Executive Summary
- China’s Cyberspace Administration has issued new cybersecurity measures effective November 1, 2025.
- The rules mandate rapid reporting of cybersecurity incidents, with deadlines as short as one hour for critical infrastructure operators and four hours for other network operators.
- Incidents are classified into four tiers based on severity, considering factors like data leakage, economic loss, and service disruption.
- Failure to comply with the reporting timelines can result in significant liabilities for organizations and individuals under Chinese law.
The Cyberspace Administration of China (CAC) has established a new comprehensive framework for reporting cybersecurity incidents, set to take effect on November 1, 2025. The new measures mandate that network operators in the People’s Republic of China (PRC) report security breaches to authorities within exceptionally short timeframes, in some cases as little as one hour after discovery.
Scope and Reporting Deadlines
The regulations apply to all network operators within the PRC, including owners and administrators of networks, service providers, state organs, and designated critical information infrastructure operators (CIIOs). The reporting timelines vary based on the type of operator. CIIOs face the strictest deadline: they must report incidents to their protection department and the Public Security Bureau within one hour. Other network operators must report to the provincial CAC within four hours, while state organs have a two-hour window.
Incident Classification System
A core component of the new framework is a four-tiered system for classifying cybersecurity incidents based on their severity and impact. Incidents are categorized as particularly major, major, relatively major, or general. The classification depends on various thresholds, including the scale of data leakage, direct economic loss, and the duration of disruption to essential services or critical infrastructure. For example, a leak of personal information affecting over 100 million citizens would be deemed a “particularly major” incident.
Reporting Requirements and Penalties
Initial incident reports must contain detailed information, including the time, place, type, and impact of the event, as well as measures taken and a preliminary analysis of the cause. If not all information is immediately available, a preliminary report must be filed, followed by supplemental updates. Failing to report incidents within the specified timeline or submitting false information can lead to significant liabilities for both the organization and relevant individuals under China’s Cybersecurity Law and other data security regulations. The measures also state that penalties may be mitigated for operators who took reasonable protective measures and reported the incident promptly.
Impact on Businesses
The regulations require network operators to include terms in their contracts with IT and security service providers that oblige these third parties to promptly notify them of any detected incidents, so that official reports can be filed on time. In light of these accelerated timelines, operators in the PRC are advised to review and update their incident response plans, internal escalation procedures, and third-party vendor contracts to ensure compliance.
