China Releases Measures for Cybersecurity Incident Reporting
- Rose Li, XL Law & Consulting

- Jan 29
On September 11, 2025, the Cyberspace Administration of China released the Measures for Cybersecurity Incident Reporting, which clarify the specific requirements for network operators regarding cybersecurity incident reporting.
The Measures require network operators to report certain incidents within one to four hours, depending on the type of entity involved.
On September 11, 2025, the Cyberspace Administration of China (“CAC”) released the Measures for Cybersecurity Incident Reporting (“Measures”), which came into effect on November 1, 2025. Currently, the three PRC laws governing data compliance—the PRC Cybersecurity Law (“CSL”), the PRC Data Security Law, and the PRC Personal Information Protection Law—all stipulate that responsible entities must report security incidents (e.g., cybersecurity incidents, data security incidents, or personal information leaks, tampering, or loss) to the relevant authorities. Article 25 of the CSL explicitly requires network operators to report cybersecurity incidents to the relevant authorities. The Measures clarify the specific requirements for network operators regarding cybersecurity incident reporting.
Cybersecurity Incident
A “cybersecurity incident” is defined as an event that causes harm to networks and information systems or the data and business applications therein, due to human factors, network attacks, network vulnerabilities, software and hardware defects or failures, force majeure or other factors, and has a negative impact on the state, society or economy.
The Measures do not require reporting of all cybersecurity incidents. Only the following incidents are subject to mandatory reporting:
| | Particularly Major Incident | Major Incident | Relatively Major Incident |
|---|---|---|---|
| Criteria | 1. Critical networks and information systems suffer exceptionally severe system failures, resulting in widespread system paralysis and loss of operational capabilities; 2. Loss, theft, tampering or counterfeiting of core data, important data or massive amounts of citizens' personal information, posing an exceptionally severe threat to national security and social stability; or 3. Other cybersecurity incidents that pose an exceptionally severe threat to national security, social order, economic development or public interests, or cause exceptionally severe impacts. | 1. Critical networks and information systems suffer severe system failures, resulting in prolonged system outages or partial paralysis that significantly impair operational capabilities; 2. Loss, theft, tampering or counterfeiting of core data, important data or massive amounts of citizens' personal information, posing a severe threat to national security and social stability; or 3. Other cybersecurity incidents that pose a severe threat to national security, social order, economic development or public interests, or cause severe impacts. | 1. Critical networks and information systems suffer significant system failures, resulting in system outages that markedly impair system efficiency and impact operational capabilities; 2. Loss, theft, tampering or counterfeiting of important data or relatively massive amounts of citizens' personal information, posing a relatively severe threat to national security and social stability; or 3. Other cybersecurity incidents that pose a relatively severe threat to national security, social order, economic development or public interests, or cause relatively severe impacts. |
| Examples | 1. Leakage, theft, tampering or counterfeiting of core data or important data, posing an exceptionally severe threat to national security and social stability; 2. Leakage of personal information of 100,000,000 citizens or more; 3. Causing direct economic losses of RMB 100,000,000 or more; or 4. Other cybersecurity incidents that pose an exceptionally severe threat to national security, social order, economic development or public interests, or cause exceptionally severe impacts. | 1. Leakage, theft, tampering or counterfeiting of core data or important data, posing a severe threat to national security and social stability; 2. Leakage of personal information of 10,000,000 citizens or more; 3. Causing direct economic losses exceeding RMB 20,000,000; or 4. Other cybersecurity incidents that pose a severe threat to national security, social order, economic development or public interests, or cause severe impacts. | 1. Leakage, theft, tampering or counterfeiting of important data that pose a relatively major threat to national security and social stability; 2. Leakage of personal information of 1,000,000 citizens or more; 3. Causing direct economic losses exceeding RMB 5,000,000; or 4. Other cybersecurity incidents that pose a relatively severe threat to national security, social order, economic development or public interests, or cause relatively severe impacts. |
Reporting Timelines
Incidents subject to mandatory reporting must be reported within the following timelines:

| Entity | Regulatory Authority | Reporting Timeline |
|---|---|---|
| Critical Information Infrastructure (CII) Operators | Local public security authority and central CAC and public security authority | One hour (for reporting to local public security authority); half an hour (for reporting to central CAC and public security authority) |
| Central Government Agencies | Internal cybersecurity department | Two hours |
| Other Network Operators | Central CAC | Four hours |
What To Report
Network operators are required to report the following:
- Name of the entity involved and basic information about the systems or facilities;
- Time, location, type, and severity level of the cybersecurity incident upon discovery or occurrence, along with its impact and harm, measures taken and their effectiveness; for ransomware attacks, this should also include the ransom amount demanded, payment method, and date;
- Trends in the development of the situation and potential further impact and harm;
- Preliminary analysis of the cause of the cybersecurity incident;
- Clues for traceability investigations, including but not limited to possible attacker information, attack paths, and existing vulnerabilities;
- Proposed further response measures and requests for assistance;
- Status of on-site protection for the cybersecurity incident; and
- Any other circumstances required to be reported by the CAC.
Reporting Channel
The Measures provide six channels for reporting: 12387 hotline, website (https://12387.cert.org.cn/), WeChat Mini Program (12387), WeChat Official Account (CNCERTCC), email (12387@cert.org.cn), and fax (010-82992387).
Implications for U.S. Higher Education Institutions
All network operators that build, operate or provide services through networks in the PRC must comply with these measures. U.S. higher education institutions that provide services via networks to individuals in the PRC that meet the above thresholds are subject to reporting obligations. The following measures are recommended:
- Map systems and data flows to identify high-risk areas;
- Develop or update incident response policies to ensure compliance with the 4-hour reporting timeline; and
- Review and revise vendor and third-party contracts to require organizations or individuals providing cybersecurity, system operation and maintenance, or similar services to promptly report any cybersecurity incidents detected through monitoring and assist in reporting such incidents in accordance with the Measures.




