
    23.10.2025

    China: New Cybersecurity Incident Reporting Measures


    Network data processors in China are legally required to report cybersecurity incidents to authorities under the China Data Security Law, the China Personal Information Protection Law, the China Cybersecurity Law and other applicable Chinese laws and regulations, such as the Network Data Security Management Regulations, which came into effect on 1 January 2025 and oblige network data processors to report to the competent Chinese authorities within 24 hours if they discover risks in their network products or services that may cause threats to national security or the public interest, even if those threats have not necessarily materialized.

    The new Measures on National Cybersecurity Incident Reporting issued by the Cyberspace Administration of China (CAC) and coming into effect on 1 November 2025 require much faster action - between 1 and 4 hours if network operators detect a cybersecurity incident that has caused harm to networks and information systems, or their data and business applications, and has a negative impact on the country, society, or economy due to human factors, network attacks, vulnerabilities, software or hardware defects or failures, force majeure, etc.

    Who is governed by the new Measures?

    All network operators are governed by the new Measures, that is, everyone who, as an owner or administrator of networks or network services, builds, operates, or provides services through networks within China. This includes but is not limited to critical information infrastructure (CII) operators (so-called CIIOs, i.e., enterprises that operate CIIs and that have been notified by the competent authorities that they are categorized as CIIOs) as well as government entities.

    What is considered a cybersecurity incident under the new Measures?

    The new Measures divide such incidents into four different levels based on their severity and impact: 

    | Threshold | Exceptionally Major | Major | Relatively Major | General |
    | --- | --- | --- | --- | --- |
    | Impact | Important network & information systems suffer exceptionally severe system losses, causing large-scale system unresponsiveness and loss of business processing capabilities; other incidents posing exceptionally severe threats or impacts on national security, social order, economic construction, and public interests | Important networks and information systems suffer severe system losses, causing long-term system disruption or partial unresponsiveness, substantially affecting business processing capabilities; other incidents posing a severe threat or impact on national security, social order, economic construction, and public interests | Important networks and information systems suffer large system losses, causing system disruption, significantly affecting system efficiency and business processing capabilities; other incidents posing a relatively severe threat or impact on national security, social order, economic construction, and public interests | Other cybersecurity incidents that pose certain threats or impact on national security, social order, economic construction, and public interests, but do not meet the thresholds of the higher categories to the left |
    | Data leaked | Core/important data & extensive personal information are leaked, posing an exceptionally severe threat to national security and social stability | Core/important data & large numbers of personal information are leaked, posing a severe threat to national security and social stability | Important data and a relatively large number of personal information are leaked, posing a relatively severe threat to national security and social stability | |
    | Personal information leaked | > 100 mil data subjects | > 10 mil data subjects | > 1 mil data subjects | |
    | Direct economic loss | > RMB 100 mil | > RMB 20 mil | > RMB 5 mil | |
    | CII disruption | Disruption of the entire CII of > 6 hours or disruption of main functions of > 24 hours | Disruption of the entire CII of > 1 hour or disruption of main functions of > 3 hours | Disruption of the entire CII for > 10 min. or disruption of main functions of > 30 min. | |
    | Disruption of essential service for: | > 50% of the population of one or more provinces or > 10 mil people | > 50% of the population of one or more municipalities or > 1 mil people | > 30% of the population of one or more municipalities or > 100k people | |

    Note: If any one threshold is met for one of the four incident levels, the incident must be classified under the higher level of cybersecurity incident that has been met. In other words, the thresholds for each incident level should be read independently, not cumulatively.

    What are the reporting and other obligations under the new Measures?

    Once a network operator becomes aware of a cybersecurity incident involving its own network/business, it must conduct an incident assessment following the Guidelines for the Classification of Cybersecurity Incidents which are appended to the new Measures. 

    The new Measures allocate different reporting obligations depending on the nature of the network operator and the severity of the incident: 

    | CIIOs | Central & State Government and direct Affiliates | Other network operators |
    | --- | --- | --- |
    | Incidents at or above “relatively major” levels must be reported within 1 hour to the CAC protection department & PSB. | Incidents at or above “relatively major” levels must be reported within 2 hours to the cybersecurity work unit of their department. | Incidents at or above the “relatively major” level shall be reported within 4 hours to the provincial CAC department. |
    | Incidents at “major or exceptionally major” levels must be reported within 30 minutes to the CAC protection department & PSB and they shall report the incident to national CAC and the PSB department of the State Council. | Incidents at the “major or exceptionally major” levels shall be reported within 1 hour by the cybersecurity work units of the relevant department to the national CAC department who shall conduct the onward reporting. | Incidents at the “major or exceptionally major” levels shall be reported within 1 hour to the provincial CAC department who shall report to the national CAC department and to the relevant departments at the same level. |

    CAC provides different reporting channels such as the telephone hotline reachable at 12387, as well as email (12387@cert.org.cn) and other reporting modes, all accessible via the CAC’s website https://12387.cert.org.cn/index.html

    The reporting timelines are calculated from the point in time when the network operator becomes aware of the incident. If the circumstances of the incident cannot be determined in full within the statutory notification deadlines, the network operator shall submit a preliminary report (containing whatever information is available at that time) and then provide an updated comprehensive report as soon as possible once more information becomes available. 

    In addition, interim updates on major developments, as well as a final summary report, shall be provided within 30 days after the incident has been remedied (including information on the cause of the incident, remedial measures taken, scope of impact, accountability, and improvements made).

    Reports should include the following information:

    • Affected entity and system
    • Time, place, type, and level of incident; impact, damage, measures taken and results thereof
    • Preliminary analysis of the cause of the incident
    • Suggested remedies and support
    • Security measures in place at the time of the incident
    • Potential attacker information, attack path, vulnerabilities, and, in the case of ransomware incidents, the ransom amount requested and payment method
    • Other facts material to the incident

    In addition, if special reporting obligations apply to certain industry sectors, these shall be followed as well, and if any illegal or criminal activities are suspected, the PSB must always also be notified.

    If network operators employ external IT service providers, the contracts between them must require such providers to immediately notify the network operators of any incidents in their networks and to assist with the mandatory reporting thereof.

    Any failure to comply with reporting obligations under the new Measures exposes network operators and their responsible employees or agents to liabilities under the Chinese Cybersecurity Law, Data Security Law, Personal Information Protection Law and other applicable Chinese laws and regulations. Fines can range from RMB 50k to RMB 50 mil depending on the seriousness of the incident and the type of data involved, and network operators are exposed to heavier consequences if their delay in proper reporting caused more serious consequences. Any reasonable and necessary protective measures taken by the network operator may mitigate such liability.

    How should network operators react to the new Measures?

    Considering the new Measures, network operators should review, revise, prepare and verify: 

    • Incident response policies and plans to align with the accelerated notification requirements
    • Internal procedures to ensure timely escalation of cybersecurity incidents to the appropriate personnel
    • Report templates to align with the information requirements under the new Measures
    • External IT service contracts to ensure they stipulate immediate notification and assistance obligations, or are amended accordingly

    Susanne Rademacher
    Dr Jenna Wang-Metzner
    Kelly Tang
