China's New Cybersecurity Incident Reporting Rules: A Compliance Guide
The Cyberspace Administration of China (“CAC”) promulgated the Measures for the Administration of National Cybersecurity Incident Reporting (《国家网络安全事件报告管理办法》, the “Incident Reporting Measures”) on September 11, 2025, in an effort to strengthen the country's cybersecurity regulatory framework. These Incident Reporting Measures, which took effect on November 1, 2025, establish clear and mandatory reporting obligations for “network operators” when cybersecurity incidents reach certain thresholds. Against the backdrop of increasingly sophisticated cyber threats, including persistent attacks by Advanced Persistent Threat (“APT”) groups and frequent data breaches, the new rules underscore the Chinese government's heightened focus on systemic risk monitoring, timely incident disclosure, and coordinated emergency response.
This article provides a targeted overview of the Incident Reporting Measures, outlining critical aspects such as the scope of application, incident grading criteria, statutory reporting timelines and channels, required content of incident reports, and potential liability for non-compliance. It highlights practical compliance steps that enterprises operating in China, including foreign-invested entities, should take. By establishing robust internal monitoring, response, and reporting mechanisms, and by extending related obligations to third-party service providers through contracts, companies can comply with the new rules and thereby mitigate legal, financial, and reputational risks.
Background of Promulgation
The Cybersecurity Law of the PRC (《中华人民共和国网络安全法》), enacted on November 7, 2016, provides under Article 51 and related provisions for the establishment of a national cybersecurity monitoring, early warning, and information reporting system; the newly issued Incident Reporting Measures are a concrete implementation and refinement of those principles. The CAC is tasked with overall planning and coordination among competent authorities to enhance the collection, analysis, and reporting of cybersecurity information, as well as the release of monitoring and warning information in accordance with relevant regulations.
As Deputy Chief Engineer Yan Hanbing of the National Computer Network Emergency Response Technical Team/Coordination Center of China remarked upon the release of the Incident Reporting Measures, in recent years, cyberattacks have become increasingly sophisticated, posing growing challenges to China's cybersecurity landscape. APT groups have persistently launched assaults against key Chinese institutions, with growing magnitude and recurrence. Additionally, frequent data breaches have resulted in significant harm.
These events highlight the critical importance of cybersecurity at the national level. Amid rising international instability, cybersecurity has become an increasingly crucial domain of strategic competition. The issuance of the Incident Reporting Measures by the CAC signifies the formal establishment and enhancement of a structured cybersecurity incident reporting regime, reflecting the Chinese government's stepped-up efforts and heightened vigilance in this field.
Scope of Applicability
Article 2 of the Incident Reporting Measures provides that “network operators” that construct or operate networks, or provide services through networks, within the territory of the People's Republic of China shall report cybersecurity incidents in accordance with the Incident Reporting Measures when such incidents occur.
Pursuant to Article 12 of the Incident Reporting Measures, the term “network operator” refers to the owner or manager of a network, or a network service provider. Given that the term “network” is broadly defined under the Cybersecurity Law of the PRC as any system comprising computers or other information terminals and related equipment that collects, stores, transmits, exchanges, or processes information according to specific rules and procedures, a wide range of enterprises that operate such networks are likely to be deemed “network operators” under the Incident Reporting Measures, irrespective of their industry sector.
Incident Grading and Thresholds
Under Article 12 of the Incident Reporting Measures, a “cybersecurity incident” refers to an event caused by human factors, network attacks, network vulnerabilities or hidden dangers, software or hardware defects or failures, force majeure, or other factors, which causes harm to networks and information systems or to the data and business applications therein, and has adverse impacts on the nation, the society, or the economy. In view of the broad scope of this definition, the Incident Reporting Measures establish a tiered reporting system that tailors reporting obligations and routes based on both the severity of the incident and the classification of the network operator involved.
Notably, the Incident Reporting Measures explicitly adopt the grading framework set out in the recommended national standard Information Security Technology—Guidance for Cybersecurity Incident Classification and Grading (GB/T 20986-2023) (《信息安全技术 网络安全事件分类分级指南》).
Under this system, cybersecurity incidents are classified into four levels:
(1) Especially Major Cybersecurity Incident;
(2) Major Cybersecurity Incident;
(3) Relatively Significant Cybersecurity Incident; and
(4) General Cybersecurity Incident.
Among these, the critical threshold is the “relatively significant” level: only incidents classified at this level or above trigger the reporting obligations under the Incident Reporting Measures, while “General Cybersecurity Incidents” do not.
Of the criteria set forth in the Incident Reporting Measures for classifying an incident as “relatively significant,” the following are most relevant to general enterprises (i.e., those not affiliated with the Chinese government and not classified as Critical Information Infrastructure Operators):
(1) Disruption of water, electricity, gas, oil, heating, transportation, medical care, shopping, or other essential services affecting the work or daily life of over 30% of the population in one or more prefecture-level administrative regions, or more than 100,000 people;
(2) Leakage or theft of important data that poses a relatively serious threat to national security and social stability;
(3) Leakage of personal information of more than 1 million citizens;
(4) Direct economic losses exceeding CNY 5 million.
In addition to the general reporting obligations, the Incident Reporting Measures specify that where sector-specific regulations impose additional reporting requirements (e.g., in the securities and futures industry or for medical institutions), network operators within those sectors must also comply with the relevant rules. Furthermore, if an incident is suspected to involve a criminal offence, the network operator must promptly report the incident to the public security authorities.
Reporting Routes and Timeline Requirements
Where a cybersecurity incident meets the threshold of a “relatively significant” incident or any higher level, the network operator involved is obligated to report it in accordance with the Incident Reporting Measures.
For incidents not involving Critical Information Infrastructure, and where the network operator is not a department or directly affiliated unit of the central or state organs, the operator must promptly report the incident to the provincial-level cyberspace administration department where it is located, and in any case no later than four hours after the incident is discovered. Because the clock runs from discovery, the time at which an incident was first detected should be recorded and preserved.
Content of the Report
Under Article 7 of the Incident Reporting Measures, when reporting a cybersecurity incident, the following information shall be included:
(1) The name of the entity involved and basic information concerning the affected system or facility;
(2) The time, location, type, and level of the incident, its impact and harm, measures taken and their effectiveness; for ransomware attacks, the demanded ransom amount, payment method, and deadline must also be reported;
(3) The incident's development trend and potential further impact and harm;
(4) Preliminary analysis of the cause of the cybersecurity incident;
(5) Clues for investigation, including but not limited to potential attacker information, attack paths, and existing vulnerabilities;
(6) Proposed further response measures and requests for support;
(7) The status of on-site protective measures taken;
(8) Other relevant information that should be reported.
Recognizing that certain details, such as incident trends, causes, and investigative clues, may be difficult to ascertain fully within the initial reporting window, the Incident Reporting Measures allow operators to first report the key information required under items (1) and (2) and to supplement the report in a timely manner with the remaining details as they become known.
Importantly, Article 5 of the Incident Reporting Measures also requires network operators to contractually obligate third-party organizations or individuals providing cybersecurity, system operation and maintenance, or other services to promptly report detected cybersecurity incidents to them, and to assist them in fulfilling reporting obligations under the Incident Reporting Measures.
Another noteworthy reporting obligation under the Incident Reporting Measures is that, after the handling of a cybersecurity incident is concluded, the network operator shall, within 30 days, conduct a comprehensive analysis and summarize the causes of the incident, emergency response measures, harm caused, accountability, rectification and improvement, lessons learned, etc., and submit the resulting summary report through the original reporting channel.
Liabilities and Mitigating Factors
The Incident Reporting Measures do not specify detailed penalties for non-compliance; they instead stipulate that punishment shall be administered by the relevant competent authorities in accordance with applicable laws and administrative regulations. They also state that if a network operator's delayed or false reporting, omission in reporting, or concealment of a cybersecurity incident leads to severe consequences, both the operator and the relevant persons in charge may face heavier penalties in accordance with the law.
Where an incident involves personal information, the Personal Information Protection Law of the PRC (《中华人民共和国个人信息保护法》) (“PIPL”) is a key governing statute, and a failure to report such an incident as required may also constitute a violation of the PIPL. Such breaches could then lead to severe penalties under the PIPL, which may include fines of up to CNY 50 million or 5% of the offender's annual turnover, administrative warnings, compulsory business suspension for rectification, or revocation of the business license. Individuals responsible for the compliance failure may also face personal fines and, in serious cases, may be prohibited for a specified period from holding positions such as director, supervisor, senior executive, or Personal Information Protection Officer in any relevant enterprise.
Article 11 of the Incident Reporting Measures sets out a potential mitigating circumstance: where a network operator (i) has taken reasonable and necessary protective measures, (ii) handled the incident in accordance with its emergency response plan, (iii) effectively reduced the impact and harm of the incident, and (iv) reported the incident in a timely manner as required, the relevant entities and personnel may, depending on the circumstances, receive a lighter punishment and potentially be exempt from liability.
Key Takeaways
The mandatory reporting obligations have been in effect since November 1, 2025. We recommend that companies take the following structured approach:
(1) Immediate Action: Conduct a gap analysis of existing cybersecurity protocols against the requirements of the Incident Reporting Measures. Establish or refine internal policies for incident monitoring, classification, and escalation to ensure that incidents can be identified and reported within the statutory timeframe.
(2) System and Documentation Enhancement: Develop and implement clear internal reporting workflows and templates that capture all information mandated by the Incident Reporting Measures. Maintain comprehensive, time-synchronized audit logs: they establish when an incident was discovered (the start of the four-hour reporting window), supply the facts needed to grade the incident (affected systems, number of individuals whose personal information was exposed, estimated losses), and serve as evidence of compliance efforts.
(3) Third-Party Risk Management: Proactively review contracts with all vendors providing cybersecurity, system operation and maintenance, or other related services. Ensure these agreements explicitly require the service providers to promptly report detected incidents and to assist in fulfilling formal reporting duties under the Incident Reporting Measures.
(4) Training and Preparedness: Organize training sessions for relevant staff, including the technical and legal/compliance teams, to ensure a coordinated and legally defensible response when an incident occurs. Conducting simulated exercises for a major cybersecurity breach can be highly effective in testing and refining these procedures.
The Incident Reporting Measures represent a decisive move by Chinese regulators towards a more rigorous and enforceable cybersecurity incident reporting regime. By taking proactive steps, enterprises can go beyond compliance to significantly strengthen their overall cybersecurity resilience, thereby mitigating legal, financial, and reputational risks in an increasingly challenging threat landscape.