ARTICLE
26 September 2025

China's New Cyber Incident Reporting Rules

AnJie Broad Law Firm

Contributor

AnJie Broad Law Firm is a full-service law firm with a wide range of practice areas. We are committed to delivering high-quality bespoke legal solutions to clients. AnJie Broad has extensive experience serving clients in practice areas such as Capital Market & Securities, Antitrust & Competition, Private Equity & Venture Capital, Intellectual Property, Dispute Resolution, Labor & Employment, Cross-border Investment & Acquisition, Insurance & Reinsurance, Maritime & Shipping, Banking & Finance, Energy, International Trade, Technology Media & Telecommunications, Life Sciences & Healthcare, Private Wealth Management, Real Estate & Construction, Hotels Resorts & Tourism and Media, Game and Entertainment & Sports.

Introduction

Protecting the integrity of networks and data has become a global imperative. China, recognising this, has promulgated the "Administrative Measures for the Reporting of National Cybersecurity Incidents" ("Measures"; effective 1 November 2025). The Measures outline a comprehensive approach to reporting cybersecurity incidents, aiming to minimise losses, incentivise legal compliance, protect national cybersecurity, and align with existing legal frameworks. This article provides an analysis of the Measures' key provisions and offers insights into China's rapidly evolving cybersecurity framework.

Purpose

Article 1 describes the rationale behind the Measures. It emphasises the Measures' alignment with foundational privacy, data, and cyber security laws in China, such as the Cybersecurity Law, Data Security Law, Personal Information Protection Law, and Regulations on the Protection of the Security of Critical Information Infrastructure.

Scope

Article 2 sets the Measures' scope of application to entities involved in developing (note: the Chinese term also captures planning, deployment and putting into service), operating, or providing services through networks within the PRC ("Network Operators").

Defining Cybersecurity Incidents

Article 12 of the Measures clarifies that cybersecurity incidents are events that cause harm to a network, information system, or its data and business application due to human factors, cyberattacks, vulnerabilities, software or hardware defects or malfunctions, force majeure, or other causes, resulting in adverse impacts on the State, society, or the economy.

Regulators

Under Article 3, the national cyberspace authorities coordinate and supervise national cybersecurity incident reporting. In contrast, local cyberspace administrations coordinate and supervise cybersecurity incident reporting within their administrative regions.

Incident Classification

Article 4 contains requirements for reporting incidents categorised as significant or higher, namely: (1) incidents impacting critical information infrastructure, (2) incidents impacting central or state authorities, and (3) incidents impacting other Network Operators.

The sole Annexe to the Measures provides granular guidelines for incident classification based on severity, impact and extent, as described below, in descending order of severity:

Particularly Major Cybersecurity Incidents: These can be identified by important networks and systems facing widespread failure, causing large scale paralysis and loss of functionality, core data, important data or a massive amount of personal information being lost, stolen, tampered with or counterfeited, posing a particularly serious threat to national security and social stability, and the occurrence of other particularly serious threats such as:

  • Party and government websites at the provincial level or above or enterprises and public institutions or news platforms at the central level are inaccessible for 24 hours or more.
  • Critical infrastructure failure for over 6 hours or main function disruption for 24 hours or more.
  • Impact felt by over 50% of a province's populace.
  • Impact on transport, amenities and utilities affecting over 10 million individuals.
  • Leakage, theft, tampering or counterfeiting of important data posing a particularly serious threat to national security and social stability.
  • Leakage of personal information affecting 100 million individuals or more.
  • Impact on Party and government information systems at the provincial level or above or key news websites at the central-level resulting in the extensive dissemination of illegal or harmful information (i) for six hours or more on a homepage or 24 hours or more on other pages, (ii) involving 100,000 or more reposts on social platforms, (iii) involving 1 million clicks or views, or (iv) the CAC determines large scale dissemination to have occurred.
  • Direct economic losses exceeding CNY100 million.
  • Other particularly serious threats.

Major Cybersecurity Incidents: These can be identified by important networks and systems facing partial failure or prolonged functionality interruptions, core data, important data and a large amount of personal information being lost, stolen, tampered with or counterfeited, posing a serious threat to national security and social stability, and the occurrence of other serious threats, such as:

  • Party and government websites at the prefectural level or above or enterprises and public institutions or news platforms at the provincial level are inaccessible for 6 hours or more.
  • Critical infrastructure failure for over 1 hour or main function disruption for over 3 hours.
  • Impact felt by over 50% of a prefecture’s populace.
  • Impact on transport, amenities, and utilities affecting over 1 million individuals.
  • Leakage, theft, tampering or counterfeiting of important data posing a relatively serious threat to national security and social stability.
  • Leakage of personal information affecting over 10 million individuals.
  • Impact on Party and government information systems at the prefectural level or above or key news websites at the provincial-level or above resulting in the relatively large scale dissemination of harmful information (i) for 2 hours or more on a homepage or 12 hours or more on other pages, (ii) involving 10,000 or more reposts on social platforms, (iii) involving 100,000 clicks or views, or (iv) the CAC determines large scale dissemination to have occurred.
  • Direct economic losses exceeding CNY20 million.
  • Other serious threats.

Significant Cybersecurity Incidents: These can be identified by important networks and systems facing significant system losses, impacting operational capabilities, important data and a large amount of personal information being lost, stolen, tampered with or counterfeited posing a relatively serious threat to national security and social stability, and the occurrence of other significant threats, such as:

  • Disruption to Party and government websites at the prefectural level or above or enterprises and public institutions or major news platforms at the provincial level for 2 hours or more.
  • Critical infrastructure failure for over 10 minutes or main function disruption for over 30 minutes.
  • Impact felt by over 30% of a prefecture’s populace.
  • Impact on transport, amenities and utilities affecting over 100,000 individuals.
  • Leakage or theft of important data posing a significant threat to national security and social stability.
  • Leakage of personal information affecting over 1 million individuals.
  • Impact on Party and government information systems at the prefectural level or above or key news websites at the provincial-level or above resulting in the relatively large scale dissemination of harmful information (i) for 30 minutes or more on a homepage or 2 hours or more on other pages, (ii) involving 1,000 or more reposts on social platforms, (iii) involving 10,000 clicks or views, or (iv) the CAC determines relatively large scale dissemination to have occurred.
  • Direct economic losses exceeding CNY5 million.
  • Other particularly serious threats.

General Cybersecurity Incidents: These can be understood as not meeting the criteria of any of the above categories. This is, in essence, a residual category.

Reporting Deadlines

Cybersecurity Incidents involving critical information infrastructure should be reported to the relevant regulator and the public security authorities within one hour.

Network Operators who are central or state authorities or their direct affiliates must report incidents within 2 hours.

Other Network Operators must report incidents categorised as significant or above to the provincial-level cyberspace authorities of their locality within 4 hours.

We note that 12387.cert.org.cn, the official cybersecurity incident reporting platform, only provides the following categorisation options: Particularly Major, Major, and Significant. This appears to suggest that General Cybersecurity Incidents might not be subject to reporting obligations. However, as there is currently no explicit exemption provided under the Measures, organisations that wish to take a more cautious approach to handling Cybersecurity Incidents may wish to report General Cybersecurity Incidents until the CAC provides further guidance.

Industry Specific Requirements

Where industry specific reporting requirements apply, they apply in addition to the Measures.

Crime Reports

The Measures clarify that where illegal or criminal activities occur, reports must also be promptly made to the public security authorities.

Entrusted Processing

Article 5 of the Measures requires Network Operators to require their entrusted processors providing network security, system operation, maintenance or other services to promptly report any incidents they detect and assist Network Operators in making reports.

Detailed Reporting Requirements

Article 7 of the Measures outlines the information Network Operators must include in their reports as follows:

  (1) The name of the entity involved and basic information about the relevant systems or facilities;
  (2) The time and place of discovery or occurrence of the cybersecurity incident, type and level of the incident, as well as the impact and harm caused, and the measures taken and their effectiveness; for ransomware attacks, information such as the demanded ransom amount, payment method, and date shall also be included;
  (3) Trends in the development of the situation and potential further impact and harm;
  (4) A preliminary analysis of the cause of the cybersecurity incident;
  (5) Clues for traceability investigations, including but not limited to possible attacker information, attack paths, and existing vulnerabilities;
  (6) Proposed further response measures and any support requested;
  (7) The preservation of the scene of the cybersecurity incident; and
  (8) Any other circumstances that should be reported.

Where the cause, impact, or development trend of a cybersecurity incident cannot be determined within the prescribed time limits, Network Operators should make an initial report containing the information outlined in (1) and (2) and may report other matters later and in a timely manner.

Where important new circumstances arise after a report is made, a supplementary report should be submitted.

We note that the official cybersecurity incident reporting platform provides a reporting form. A translated version of that form is shown below.

Cybersecurity Incident Report Form

1. Basic information of the entity where the incident occurred

  • * Name of the unit
  • * The location where the incident occurred
  • Head of cybersecurity
  • Cybersecurity lead phone number
  • Fax

2. Initial assessment of cyber security incidents

  • * Type of initial incident
  • * Initial event level
  • Criteria for judgment
  • * Basic information about the entity where the incident occurred and the facility where the cyber security incident occurred
  • * Time, location and brief course of events
  • * The impact and harm caused by the incident
  • * Measures taken and effects

3. Further assessment of the cyber security incident (if it cannot be determined within 4 hours of the incident, a supplementary report must be made within 72 hours after the first report.)

  • Initial determination of the cause of the incident
  • The development of the situation and the possible further impact and harm
  • Other additions

4. Basic information of the reporter

  • * The organization to which the reporter belongs
  • * Name of the reporter
  • * The reporter's mobile phone number
  • Reporter’s landline phone

Incident Disposal Reports

Article 8 mandates Network Operators to conduct a thorough analysis and summary within 30 days of the incident, covering incident causes, emergency response measures, harm caused, liability, rectification status, lessons learned, and other relevant matters (“Incident Disposal Reports”). Incident Disposal Reports should be submitted through the original reporting channel.

Reporting Channel

Article 9 states that the cyberspace authorities should establish the 12387 hotline, as well as websites, email, fax, and other channels, to uniformly receive reports of cybersecurity incidents. Based on a press release by the Cyberspace Administration of China, the following reporting channels now exist:

Tel: 12387

URL: 12387.cert.org.cn

WeChat Mini Program: Search for “12387”

Email: 12387@cert.org.cn

Fax: 010-82992387

Enforcement and Consequences

Article 10 states that Network Operators who fail to report cybersecurity incidents shall be subject to penalties in accordance with applicable law and regulations, while any delay, omission, false report, or withholding of information about cybersecurity incidents which leads to major adverse consequences will result in severe penalties for Network Operators and relevant responsible persons.

The Personal Information Protection Law (“2021 PIPL”) is the applicable law with the highest penalties. It states the following:

If the illegal activity… is of a grave nature, the violator will be ordered to make a correction, confiscated of any illegal gain, and fined up to [the higher of] CNY50 million, or 5% of last year's annual revenue… and may also be ordered to suspend any related activity or to suspend business for rectification, and/or be reported to the relevant authority for the revocation of the related business permit or the business license; and any person in charge or any other individual directly liable for the violation will be fined [and banned from certain roles for a time].

The above should be read with the Provisions on the Application of Discretionary Criteria for Administrative Penalties by Cyberspace Authorities (“Discretionary Criteria”), which describes the factors that the CAC will consider when issuing penalties. Due to the nature of the reporting requirements under the Measures, it seems that there might be less scope for mitigating penalties and more scope for aggravating them under the Discretionary Criteria.

Safe Harbour

Article 11 provides for discretionary liability exemptions and reductions for Network Operators who have implemented reasonable and necessary protective measures, handled incidents in accordance with contingency plans, effectively mitigated the incident’s impact, and reported the incident per the Measures. Article 11 can be viewed as an incentive for actively developing and documenting a robust internal compliance framework.

Conclusion

China has finalised the Administrative Measures for the Reporting of National Cybersecurity Incidents, which enter into force on 1 November 2025. These Measures oblige any organisation that develops, operates or supplies network services in the PRC to notify significant-or-higher level incidents within 1 to 4 hours, depending on the entity’s status, and to file a full Incident Disposal Report within 30 days.

Failure to report on time can trigger penalties that, in principle, can reach up to 5% of annual turnover under the 2021 PIPL, while prompt disclosure and documented mitigation steps may result in exemption or leniency.

A unified 12387 hotline, portal and e-mail address have been set up to receive filings. These contact details should be saved by DPOs and IT managers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
