The Cyberspace Administration of China (“CAC”) has recently published the Administrative Measures for Network Security Incident Reporting (“Measures”), which provide further guidance on when and how to report network security incidents under existing laws such as the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. The Measures will take effect on 1 November 2025.
Under the Measures, a network security incident refers to an event that causes harm to networks, information systems, or the data and business applications within them, which may arise from human factors, cyberattacks, network vulnerabilities, software/hardware defects or failures, or force majeure and result in negative impacts on the nation, society, and economy.
Any network operator establishing, operating or providing services via networks within China’s territory must report and handle a network security incident in accordance with the steps set out below:
Step 1: Classifying the incident
The Measures classify incidents as particularly significant incidents, significant incidents, major incidents or general incidents. The following factors should be considered when classifying incidents:
- System outages, malfunctions or loss of service capabilities in important systems or critical networks;
- Number of individuals whose personal data is affected;
- Scale of important data affected;
- Economic loss; and
- Other harms and threats to national security, public interests or social stability.
The Measures provide some examples of each type of incident, but the list is not exhaustive. For example, the following incidents would be classified as major incidents:
- a complete outage of critical information infrastructure lasting over 10 minutes, or disruption to its primary functions lasting over 30 minutes;
- an incident impacting over 30% of the population in one or more prefecture-level administrative regions, or disrupting the daily lives and work of over 100,000 people in areas such as water supply, electricity, gas, heating, transportation, medical care or shopping;
- a leakage of personal data affecting over one million citizens;
- an incident resulting in direct economic losses exceeding 5 million RMB; or
- an attack on a company’s official website resulting in illegal content being shared over 1,000 times on social media platforms or receiving over 10,000 views or clicks.
Step 2: Reporting the incident
The Measures set out the processes for reporting a major incident or an incident of a more severe level of classification (i.e. a particularly significant incident or a significant incident).
The network operator must report such an incident to the CAC at the provincial level within four hours of becoming aware of it. If the network operator is a department of the central or state authorities, or one of their directly affiliated units, the report must be made within two hours. If the incident affects critical information infrastructure, the report must be made within one hour.
If suspected cyber crimes are involved, a report must also be made promptly to the local police. If there are special sectoral rules regarding incident reporting, these must also be complied with.
At least the following items must be reported:
- Name of the network operator and basic information about the affected system or facility;
- Time, location, type, and severity level of the incident upon discovery or occurrence, along with its impact and harm, the measures taken and their effectiveness; for ransomware attacks, this should also include the ransom amount demanded, payment method, and date;
- Projected development of the situation and potential further impacts and harms;
- Preliminary analysis of the cause of the incident;
- Clues for attribution investigations, including but not limited to information about potential attackers, attack paths and existing vulnerabilities;
- Proposed further response measures and requests for assistance; and
- Status of on-site preservation of evidence related to the incident.
For incidents where the cause, impact or development trends cannot be determined within the specified timeframe, the first two items may be reported initially, with additional details provided promptly. If significant new developments arise during the investigation after an incident report has been submitted, the network operator shall promptly report any relevant updates.
Reports should be made via the 12387 incident reporting hotline, the dedicated website, the WeChat mini program and public account, or the email address or fax number designated by the CAC.
The Measures do not specify how general incidents should be reported. However, this does not affect network operators’ obligations under other applicable laws to report all incidents (including general incidents).
Step 3: Reporting how the incident is resolved
Once the incident has been resolved, the network operator must conduct a comprehensive analysis and summary of the causes of the incident, the emergency response measures taken, the resulting harm, accountability, the corrective actions taken and the lessons learned. This must be completed within thirty days. This report must be compiled and submitted via the original reporting channels.
The Measures do not introduce any new penalties. Instead, they state that, where a network operator fails to report an incident as required, the authorities may impose penalties in accordance with applicable data protection and cybersecurity laws. If a network operator’s delayed reporting, failure to report, false reporting or concealment of an incident results in significant harmful consequences, the authorities may impose more severe penalties on the network operator and the responsible persons, within the scope prescribed by the applicable laws.
Recommendations:
It is recommended that network operators with systems in China, or who process data in connection with their business in China, establish internal guidance for classifying incidents and update their existing data incident response policies to reflect the new requirements of the Measures within the next few weeks.
They should also include robust contractual clauses with IT vendors and service providers to request that they monitor network incidents and provide the necessary assistance when required.
According to the Measures, if a network operator implements reasonable and necessary protective measures, handles an incident according to the emergency response plan, effectively mitigates the impact and harm of a cybersecurity incident and reports the incident in a timely manner in accordance with the Measures, the authorities may impose lighter penalties within the scope prescribed by the applicable laws or exempt the network operator and responsible persons from liability.
While this may incentivize the reporting of even general incidents (i.e. the ones less severe than major, significant and particularly significant incidents), network operators should also consider other factors before reporting. For example, the authorities may investigate the network operators’ overall data compliance status and ask questions such as whether the mandatory multi-level cybersecurity protection scheme (MLPS) requirements have been implemented, whether all compliance actions have been taken to legitimize cross-border data transfers and whether all data subjects’ consent has been obtained. Therefore, despite the very tight timeline, a careful internal assessment should be conducted before the report is submitted.