New Cybersecurity Incident Reporting Measures in China: Critical Compliance Updates for Businesses

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Tanya Luo

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, and telecommunications.

On 11 September 2025, the Cyberspace Administration of China (CAC) issued the National Cybersecurity Incident Reporting Management Measures (the “Measures”), which will come into effect on 1 November 2025. These new regulations establish clear cybersecurity incident reporting obligations for all network operators within China's territory, marking a further improvement in China's cybersecurity regulatory framework.

 

BACKGROUND

Whilst existing laws including the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL) already impose reporting obligations for cybersecurity incidents, data security incidents, and personal information breaches respectively, these laws lacked unified reporting procedures, standardised classification criteria, and centralised reporting channels. The absence of clear procedural guidance has created compliance uncertainties for organisations operating in China's digital landscape.

The Measures build upon the foundation established by the 2023 national standard "Information Security Technology - Guidelines for Classification of Cybersecurity Incidents" (GB/T 20986-2023), which provided technical specifications for incident classification. Following public consultation on a draft regulation in 2023, the CAC has now finalised these comprehensive reporting requirements that harmonise existing legal obligations whilst establishing practical implementation mechanisms for cybersecurity incident management across all sectors.

 

KEY PROVISIONS AND OBSERVATIONS

1. SCOPE OF APPLICATION AND REGULATORY FRAMEWORK

The Measures apply to all network operators within China, adopting the definition of "network operator" under the CSL, which includes network owners, administrators, and network service providers.

The regulatory framework adopts a tiered management approach:

  • The national cyberspace administration coordinates national cybersecurity incident reporting management
  • Provincial cyberspace administrations coordinate relevant work within their administrative regions

2. INCIDENT CLASSIFICATION

The Measures establish a four-tier cybersecurity incident classification system with specific quantitative thresholds. 

Each tier also encompasses incidents involving core data, important data breaches, or other circumstances that pose corresponding levels of threat to national security and social stability. The table below provides a concise overview of the key thresholds, whilst the Measures contain more detailed classification criteria.

| Classification Level | System Impact | Data Breach Threshold | Economic Loss Threshold |
| --- | --- | --- | --- |
| Particularly Serious | Large-scale system paralysis, complete loss of business processing capability | ≥ 100 million citizens' personal information | ≥ RMB 100 million |
| Serious | Prolonged system interruption or partial paralysis, greatly affected business processing | ≥ 10 million citizens' personal information | ≥ RMB 20 million |
| Major | System interruption with noticeably reduced efficiency, affected business processing | ≥ 1 million citizens' personal information | ≥ RMB 5 million |
| General | Other incidents posing certain threats to national security, social order, economic development, or public interests | Below major thresholds | Below major thresholds |

3. REPORTING PROCEDURES AND REPORTING TIMEFRAMES

The Measures stipulate the following procedures for reporting incidents categorised as major and above. Note that the timeframes specified below commence from the time when the network operator discovers or becomes aware of the cybersecurity incident.

| Nature of the Incident | Initial Reporting Authority | Timeframe | Authority's Escalation Timeframe |
| --- | --- | --- | --- |
| Incident involves critical information infrastructure | Protection authorities and public security authorities | Within 1 hour | For serious/particularly serious incidents: immediately, no later than 30 minutes to the national cyberspace authority and the public security authority under the State Council |
| Network operator is a central or state authority or its directly affiliated entity | Cyberspace work body of the relevant agency | Within 2 hours | For serious/particularly serious incidents: immediately, no later than 1 hour to the national cyberspace authority |
| Other network operators | Provincial-level cyberspace authorities of their locality | Within 4 hours | For serious/particularly serious incidents: immediately, no later than 1 hour to the national cyberspace authority, and shall simultaneously notify relevant authorities at the corresponding level |

Additional Requirements:

  • Industry-specific reporting requirements must also be followed where applicable
  • Suspected illegal or criminal activities must be promptly reported to public security authorities

4. REPORTING CONTENT REQUIREMENTS

Cybersecurity incident reports must include the following core information:

  1. Name of affected organisation and basic information about affected systems

  2. Time and place of discovery or occurrence of the cybersecurity incident, type and level of the incident, the impact and harm caused, and the measures taken and their effectiveness; for ransomware attacks, information such as the demanded ransom amount, payment method, and date shall also be included

  3. Development trends and potential further impacts

  4. Preliminary analysis of incident causes

  5. Investigation leads for source tracing

  6. Proposed response measures

  7. Scene protection status

  8. Other relevant circumstances

Where incident details cannot be determined within the prescribed timeframes, operators may initially report the information outlined in items 1 and 2 above and report the remaining information subsequently in a timely manner. Within 30 days of incident resolution, operators must submit a comprehensive post-incident analysis report through the original reporting channel. This report must include a comprehensive analysis of: (i) the incident causes; (ii) emergency response measures taken; (iii) harm and damages caused; (iv) accountability and responsibility determinations; (v) rectification and improvement measures implemented; and (vi) lessons learned from the incident.

5. LEGAL LIABILITIES

The Measures outline legal consequences for violations:

  • Failure to report as required will result in penalties from relevant authorities
  • Late reporting, omissions, false reporting, or concealment causing serious harmful consequences will result in severe penalties
  • Exemption conditions are also specified: taking reasonable protective measures, responding according to emergency plans, and timely reporting may result in lenient treatment or exemption from liability 

6. COMPLIANCE RECOMMENDATIONS

Network operators in China are advised to establish incident detection and classification capabilities to identify cybersecurity events according to the four-tier system, implement 24-hour monitoring systems, and designate responsible personnel with clear reporting authority. Organisations must develop internal reporting procedures that meet the strict timeframes—ranging from one to four hours depending on incident severity and organisational type—and ensure all reports contain the eight mandatory content elements specified in the Measures.

The Measures also require network operators to establish contractual obligations requiring their cybersecurity service providers and system maintenance vendors to promptly report discovered incidents and to assist with reporting such incidents according to the Measures.

7. REPORTING CHANNELS AND MECHANISMS

The CAC has established six comprehensive reporting channels to facilitate compliance with the Measures. Network operators, social organisations, and individuals can report cybersecurity incidents through any of the following channels:

  1. Hotline Telephone: Dial the 12387 cybersecurity incident reporting hotline and follow voice prompts for reporting.

  2. Website: Access the 12387 cybersecurity incident reporting platform at: https://12387.cert.org.cn.

  3. WeChat Mini-Program: Search for the "12387" mini-program on WeChat, enter the homepage and click "Incident Reporting".

  4. WeChat Official Account: Follow the "National Internet Emergency Response Centre CNCERT" (国家互联网应急中心CNCERT) WeChat official account and click "Incident Reporting".

  5. Email: Send reports to 12387@cert.org.cn

  6. Fax: Send fax reports to 010-82992387

     

OUR RECOMMENDATIONS

The implementation of the Measures will further standardise cybersecurity incident reporting management and improve the nation's cybersecurity incident emergency response framework. Organisations should attach great importance to this development and promptly adjust internal systems and processes to ensure compliant operations. Early preparation and systematic implementation of the required reporting mechanisms will be essential for maintaining regulatory compliance in China's evolving cybersecurity landscape.
