Executive Summary
- China’s Cyberspace Administration has issued new cybersecurity incident reporting rules, effective November 1, 2025.
- The measures establish strict reporting deadlines, requiring Critical Information Infrastructure Operators to report incidents within one hour of discovery.
- Incidents are categorized into four tiers—from general to particularly major—based on impact, data loss, and economic damage.
- Non-compliance can lead to liabilities under China’s existing data security and cybersecurity laws.
The Cyberspace Administration of China (CAC) has established a new comprehensive framework for reporting cybersecurity incidents, set to take effect on November 1, 2025. The “Measures on National Cybersecurity Incident Reporting,” issued on September 11, 2025, mandate significantly shorter reporting deadlines for network operators within the People’s Republic of China (PRC), requiring some to notify authorities within one hour of discovering an incident.
Incident Classification System
The new regulations create a four-tiered classification system for cybersecurity incidents based on their severity and impact: particularly major, major, relatively major, and general. The assigned level is determined by specific qualitative and quantitative thresholds, including the extent of system paralysis, the volume and type of data leaked, direct economic loss, and the disruption of essential services. For instance, a data leak involving the personal information of more than 100 million citizens would be classified as “particularly major,” whereas a leak affecting over 1 million would be considered “relatively major.”
Strict Reporting Timelines
A key component of the measures is the imposition of strict, accelerated reporting timelines that vary by the type of operator. Critical Information Infrastructure Operators (CIIOs) are required to report incidents to their protection department and the Public Security Bureau immediately, and no later than one hour after discovery. Other network operators have a maximum of four hours to report incidents to their provincial CAC office. These deadlines apply to all incident levels, from “general” to “particularly major,” that have a negative impact on the country, society, or economy.
Reporting Requirements and Liabilities
Incident reports must contain detailed information, including the time, place, and type of incident, its assessed impact, responsive measures taken, and available forensic leads. If not all of this information is immediately available, a preliminary report must be filed within the deadline and supplemented later. The measures also require network operators to include clauses in contracts with IT and security service providers that ensure assistance with prompt notification. Failure to report in a timely or accurate manner can result in liabilities under existing laws, though penalties may be mitigated if an operator demonstrates effective response and timely reporting.
Recommendations for Operators
The new framework requires all network operators in the PRC to enhance their incident response capabilities. Organizations are advised to review and update internal policies, response plans, and third-party contracts to ensure compliance with the accelerated notification requirements. This proactive approach can help avoid significant penalties under China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law.
