Understanding China's New Draft for Cybersecurity Incident Reporting Measures: A Practical Guide for Network Operators
On December 8, 2023, the Cyberspace Administration of China (CAC) introduced the Administrative Measures for the Reporting of Cybersecurity Incidents (Draft) (“Measures"). This significant draft, now open for public comment, mandates specific reporting requirements for network operators in the event of a cybersecurity incident. It clearly outlines the categories of incidents that must be reported, the information that must be included in those reports, and the consequences for failing to report. The Measures marks a critical enhancement in China’s approach to managing and mitigating cybersecurity risks.
1. Identifying the Key Subjects: to Whom Does the Measures Apply
The Measures specifically targets key subjects within the PRC’s jurisdiction that are responsible for network-related activities. In the event of an incident that jeopardizes network security, these subjects are obligated to report under the Measures. The primary subjects include:
Each of these Operators must promptly report any “cybersecurity incident", defined by the Measures as an event arising from human error, technical failure, natural disaster, or another similar cause that harms networks or information systems.
2. Reporting Procedure: How Should a Cybersecurity Incident Be Reported
The Measures requires Operators to follow specific reporting procedures that vary with the severity of the cybersecurity incident. Each category of incident demands a distinct reporting protocol, as outlined in the table below:
This structured approach ensures that the right level of urgency and rigor is applied to each incident, facilitating efficient and effective communication with relevant authorities.
3. Incident Classification: General, Relatively Severe, Severe, and Extremely Severe
In accordance with the attached Cybersecurity Incident Classification Guidelines to the Measures, cybersecurity incidents are categorized into four classes: General, Relatively Severe, Severe, and Extremely Severe. The classification of cybersecurity incidents is based on the incident’s scale and impact. This framework is designed to ensure a consistent and effective approach to managing and responding to varying levels of cybersecurity threats. To be specific:
4. Reporting Contents for Operators: Article 5 & Attachment of the Measures
According to Article 5 of the Measures and its attached Cybersecurity Incident Information Reporting Form, the following items shall be included in the report prepared by Operators:
If full details are not immediately available, the initial report should focus on the first two items, with a comprehensive report due within 24 hours. A thorough post-incident analysis covering response measures, impacts, and lessons learned must be compiled within five days of the relevant incident.
Service providers shall promptly notify Operators to report an incident when that incident is classified as Relatively Severe, Severe, or Extremely Severe. If Operators fail to report accordingly, service providers may elect to report directly to the appropriate cyberspace administrations. Additionally, social organizations and individuals are also encouraged to report Relatively Severe or higher-level cybersecurity incidents.
5. Penalties for Non-Compliance in Cybersecurity Reporting: A Look at Superior Laws
The Measures indicates that if reporting obligations are not observed, Operators will face the corresponding legal consequences prescribed by various superior laws. For specific penalties, the Measures refers mainly to the Cybersecurity Law (CSL), the Personal Information Protection Law (PIPL), and the Data Security Law (DSL), among others. The CSL, for instance, imposes warnings and fines for general non-compliance, with heftier fines for serious violations. The PIPL specifies fines and potential business suspension for severe breaches. The DSL likewise details fines and potential business suspensions, while the Regulations on the Security Protection of Critical Information Infrastructure impose fines for reporting failures, with increased penalties for repeated or grave offenses.
6. Compliance Strategies: Complying with New Measures with Enhanced Vigilance
Under the new Measures, Operators are required to follow specific protocols both in preventing and in responding to cybersecurity threats. The chart below details the key steps we recommend Operators take to align with the Measures’ objectives and to enhance their cybersecurity vigilance and responsiveness:
Conclusion
The Measures represents a pivotal step toward enhancing China’s cybersecurity framework. Aiming to reduce the repercussions of cybersecurity incidents and fortify national cyber defenses, it is designed to work in tandem with China’s existing legal frameworks such as the CSL, PIPL, and DSL. By establishing a unified reporting protocol, the Measures seeks to streamline the process of incident reporting, thereby improving the overall effectiveness of cybersecurity governance in the country. We will closely track the legislative process of this new Measures and update readers with further analysis upon its official release.