China: Draft Incident Reporting Regulation

Written By

harry qu Module
Harry Qu

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, TMT, as well as antitrust and anti-competition law.

On 18 December 2023, the Cyberspace Administration of China (“CAC”) publicly released the Cybersecurity Incident Reporting Management Measures (Draft for Comments) (“Measures”), providing detailed guidance for reporting cybersecurity incidents.

Who should report?

The obligation to report applies to network operators engaged in constructing and operating networks within the territory of the People’s Republic of China, or those providing services via these networks (collectively referred to as “Operators”).

The Measures classify Operators with reporting obligations into three categories:

  1. Central Governmental Entities: Central and state organs and their affiliated public institutions;
  2. Critical information infrastructure operators (“CIIO”): The Operator of critical information infrastructure. The competent authorities and supervisory and management authorities of critical industries and fields are responsible for identifying CIIOs and informing them of their status; and
  3. Other Operators.

Reporting to whom?

The Measures specify the regulatory authorities that each category of entity is required to report to.

No. Type of Operator Reporting Authorities
1 Central Governmental Entities
  • The functional branch responsible for network and information security within the sector-specific regulator; and
  • Public security authorities (if there is suspicion of crimes)
CIIOs
  • The competent authorities. supervisory and management authorities; and
  • Public security authorities
3 Other Operators
  • Local cyberspace administration;
  • Public security authorities (if there is suspicion of criminal activity); and
  • Sector-specific regulatory authorities (if applicable).

 

How to report?

Overview

The Measures offer a succinct overview of the reporting process after a cybersecurity incident occurs:

  1. Incident classification: Operators should classify the incident based on Annex 1 Cybersecurity Incident Classification Guide of the Measures, which categorises cybersecurity incidents into four levels from highest to lowest severity: extremely significant, significant, relatively significant, and general.

  2. Initial report: Operators should implement appropriate security Measures and initiate reporting based on the classified level of the cybersecurity incident. The information should be included in the report and enterprises could rely on the Annex 2 Cybersecurity Incident Information Report Form of the Measures to the conduct report.

  3. Supplementary report: If the cause, impact, or tendency of the incident cannot be determined during the initial report, or if new developments arise or significant progress is made in the investigation, Operators should submit a supplementary report.

  4. Summary report: Once the incident has been resolved, Operators need to summarise and analyse, including the cause of the incident, contingency response Measures, harm, allocation of responsibilities, rectification status, lessons learned, etc.

Timeframe

The Measures specify different timeframes for three categories of reports.

  1. Initial report: When relatively significant or extremely significant cybersecurity incidents occur, Operators shall report to the authorities within one hour. Considering the complexity of the reporting content, the 1-hour timeframe is extremely stringent for enterprises. Therefore, enterprises are recommended to formulate and implement contingency response plans, and ensure rapid identification of the facility, system, or platform where the security incident occurred.

  2. Supplementary report: If applicable, Operators are required to submit a supplementary report within 24 hours.

  3. Summary report: Operators need to summarise and analyse the incident within five working days and report to the authorities.

Next Steps, Impacts and Our Suggestions

The Measures has now completed its call for public comment, and the CAC will make further revisions based on the public comments. Although the exact timing of the release of the final version is uncertain, the issuance of the Measures indicates that enforcement activities related to cybersecurity incidents might become more frequent and stringent in the future.

We advise enterprises to continuously monitor further legislative developments and establish a comprehensive incident contingency response and reporting mechanism. It is recommended that enterprises conduct a prior mapping and prepare templates with basic information on each network and system in advance so that they can respond to incidents quickly and fulfil reporting obligations promptly. At the same time, enterprises should pay attention to the following aspects:

  • Establishing data security management policy, especially emergency plans related to cybersecurity incidents.
  • Conducting regular drills for cybersecurity incidents.
  • Strengthening employees’ awareness of cybersecurity and data security through regular training and other means.
  • Enhancing security risk detection during significant events, such as product launches, to prevent incidents like zero-day attacks.

For more information, please contact James Gong and Harry Qu.

SIGN UP TO OUR CONNECTED NEWSLETTER FOR A MONTHLY ROUND-UP FROM OUR REGULATORY & PUBLIC AFFAIRS TEAM

Latest insights

More Insights
Curiosity line green background

A Deep Dive into China’s Network ID Proposal

Nov 06 2024

Read More
mountain scape

European Union Artificial Intelligence Act Guide

Nov 06 2024

Read More

California’s AI bill vs. the EU AI Act: a cross-continental analysis of AI regulations

Nov 06 2024

Read More