On 11 September 2025, the Cyberspace Administration of China released the Administrative Measures for the Reporting of National Cybersecurity Incidents (“Measures”). The Measures will come into effect on 1 November 2025.
1. Background
Recently, more and more companies have encountered issues such as unauthorized intrusions into their computer systems, theft of information, and disruptions to their services. For instance, hackers managed to break into a company’s computer network, stole customer information, and subsequently released it. This is a typical example of a cybersecurity incident that adversely affects both the company and its customers. Given the increasing frequency and impact of such incidents, it is crucial for companies and regulatory authorities to have clear guidelines and legal frameworks in place to address them.
The introduction of the Measures is essential for refining and implementing the provisions concerning cybersecurity incidents report in higher-level laws such as the Cybersecurity Law of the People's Republic of China (“CSL”), the Data Security Law of the People's Republic of China (“DSL”) and the Personal Information Protection Law of the People's Republic of China (“PIPL”). For example, Article 25 of the CSL explicitly stipulates that when a cybersecurity incident occurs, network operators shall immediately activate their emergency response plans, take appropriate remedial actions and report the incident to the relevant competent authorities.
The Measures, as a specialized regulation, systematically define the specific requirements, procedures and responsibilities regarding reporting cybersecurity incidents, thereby filling a gap in operational guidance for the implementation of laws for all industries.
2. What are cybersecurity incidents?
Article 12 of the Measures defines a cybersecurity incident as an event that causes harm to a network, information system, or its data and business application due to human factors, cyberattacks, vulnerabilities, software or hardware defects or malfunctions, force majeure, or other causes, resulting in adverse impacts on the state, society or the economy. This means the threshold for identifying a cybersecurity incident depends on whether it causes damage to national security, social order, economic construction or public interests. Personal cybersecurity issues such as cyber fraud are not within the scope of mandatory reporting.
3. Who shall report cybersecurity incidents?
The reporting subjects under the Measures follow the principle of territorial jurisdiction. The network operators that construct, operate networks or provide services via networks within China are all subject to the Measures. It should be noted that if a company entrusts a third party to provide services such as cybersecurity operations and maintenance for its network operations, the primary obligation to report cybersecurity incidents remains with the entrusting party, i.e. the company, while the entrusted party is only responsible for reporting the discovered cybersecurity incidents to the entrusting party and assisting the entrusting party in completing the report to the authorities, according to Article 5 of the Measures.
4. Which cybersecurity incidents need to be reported?
The Measures were released with the Guidelines for Cybersecurity Incident Classification (“Guidelines”). The Guidelines classify cybersecurity incidents into four levels: Particularly Major, Major, Significant and General. The classification is based on the severity of impact on the affected entities, the extent of business losses and the degree of social harm. This tiered classification system aims to adopt different reporting measures according to the severity and impact scope of an incident. When a network operator discovers or becomes aware of a cybersecurity incident involving its own company, it shall conduct an initial own assessment in accordance with the Guidelines. Any incident classified as the level of “Significant” or above must be reported.
5. What are the time limits and procedures for reporting cybersecurity incidents?
The Measures establish differentiated time limits depending on the type of network operators. Further, network operators are not only required to submit an initial report upon discovering or becoming aware of a cybersecurity incident but also submit a post-incident report after the incident has been resolved.
– Time limits
Generally, as a non-critical information infrastructure operator, a company must report to the provincial-level cyberspace administration authority in its jurisdiction within four hours. However, if a company is a network operator managing critical information infrastructure, it must report to the authorities responsible for its protection and public security authorities within one hour.
– Report on discovering a cybersecurity incident
According to Article 7 of the Measures, the content of the report must include:
• Name of the involved company and basic information about the relevant systems or facilities;
• Basic details (e.g. time, place, type and level, etc.) of the cybersecurity incident;
• Development trend and impact of the incident;
• Preliminary analysis of the cause;
• Clues for traceability investigations;
• Proposed response measures; and
• Preservation of the scene of the incident.
Where important new circumstances arise after a cybersecurity incident report has been submitted, or where a milestone in the investigation is reached, the entity involved shall promptly report such information.
– Post-incident report
Besides the initial report, Article 8 of the Measures also stipulates that after the conclusion of a cybersecurity incident, the network operator must formulate a comprehensive summary report within 30 days. The content of this report shall cover the cause of the incident, emergency response measures taken, resulting damages, accountability, corrective actions, lessons learned, etc. This summary report must then be submitted through the original reporting channel.
6. What are the channels for reporting cybersecurity incidents?
Based on Article 9 of the Measures and the answers from officers of the Cyberspace Administration of China in the press, the following public reporting channels are currently available:
• Telephone: 12387
• Website: 12387.cert.org.cn
• WeChat mini program: 12387
• WeChat official account: National Internet Emergency Center (“国家互联网应急中心CNCERT”)
• Email: 12387@cert.org.cn
• Fax: 010-82992387
7. What are the legal liabilities for failure to report cybersecurity incidents?
The Measures do not specify concrete penalty provisions. If a network operator fails to report a cybersecurity incident, the relevant competent authorities shall impose penalties in accordance with applicable laws and administrative regulations including CSL, DSL and PIPL, etc.
Besides, the Measures adopt a balanced approach of rewards and penalties. If any delay, omission, false reporting or withholding of information in the reporting of cybersecurity incidents by network operators results in major adverse consequences, severe penalties shall be imposed on the network operators and relevant responsible persons. However, for operators who have taken reasonable protective measures to effectively mitigate the impact and harm and reported the incident promptly after an incident occurs, liability may be mitigated or waived depending on the circumstances. This provision aims to encourage companies to actively fulfill their reporting obligations, cooperate proactively in incident response and jointly safeguard the cybersecurity environment.
In summary, the introduction of the Measures establishes a clear reporting framework for cybersecurity incidents and provides companies with explicit guidance. Before the implementation of the Measures in November this year, all companies are highly recommended to promptly develop cybersecurity incident emergency response plans and conduct corresponding training. In the event of a cybersecurity incident, companies must ensure that they can accurately classify the incident in accordance with the Measures and Guidelines as well as effectively fulfill their reporting and other obligations.
