security department of the State Council immediately upon receiving the report, and no later than half an hour after receiving it.
  • If a network operator is affiliated with central government departments or their directly subordinate units, they shall report to their respective departmental cyberspace administration bodies within two hours at the latest. For significant or extraordinarily significant cybersecurity incidents, the cybersecurity work units of all departments shall report to the CAC immediately upon receiving the report, and no later than one hour. Upon receiving the report, the CAC shall promptly notify relevant departments.
  • Other network operators shall promptly report to the local provincial cyberspace administration, within four hours at the latest. For significant or extraordinarily significant cybersecurity incidents, provincial-level cyberspace administration departments shall report to the CAC immediately upon receiving the report, and no later than one hour after receiving it, while simultaneously notifying relevant departments at the same level.

3. What to Report

The Measures specify eight mandatory elements to be reported, as follows:

  • The name of the involved unit and the basic information of the involved system or facility;
  • The time, location, type, and severity of a cybersecurity incident, along with its impact and harm, the measures taken, and their effectiveness. For ransomware attacks, the report should also specify the ransom amount, payment method, and date;
  • The trend of the situation and the possible further impact and harm;
  • Preliminary analysis of the causes of the cybersecurity incident;
  • Clues for attribution investigations, including but not limited to potential attacker information, attack paths, and existing vulnerabilities;
  • Proposed further countermeasures and requests for assistance;
  • Status of on-site protection for the cybersecurity incident;
  • Other circumstances requiring reporting.

Table: Cybersecurity incident levels (columns: cybersecurity incident level / assessment criteria / examples [1])

Level: Extraordinarily significant cybersecurity incident
Assessment criteria:
(1) Critical networks and information systems suffer extraordinarily severe system damage, resulting in widespread system paralysis and loss of operational capability.
(2) Core data, important data, or massive amounts of personal information of citizens are lost, stolen, tampered with, or forged, posing an extraordinarily severe threat to national security and social stability.
(3) Other cybersecurity incidents that pose an extraordinarily severe threat or cause extraordinarily severe impact on national security, social order, economic development, and public interest.
Examples: Leakage of personal information of over 100 million citizens; or direct economic losses exceeding RMB 100 million.

Level: Significant cybersecurity incident
Assessment criteria:
(1) Critical networks and information systems suffer severe system damage, resulting in prolonged system interruptions or partial paralysis, with business processing capabilities significantly impaired.
(2) Core data, important data, or a large volume of personal information of citizens are lost, stolen, tampered with, or forged, posing a serious threat to national security and social stability.
(3) Other cybersecurity incidents that pose a serious threat or cause serious impact on national security, social order, economic development, or public interest.
Examples: Leakage of personal information of over 10 million citizens; or direct economic losses exceeding RMB 20 million.

Level: Relatively major cybersecurity incident
Assessment criteria:
(1) Critical networks and information systems suffer significant system damage, resulting in system interruptions and reduced efficiency.
(2) Important data and a relatively large volume of personal information are compromised, posing a relatively serious threat.
(3) Other incidents causing relatively serious impacts on national security, social order, economic development, and public interest.
Examples: Leakage of personal information of over 1 million citizens; or direct economic losses exceeding RMB 5 million.

Level: General cybersecurity incident
Assessment criteria: Cybersecurity incidents not falling under the above categories that pose a certain threat to national security, social order, economic development, or public interests, and cause a certain degree of impact.
Examples: Leakage of personal information of fewer than 1 million citizens; or direct economic losses of less than RMB 5 million.

[1] More dimensions and classifications of the different levels of cybersecurity incidents are set out in the Cybersecurity Incident Classification Guidelines attached to the Measures.

Notably, the Measures do not restrict reporting obligations to a one-time action. For incidents where circumstances cannot yet be fully ascertained, a preliminary brief report is permitted, with subsequent updates required. During the investigation process, if new significant developments emerge or progress is made, timely updates shall be provided. After the incident is resolved, the operator shall submit a systematic summary report within 30 days.

4. Harmonization with Other Legislation

The Measures form part of an integrated regulatory framework governing cybersecurity incident response in China, including the Cybersecurity Law, the Personal Information Protection Law (the “PIPL”), the Data Security Law, the Regulations on the Security Protection of Critical Information Infrastructure (the “CII Regulations”), and the Provisions on the Management of Network Product Security Vulnerabilities (the “Product Security Provisions”).

(1) Personal Information Protection Law

Article 57 of the PIPL requires personal information processors (equivalent to data controller under GDPR) to immediately adopt remedial measures and notify relevant regulatory authorities and affected individuals in the event of, or upon the likelihood of, personal information leakage, tampering, or loss. The notification shall include the categories of personal information involved, the causes and potential harm, remedial measures taken, and contact information of the personal information processor.

In practice, cybersecurity incidents involving data breaches may trigger overlapping obligations under both the Measures and the PIPL. For example, a network operator that also qualifies as a personal information processor may be required to report the incident to cyberspace administration authorities under the Measures while also performing the notification obligations under the PIPL.

Notably, the PIPL does not impose a minimum threshold on the number of affected individuals before reporting obligations are triggered. As the regulatory alignment between the PIPL and the Measures for cybersecurity incident reporting remains to be clarified by the authorities, it is so far unclear whether incidents that fall below the quantitative thresholds for relatively major cybersecurity incidents under the Measures would still trigger mandatory notification obligations under the PIPL.

(2) Regulations on the Security Protection of Critical Information Infrastructure (CII)

Article 18 of the CII Regulations states that when critical information infrastructure experiences a severe cybersecurity incident or a significant cybersecurity threat is identified, the operator of the CII shall report to the protection department and public security organs in accordance with relevant provisions.

In the event of an extremely severe cybersecurity incident involving the complete interruption of critical information infrastructure operations, failure of its primary functions, leakage of national foundational information or other important data, large-scale leakage of personal information, significant economic losses, or widespread dissemination of illegal information, or upon discovery of an exceptionally major cybersecurity threat, the protection department shall promptly report to the CAC and the public security department of the State Council upon receiving the report.

The Measures refine and operationalize these obligations by introducing clearer reporting timelines, hierarchical reporting pathways, and classification standards. Compared with the CII Regulations, which focus primarily on operators of CII, the Measures broaden the reporting framework to cover a wider range of network operators.

(3) Provisions on the Management of Network Product Security Vulnerabilities

Article 7 of the Product Security Provisions requires network product providers to fulfill a set of vulnerability management obligations, so that security vulnerabilities in their products are promptly patched and reasonably disclosed and product users are guided and supported in taking preventive measures. These obligations include reporting relevant vulnerability information to the Cybersecurity Threat and Vulnerability Information Sharing Platform of the Ministry of Industry and Information Technology within two days.

The Measures complement this regime by addressing incidents arising from the exploitation of such vulnerabilities. While the Product Security Provisions focus on pre-incident vulnerability disclosure and patch management, the Measures govern post-incident reporting and emergency response.

5. Suggestions

The Measures establish a mandatory and time-sensitive national framework for cybersecurity incident reporting in China. Non-compliance will be subject to liability under the Cybersecurity Law, the PIPL, the Data Security Law and other relevant regulations. Companies are advised to take the following steps to ensure compliance and reduce risks:

(1) Update emergency response plans and internal reporting procedures

Companies should update their internal cybersecurity incident emergency response plans in accordance with the Measures as soon as possible. The core of the plan is to clearly define the process of “incident discovery → preliminary assessment (classification) → report initiation → simultaneous handling”.

(2) Establish incident classification and closed-loop management processes

Companies should establish internal incident classification operation manuals in accordance with the Classification Guidelines attached to the Measures. These manuals should correlate quantifiable metrics, such as system downtime duration, data breach scale, and economic losses, with their specific business systems, enabling frontline personnel to conduct rapid and accurate preliminary assessments.
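As an added illustration of such a manual (this is not code from the article or its authors), the following Python triage helper encodes the table's quantitative example thresholds, the operators' first-report time limits from section 2, and the mandatory report elements from section 3. The operator category labels and the element keys are assumed names, and the Classification Guidelines contain further dimensions that the helper does not model.

```python
from datetime import datetime, timedelta
from enum import IntEnum

class Level(IntEnum):
    GENERAL = 1
    RELATIVELY_MAJOR = 2
    SIGNIFICANT = 3
    EXTRAORDINARILY_SIGNIFICANT = 4

# Quantitative examples from the table: (level, citizens whose data leaked, direct loss in RMB).
# The table says "over", so comparisons are strict; the Guidelines add dimensions not modelled here.
THRESHOLDS = (
    (Level.EXTRAORDINARILY_SIGNIFICANT, 100_000_000, 100_000_000),
    (Level.SIGNIFICANT, 10_000_000, 20_000_000),
    (Level.RELATIVELY_MAJOR, 1_000_000, 5_000_000),
)

# Operator category (labels assumed here) -> first-report recipient and the operator's time limit.
INITIAL_REPORT = {
    "cii": ("protection authority and public security", timedelta(hours=1)),
    "central_department": ("departmental cyberspace administration body", timedelta(hours=2)),
    "other": ("provincial cyberspace administration", timedelta(hours=4)),
}

# The eight mandatory elements (keys assumed here) plus the three extra fields for ransomware.
REQUIRED_ELEMENTS = ("unit_and_system", "incident_facts", "trend", "cause_analysis",
                     "attribution_clues", "countermeasures_and_requests",
                     "site_protection_status", "other")
RANSOMWARE_ELEMENTS = ("ransom_amount", "payment_method", "payment_date")

def classify(persons_affected: int, direct_loss_rmb: float) -> Level:
    """Preliminary level from the two quantitative example criteria; either one suffices."""
    for level, persons, loss in THRESHOLDS:
        if persons_affected > persons or direct_loss_rmb > loss:
            return level
    return Level.GENERAL

def plan_report(discovered_at: datetime, operator_category: str,
                persons_affected: int, direct_loss_rmb: float):
    """Return (level, recipient, deadline); recipient and deadline are None below relatively major."""
    level = classify(persons_affected, direct_loss_rmb)
    if level < Level.RELATIVELY_MAJOR:
        return level, None, None
    recipient, window = INITIAL_REPORT[operator_category]
    return level, recipient, discovered_at + window

def missing_elements(report: dict, ransomware: bool = False) -> tuple:
    """Mandatory elements still absent from a draft report (ransomware adds three fields)."""
    needed = REQUIRED_ELEMENTS + (RANSOMWARE_ELEMENTS if ransomware else ())
    return tuple(key for key in needed if not report.get(key))
```

A frontline responder would call plan_report with the figures known at discovery and re-run it as the figures change, since the Measures expect updated reports as the picture develops.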

(3) Define internal response personnel and cross-departmental collaboration mechanisms

Companies should establish a clearly defined cybersecurity incident response team with designated personnel to ensure rapid mobilization during incidents, with clearly assigned roles for technical handling, report drafting, legal review, and external communication. Additionally, a sound communication mechanism should be put in place to ensure an efficient and effective response within the organization to any cybersecurity incident, whenever it is detected.
Atticus Zhao, King Wood & Mallesons

Atticus Zhao is a partner at King Wood & Mallesons. Atticus specializes in data compliance and corporate.

Atticus has extensive experience in data compliance, including cybersecurity, personal information protection and cross-border data transfer, corporate data governance, and has provided services to many MNCs in a wide range of industries.

Email: atticus.zhao@cn.kwm.com

Danni Sima, King Wood & Mallesons

Danni Sima is an associate at King Wood & Mallesons. Danni specializes in data compliance and corporate.

Email: simadanni@cn.kwm.com
