December 15, 2025

China's Cybersecurity Incident Reporting Measures Come into Effect


The Cyberspace Administration of China (the "CAC") released the Measures on the Management of Cybersecurity Incident Reporting (the "Incident Reporting Measures") which came into force on 1 November 2025. The Measures provide a comprehensive framework for the classification, reporting, and management of cybersecurity incidents by network operators and critical information infrastructure operators ("CIIOs"). The primary reporting obligations relating to cybersecurity incidents are set out in the Cybersecurity Law ("CSL"), Data Security Law ("DSL"), Personal Information Protection Law ("PIPL"), and related regulations. The Incident Reporting Measures issued this year do not create new substantive obligations, but rather standardise and clarify the procedures, timelines, and content requirements for incident reporting. In this Legal Update, we discuss the key requirements set out in the Incident Reporting Measures, and their broader implications for businesses with a China nexus.

Key Reporting Obligations

Incident Classification and Risk Levels

The Measures introduce a detailed classification system that sorts cybersecurity incidents into four risk levels:

  • Particularly Major: Incidents causing widespread paralysis of critical systems (e.g., where the overall operation of a critical information infrastructure is disrupted for six hours or more, or its main functions are disrupted for 24 hours or more), loss of core data, important data or massive loss of personal information (e.g., loss of personal information of over 100 million individuals), severe threats to national security, social order, public interests or significant economic loss (e.g., direct economic loss of over RMB 100 million (approx. US$14 million)).
  • Major: Incidents causing serious system disruptions (e.g., the overall operation of critical information infrastructure is interrupted for one hour or more, or its main functions are disrupted for three hours or more), loss of core data, important data and large-scale loss of personal information (e.g., loss of personal information of over 10 million individuals), or significant threat to national security, social order, public interests or economic loss (e.g., direct economic loss of over RMB 20 million (approx. US$2.8 million)).
  • Relatively Major: Incidents with considerable disruption (e.g., the overall operation of critical information infrastructure is disrupted for 10 minutes or more, or its main functions are interrupted for 30 minutes or more), loss of important data or relatively large-scale loss of personal information (e.g., loss of personal information of over 1 million individuals), other relatively serious threats to national security, social order, public interests, or direct economic loss exceeding RMB 5 million (approx. US$700,000).
  • Ordinary: Incidents not meeting the above thresholds but still posing a definite threat to national security, social order, or economic activities or public interests.

Under the Incident Reporting Measures, a leak or theft of "important data" automatically elevates a cybersecurity incident to at least the "relatively major" level, while any incident involving the loss or theft of "core data" is deemed at least "major". These classifications trigger stricter reporting obligations and compressed timelines, reflecting the heightened national security and social stability risks associated with such datasets.

Reporting Timelines and Procedures

Reporting obligations and timelines vary by the type of organisation involved in the incident and by the severity of the incident:

  • CIIOs must report incidents at or above the "relatively major" level to the relevant department and public security bodies within one hour. For "major" or "particularly major" incidents, the relevant department must report to the national-level CAC and public security department within 30 minutes of receiving the report.
  • Other Network Operators must report incidents at or above the "relatively major" level to the provincial CAC within four hours. The provincial CAC must report "major" or "particularly major" incidents to the national-level CAC and other relevant departments within one hour of receiving the report.
  • The Incident Reporting Measures also set out the incident reporting obligations of central and state governmental departments.

Notably, the Incident Reporting Measures emphasise that organisations must comply with sector‑specific reporting obligations. As a result, even if some incidents fall below the reporting thresholds in the Incident Reporting Measures, they may still need to be reported under sectoral frameworks, reflecting concurrent duties beyond the general standards. 

Content of Incident Reports

The Incident Reporting Measures set out the information that network operators are required to provide in the incident reports, namely:

  1. The name of the organisation and details of the systems or infrastructures involved;
  2. Time, location, type, and severity level of the incident, the impact and harm, the remedial measures taken and their effect, and (for ransomware attacks) details of ransom demands including the date, ransom amount and payment method requested;
  3. Incident development trajectory and any possible further impact and harm;
  4. Preliminary analysis of cause(s) of the incident;
  5. Investigation findings relating to the source of the attack (e.g., attacker information, vulnerabilities);
  6. Further response measures and requests for assistance;
  7. Existing cybersecurity measures; and
  8. Any other relevant information.

If a cybersecurity incident's cause, impact, or development trajectory cannot be ascertained within the reporting deadline, network operators should report items 1 and 2 above first, and submit the remaining details promptly. If, after an initial incident report has been made, new significant developments arise or key investigation findings are obtained, the network operator should also make further reports.

Within 30 days of resolving an incident, network operators must conduct a comprehensive review covering root causes, response measures, impacts, accountability, remediation and lessons learnt, and submit the resulting report through the original reporting channels.

Managing Third-Party Service Providers

The Incident Reporting Measures also provide that network operators shall, by contract or other means, require vendors that provide cybersecurity, system operations and/or maintenance services to promptly report any cybersecurity incidents detected, and to assist network operators in reporting such incidents in accordance with the measures. Businesses that engage third‑party service providers should ensure contracts impose clear, enforceable obligations on vendors to promptly notify the business of any detected cybersecurity incidents and to assist with regulatory reporting, backed by defined timelines, escalation pathways, and audit rights.

Penalties for Non-Compliance

The Incident Reporting Measures have not set out specific penalties for non-compliance. The Measures specify that network operators that fail to report cybersecurity incidents may be penalised under applicable laws and regulations, including the CSL, DSL and PIPL.

Where a network operator delays, omits, falsifies, or conceals the reporting of a cybersecurity incident and such conduct results in serious harmful consequences, the network operator and the responsible persons shall be subject to heavier penalties in accordance with the law. If a network operator has taken reasonable and necessary protective measures, handled the matter in accordance with the emergency response plan, effectively mitigated the incident’s impact and harm, and promptly reported the incident in accordance with the Incident Reporting Measures, the relevant entity and personnel involved may be subject to a reduced penalty or be exempt from liability.

Takeaways

Network operators that establish or operate networks in China, or provide services via networks within China, should immediately strengthen their incident response readiness by: (i) maintaining up-to-date data and system inventories to assess severity thresholds quickly; (ii) identifying points of contact at the CAC and relevant regulators; (iii) preparing reporting templates that capture the prescribed particulars; and (iv) rehearsing rapid escalation procedures through regular tabletop exercises.

Companies with operations in China should finalise a clear incident response framework, and line up breach counsel and forensic experts in advance to meet the tight deadlines imposed by the Incident Reporting Measures.

The authors would like to thank Roslie Liu, Legal Practice Assistant at Mayer Brown Hong Kong LLP, for her assistance with this Legal Update.
