LawFlash

China Issues New Cybersecurity Incident Reporting Framework

September 19, 2025

The National Cybersecurity Incident Reporting Management Measures (《国家网络安全事件报告管理办法》) were promulgated by the Cyberspace Administration of China (CAC) on September 11, 2025 and will take effect on November 1, 2025. These regulations establish a standardized framework for reporting cybersecurity incidents to ensure timely responses, minimize damages, and enhance national cybersecurity resilience.

The National Cybersecurity Incident Reporting Management Measures (the Measures) require all network operators in China (including domestic and foreign entities) to report cybersecurity incidents that reach the relatively large (较大) tier or above, for example when the personal information of more than 1 million citizens is leaked. Once the reporting obligation is triggered, the initial report is due within one, two, or four hours depending on the type of operator (see Section 2.B below), and a comprehensive review report must follow within 30 days of resolving the incident.

Additionally, operators must ensure, through contracts or other binding agreements, that third-party providers of network security, system operation, or maintenance services promptly report any incidents they discover and assist the operator in reporting them. To ensure compliance and mitigate risk, operators should develop and test incident response plans, write the reporting requirements into vendor contracts, and train employees so that they can recognize threats and understand the reporting thresholds and procedures.

This LawFlash summarizes the key points from the Measures.

1. WHAT CONSTITUTES A REPORTABLE CYBERSECURITY INCIDENT?

The Measures apply to all network operators (网络运营者) within China. This includes both domestic entities and foreign companies operating networks or providing online services in China.

A cybersecurity incident is defined as an event that causes harm to networks and information systems or the data and business applications therein due to human factors, network attacks, network vulnerabilities, software and hardware defects or failures, force majeure, etc., and has a negative impact on the country, society, and economy.

Under the Measures, not all cybersecurity incidents require reporting. Only those classified as relatively large (较大), major (重大), or particularly major (特别重大) under the Cybersecurity Incident Grading Guide (Appendix 1) are subject to mandatory reporting.

2. INCIDENT CLASSIFICATION AND REPORTING DEADLINES

A. Incident Classification

The Measures classify cybersecurity incidents into four tiers (particularly major, major, relatively large, and general) based on the Cybersecurity Incident Grading Guide. Incidents that reach the relatively large tier or above must be reported. The relatively large tier, being the lowest reportable tier, is summarized below; the full guide is reproduced in Appendix 1.

A relatively large cybersecurity incident is one that meets any of the following circumstances but falls short of a major cybersecurity incident:

  1. Major system losses in important networks and information systems, resulting in system outages that significantly impact system efficiency and business processing capabilities
  2. Important data or a relatively large amount of personal information of citizens is lost, stolen, tampered with, or forged, posing a significant threat to national security and social stability
  3. Other cybersecurity incidents that pose a relatively significant threat to or have a relatively significant impact on national security, social order, economic development, and the public interest

Generally, a relatively large cybersecurity incident is one that meets any of the following conditions (the remaining conditions, covering tampering with websites, direct economic losses, and a catch-all, are listed in Appendix 1, Part III):

  1. The portal websites of party and government agencies, enterprises, and institutions at or above the municipal level, or key news websites at or above the provincial level, are inaccessible for more than two hours due to an attack or failure
  2. The entire critical information infrastructure experiences a disruption in operation for more than 10 minutes or a disruption in its main functions for more than 30 minutes
  3. Water, electricity, gas, oil, heating, transportation, medical care, shopping, or other aspects of work and daily life are affected for more than 30% of the population of one or more municipal-level administrative regions, or for more than 100,000 people
  4. Important data is leaked or stolen, posing a serious threat to national security and social stability
  5. The personal information of more than 1 million citizens is leaked

B. Mandatory Reporting Timelines

A cybersecurity incident reaching the relatively large threshold must be reported within the following timelines. The first column gives the operator's own deadline for the initial report; the second gives the deadline for the receiving authority to pass the report up the chain when the incident is major or particularly major.

Critical Information Infrastructure (CII) Operators
  Initial report deadline: within one hour, to the CII protection department and the police
  Onward reporting (major/particularly major): the CII protection department and the police report to the national authorities within 30 minutes

Central Government Agencies
  Initial report deadline: within two hours, to the agency's internal cybersecurity department
  Onward reporting (major/particularly major): the internal cybersecurity department reports to the CAC within one hour

Other Network Operators
  Initial report deadline: within four hours, to the provincial CAC
  Onward reporting (major/particularly major): the provincial CAC reports to the national CAC within one hour

C. Additional Requirements

Network operators shall, through contracts or other means, require organizations or individuals providing them with network security, system operation, and maintenance services to promptly report any network security incidents discovered during monitoring and assist the operators in reporting such incidents.

Individuals/organizations are encouraged to report major incidents via the 12387 hotline, email, or the CAC’s online portal.

3. WHAT TO REPORT?

Reports must include the following:

  1. Basic Information: Name of the affected organization and details of the affected systems or facilities
  2. Incident Details: Discovery time, location, type, severity, current impact, mitigation steps taken, and their effectiveness. For ransomware, information about the ransom amount, payment method, and deadline should also be included
  3. Risk Assessment: Potential escalation risks and projected damages
  4. Suspected Causes: For example, malware or an insider threat
  5. Source-Tracing Clues: Including but not limited to information about possible attackers, attack paths, and existing vulnerabilities
  6. Next Steps: Proposed further response measures and any requests for support
  7. Scene Preservation: Security measures taken to preserve the incident site (for example, retained logs and isolated systems)
  8. Other matters that should be reported

Note:

  • If full details are unavailable within the reporting deadline, submit a preliminary report containing at least Items 1 and 2 and supplement the remaining items as they become known
  • Within 30 days of resolving an incident, operators must submit a comprehensive review report covering the following:
    • Cause
    • Response effectiveness
    • Damages
    • Accountability
    • A comprehensive analysis and summary of rectification status and lessons learned

4. PENALTIES FOR NONCOMPLIANCE

A network operator failing to meet reporting requirements shall face administrative fines as stipulated in applicable laws.

If a network operator delays reporting, fails to report, or submits false/misleading reports regarding a cybersecurity incident, and such actions result in significant consequences, both the operator and relevant responsible personnel shall face enhanced penalties under applicable laws.

Entities may qualify for reduced or waived penalties if they took reasonable and necessary protective measures, handled the incident in accordance with their emergency plan, effectively reduced its impact and harm, and reported it in a timely manner.

5. PRACTICAL RECOMMENDATIONS

To align with the Measures and minimize legal/operational risks, network operators should implement the following safeguards:

  • Conduct a risk assessment: Map critical systems and data flows to identify high-risk areas
  • Develop an incident response plan (IRP), assign roles (e.g., IT, legal, and PR teams), and simulate breach scenarios
  • Update vendor contracts: Require third-party providers to adhere to reporting requirements
  • Train employees: Educate staff on identifying incidents (e.g., phishing, unusual system behavior) and understanding reporting thresholds and procedures

Appendix 1

Cybersecurity Incident Classification Guidelines

I. Particularly Major Cybersecurity Incidents

A cybersecurity incident is considered particularly major if any of the following circumstances are met:

  1. Important networks and information systems suffer particularly severe system damage, resulting in widespread system paralysis and loss of business processing capabilities.
  2. Core data, important data, or massive amounts of personal information of citizens are lost or stolen, tampered with, or forged, posing a particularly serious threat to national security and social stability.
  3. Other cybersecurity incidents that pose a particularly serious threat to, or have a particularly severe impact on, national security, social order, economic development, and the public interest.

Generally, a cybersecurity incident is considered particularly major if any of the following conditions are met:

  1. The portal websites of provincial-level or higher party and government agencies, or key central news websites, are inaccessible for more than 24 hours due to an attack or failure
  2. The entire critical information infrastructure experiences a disruption in operation for more than six hours, or its main functions are interrupted for more than 24 hours
  3. Water, electricity, gas, oil, heating, transportation, medical care, shopping, or other aspects of daily life are affected for more than 50% of the population of one or more provincial-level administrative regions, or for more than 10 million people
  4. Core data or important data is leaked or stolen, tampered with, or counterfeited, posing a particularly serious threat to national security and social stability
  5. The personal information of more than 100 million citizens is leaked
  6. The portal websites of provincial-level or higher party and government agencies, key central news websites, or “super large” network platforms are attacked and tampered with, resulting in the dissemination of illegal and harmful information on an extraordinarily large scale; any of the following situations can be considered “extraordinarily large-scale” dissemination:
    1. Appearing on the homepage for more than six hours or on other pages for more than 24 hours
    2. Forwarded more than 100,000 times through social platforms
    3. Viewed or clicked more than 1 million times
    4. Recognized as “extraordinarily large-scale dissemination” by provincial-level or higher cybersecurity departments and public security organs
  7. Causing direct economic losses of more than 100 million renminbi
  8. Other cybersecurity incidents that pose a particularly serious threat to national security, social order, economic development, and public interests, or cause particularly serious impacts

II. Major Cybersecurity Incidents

A major cybersecurity incident is one that meets any of the following circumstances but falls short of being a particularly major cybersecurity incident:

  1. Severe system damage to important networks and information systems, resulting in prolonged system outages or partial paralysis, significantly impacting business processing capabilities
  2. Core data, important data, or large amounts of personal information of citizens are lost, stolen, tampered with, or forged, posing a serious threat to national security and social stability
  3. Other cybersecurity incidents that pose a serious threat to or have a significant impact on national security, social order, economic development, and the public interest

Generally, a major cybersecurity incident is considered one that meets any of the following conditions:

  1. The portal websites of party and government agencies, enterprises, and institutions at or above the municipal level, or key news websites at or above the provincial level, are inaccessible for more than six hours due to an attack or failure
  2. The entire critical information infrastructure experiences a disruption in operation for more than one hour or a disruption in its main functions for more than three hours
  3. Water, electricity, gas, oil, heating, transportation, medical care, shopping, or other aspects of daily life are affected for more than 50% of the population of one or more municipal-level administrative regions, or for more than 10 million people
  4. Core data or important data is leaked or stolen, tampered with, or counterfeited, posing a serious threat to national security and social stability
  5. The personal information of more than 10 million citizens is leaked
  6. The portal websites of party and government agencies, enterprises, and institutions at or above the municipal level; key news websites at or above the provincial level; or large-scale network platforms are attacked and tampered with, resulting in the widespread dissemination of illegal and harmful information; any of the following situations can be considered “widespread”:
    1. Appearing on the homepage for more than two hours or on other pages for more than 12 hours
    2. Forwarded more than 10,000 times through social platforms
    3. Viewed or clicked more than 100,000 times
    4. Recognized as “widespread” by the provincial-level or higher cybersecurity departments and public security organs
  7. Causing direct economic losses of more than 20 million renminbi
  8. Other network security incidents that pose a serious threat to or have a serious impact on national security, social order, economic development, and the public interest

III. Relatively Large Cybersecurity Incidents

A relatively large cybersecurity incident is one that meets any of the following circumstances but falls short of a major cybersecurity incident:

  1. Major system losses in important networks and information systems, resulting in system outages that significantly impact system efficiency and business processing capabilities
  2. Important data or a relatively large amount of personal information of citizens is lost, stolen, tampered with, or forged, posing a significant threat to national security and social stability
  3. Other cybersecurity incidents that pose a relatively significant threat to or have a relatively significant impact on national security, social order, economic development, and the public interest

Generally, a relatively large cybersecurity incident is considered one that meets any of the following conditions:

  1. The portal websites of party and government agencies, enterprises, and institutions at or above the municipal level, or key news websites at or above the provincial level, are inaccessible for more than two hours due to an attack or failure
  2. The entire critical information infrastructure experiences a disruption in operation for more than 10 minutes or a disruption in its main functions for more than 30 minutes
  3. Water, electricity, gas, oil, heating, transportation, medical care, shopping, or other aspects of work and daily life are affected for more than 30% of the population of one or more municipal-level administrative regions, or for more than 100,000 people
  4. Important data is leaked or stolen, posing a serious threat to national security and social stability
  5. The personal information of more than 1 million citizens is leaked
  6. The portal websites of party and government agencies, enterprises and institutions, key news websites, online platforms, etc., are attacked and tampered with, resulting in the dissemination of illegal and harmful information on a relatively large scale; any of the following situations can be considered “relatively large-scale” dissemination:
    1. Appearing on the homepage for more than 30 minutes or on other pages for more than two hours
    2. Forwarded more than 1,000 times through social platforms
    3. Viewed or clicked more than 10,000 times
    4. Recognized as “relatively large-scale dissemination” by provincial-level or higher cybersecurity departments and public security organs
  7. Causing direct economic losses of more than 5 million renminbi
  8. Other cybersecurity incidents that pose a relatively serious threat to national security, social order, economic development, and public interests, or cause a relatively serious impact

IV. General Cybersecurity Incidents

Apart from the above-mentioned cybersecurity incidents, cybersecurity incidents that pose a certain threat to national security, social order, economic development, and public interests, or cause a certain impact, are general cybersecurity incidents.

Note: In this guide, thresholds expressed as “more than” or “at or above” (以上) include the stated figure itself; for example, an outage of exactly two hours meets the “more than two hours” condition.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:

Authors
Todd Liao (Shanghai)
Sylvia Hu (Shanghai)