Date: 2023-12-14

On December 8, 2023, the Cyberspace Administration of China (CAC) introduced the Administrative Measures for the Reporting of Cybersecurity Incidents (Draft) ("Measures"). This significant draft, now open for public commentary, mandates specific reporting requirements for network operators in the event of a cybersecurity incident. It clearly outlines the categories of incidents that need to be reported, the information that must be included in these reports, and the consequences for failing to report. The Measures mark a critical enhancement in China's approach to managing and mitigating cybersecurity risks.

1. Identifying the Key Subjects: Who Do the Measures Apply To

The Measures specifically target key subjects within the PRC jurisdiction responsible for network-related activities. These subjects, when facing incidents that jeopardize network security, are obligated to report per the Measures. The primary subjects include:

| Subjects | How to Identify |
| --- | --- |
| Network Infrastructure Builders | those involved in the construction of network systems within China |
| Network Service Providers | entities providing network services, including ISPs, data centres, etc. |
| Network Operators | owners and administrators of networks and network service providers |

The above subjects are hereinafter collectively referred to as "Operators".

Each of these Operators must promptly report any 'cybersecurity incident', defined by the Measures as events causing harm to networks or information systems due to human error, technical failures, natural disasters, and other similar causes.

2. Reporting Procedure: How Should the Cybersecurity Incident Be Reported

The Measures require Operators to adhere to specific reporting procedures, which vary depending on the severity of the cybersecurity incident. Each category of incident demands distinct reporting protocols, as outlined in the table below: