Following our previous article regarding the consultation draft of the Administrative Measures for Reporting Cybersecurity Incidents (https://www.hsfkramer.com/insights/2024-01/China-Releases-Draft-Measures-for-Cybersecurity-Incident-Reporting) (Draft), the Cyberspace Administration of China (CAC) officially issued the final version of the measures (https://www.cac.gov.cn/2025-09/15/c_1759583017717009.htm) on September 11, 2025 (Measures). The Measures will take effect on November 1, 2025, and mark a significant step toward formalizing China's cybersecurity incident reporting regime.
The final Measures retain the core structure of the Draft but introduce several notable refinements in terms of reporting thresholds, procedures, and liability exemptions. We summarize the key highlights and practical implications for network operators in this article.
Scope of Application
The Measures require all network operators that build or operate networks, or provide services through networks, within China to report cybersecurity incidents in accordance with the Measures when such incidents occur (Article 2). The Measures further clarify that the term "network operators" refers to owners, administrators, and service providers of networks (Article 12).
Special provisions apply to Critical Information Infrastructure Operators (CIIOs) and central government agencies (Article 4).
Reporting Regime
The Measures require that incidents classified as "Relatively Severe Cybersecurity Incidents" or above (i.e., "Extremely Severe Cybersecurity Incidents", "Severe Cybersecurity Incidents" and "Relatively Severe Cybersecurity Incidents", collectively "Critical Cybersecurity Incidents") be reported by the network operator to its local provincial CAC within 4 hours of identifying a qualifying incident (Article 4). This is a relaxation from the Draft's one-hour time limit.
In addition, network operators must require service providers (e.g., cybersecurity vendors, system maintenance teams) to promptly report any detected cybersecurity incidents and assist in fulfilling their reporting obligations. This should be formalized through contracts or other binding arrangements (Article 5).
Double Layers of Reporting for Critical Cybersecurity Incidents
For Severe or Extremely Severe Cybersecurity Incidents, the provincial-level CAC must report the incident to the national CAC within one hour and simultaneously notify relevant departments at the same administrative level.
Where the incident involves Critical Information Infrastructure (CII), the CIIOs must report to the CII protection authority and the Public Security Bureau within one hour. For Severe or Extremely Severe Cybersecurity Incidents, these authorities must further report to the national CAC and the Ministry of Public Security within half an hour.
In addition, operators must report the incident to the relevant industry regulator, if required. Where the incident is suspected to involve criminal activity, it must be reported to the Public Security Bureau (Article 4).
Reporting Channels
To facilitate timely reporting, the CAC has established six official channels for cybersecurity incident reporting. Network operators, social organizations, and individuals may report incidents through any of the following: the 12387 hotline, the official website, the WeChat official account, the WeChat mini program, email, and fax (Article 9).
Classification of Cybersecurity Incidents
The Guidelines for the Categorization and Classification of Cybersecurity Incidents attached to the Measures divide cybersecurity incidents into four levels:
- Extremely Severe Cybersecurity Incidents
- Severe Cybersecurity Incidents
- Relatively Severe Cybersecurity Incidents
- General Cybersecurity Incidents
Mandatory reporting under the Measures begins with Relatively Severe Cybersecurity Incidents and extends to the Severe and Extremely Severe Cybersecurity Incidents. The thresholds that trigger reporting obligations are defined as follows:
- Portal websites of Party or government departments at or above the city level, or key news websites, become inaccessible for more than 2 hours due to attacks or failures.
- The overall operation of Critical Information Infrastructure (CII) is interrupted for more than 30 minutes, or its main functions are interrupted for more than 2 hours.
- Incidents affect the work and life of over 30% of the population in a single city-level administrative region, or impact water, electricity, gas, oil, heating, or transportation services for more than 100,000 people.
- Theft or leakage of important data poses a major threat to national security or social stability.
- Leakage of personal information involves more than 1 million individuals.
- Portal websites of Party or government departments at or above the city level, or key news websites, are tampered with, resulting in the large-scale dissemination of illegal or harmful content (e.g., appearing on the homepage for over 30 minutes, on other pages for over 2 hours, shared over 1,000 times on social media, or viewed over 10,000 times).
- Incidents cause direct economic losses exceeding RMB 5 million.
- Any other cybersecurity incident that poses a major threat to national security, social order, economic development, or public interest, and causes significant negative impact.
Report Contents
The final Measures specify the contents to be included in incident reports, including (Article 7):
- Name of the affected entity and basic information about the involved systems or facilities;
- Time, location, type, and severity level of the incident, as well as the impact and damage caused, and measures taken and their effectiveness; for ransomware attacks, the report shall also include the ransom amount, payment method, and payment date;
- The development trend of the incident and potential further impact or damage;
- Preliminary analysis of the cause of the incident;
- Clues for tracing the incident, including but not limited to possible attacker information, attack paths, and existing vulnerabilities;
- Proposed further response measures and any requests for support;
- Status of on-site preservation of the incident;
- Any other information that should be reported.
If the cause, impact, or development trend of the incident cannot be determined within the specified timeframe, the information under Items 1 and 2 may be reported first, followed by timely supplementary reporting (Article 7). The previous 24-hour time limit for supplementary reporting required in the Draft no longer applies.
Post-Incident Report
A post-incident report must be submitted within 30 days after the incident is resolved. This report should include a comprehensive analysis and summary covering the causes, emergency response measures, damage caused, accountability handling, and rectification efforts. This replaces the "5 business days" requirement in the Draft (Article 8).
Who Can Report Critical Cybersecurity Incidents
Any organisation or individual is encouraged to report Critical Cybersecurity Incidents to the CAC (Article 6). Additionally, service providers should remind operators to report such incidents. If the operator intends to conceal or refuses to report an incident, the service provider may report it.
Benefits of Reporting
The final Measures retain the safe harbour clause in the Draft, namely: if the network operator has taken reasonable and necessary protective measures, responded according to the emergency plan, effectively reduced the impact and harm of the cybersecurity incident, and reported it in a timely manner as required by the Measures, the liability of the relevant entity and personnel may be mitigated or waived depending on the circumstances (Article 11).
Compared to the Draft, the final Measures strengthen the incentive for timely reporting by replacing the phrase "actively reporting" with "reporting in a timely manner." In addition, the wording "make best efforts to reduce harm" was revised to "effectively reduce harm," placing greater emphasis on actual outcomes rather than intent.
Penalties
Operators who fail to report cybersecurity incidents will be penalised in accordance with the relevant laws and regulations, with severe penalties for situations where an operator delays, omits, falsely reports, or conceals cybersecurity incidents leading to severe consequences (Article 10).
The Measures also include a double-layer penalty structure, meaning that not only the operators (i.e., companies) but also the responsible individuals (such as the legal representative or DPO) may be held liable.
Practical Implications for Enterprises
The final Measures reflect a more pragmatic and risk-based approach to cybersecurity incident reporting. By clarifying procedures, the CAC aims to enhance regulatory efficiency while reducing unnecessary burdens on enterprises.
To prepare for the implementation of the Measures, network operators should consider the following actions:
- Review and update contracts with cybersecurity and IT service providers to ensure they include clear obligations for incident detection and reporting;
- Prepare or update incident response plans to ensure timely reporting within the four-hour window;
- Designate dedicated teams or individuals (e.g., cybersecurity, legal, compliance) to lead reporting efforts;
- Conduct simulation exercises and training;
- Maintain detailed records of incident handling to support post-incident reporting and potential exemption claims.