China’s CAC Announces New Cybersecurity Incident Reporting Measures
Key points
- Who is covered: All network operators (including critical information infrastructure operators (CIIOs) and state organs) that build, operate, or provide services through networks within the People’s Republic of China (PRC).
- Cybersecurity incidents covered: The proposed cybersecurity incident notification regime extends to incidents that “cause harm to the network, information system or the data and business applications…and have a negative impact on the country, society, and economy.” Accordingly, the Measures appear more limited in their application, particularly in comparison to recent regulatory updates (see the reporting requirements recently introduced under the Network Data Security Management Regulations), as they are confined to those incidents that negatively impact the PRC’s public interest, as opposed to just any security incident that a network operator or CIIO may suffer.
- Reporting obligations: The in-scope cybersecurity incidents must be reported to the relevant PRC authorities within four hours (in the case of network operators) or within one hour (in the case of CIIOs), respectively. While the Measures and Guidelines remain silent on this point, the reporting timeline is likely calculated from when the relevant network operator becomes aware of the cybersecurity incident, consistent with previous guidance issued by the CAC.
Classification of Cybersecurity Incidents
The Guidelines on Cybersecurity Incident Classification (the Guidelines), appended to the Measures, categorize incidents based on their severity and impact into four levels: particularly major; major; relatively major; and general cybersecurity incidents. The Guidelines provide both qualitative and quantitative thresholds in defining each of these levels, as set out below. Importantly, if any one threshold for a level is met, the incident is classified at the highest level whose threshold has been met, i.e., the thresholds for each incident level should be read independently, rather than cumulatively.
The subtle distinctions between the levels of cybersecurity incidents are in bold for reference. Cells in the General column are blank where the Guidelines set no specific threshold for that level.

| Key Thresholds | Particularly Major | Major | Relatively Major | General |
|---|---|---|---|---|
| Impact | Important networks and information systems suffer **particularly serious** system losses, resulting in **large-scale system paralysis and loss of business processing capabilities**; or other incidents posing a **particularly serious** threat or impact on national security, social order, economic construction, and public interests. | Important networks and information systems suffer **serious** system losses, resulting in **long-term system interruption or partial paralysis, greatly affecting business processing capabilities**; or other incidents posing a serious threat or impact on national security, social order, economic construction, and public interests (see thresholds in the rows below). | Important networks and information systems suffer **large** system losses, causing **system interruption, significantly affecting system efficiency and business processing capabilities**; or other incidents posing a serious threat or impact on national security, social order, economic construction, and public interests (see thresholds in the rows below). | Other cybersecurity incidents that pose a certain threat or cause a certain impact on national security, social order, economic construction, and public interests, but do not meet the thresholds of the higher categories in the preceding columns. |
| Data leaked | Core data, important data, and **widespread** citizens’ personal information are leaked, posing a **particularly serious** threat to national security and social stability. | Core data, important data, and **a large number of** citizens’ personal information are leaked, posing a serious threat to national security and social stability. | **Important data** and **a relatively large number of** citizens’ personal information are leaked, posing a serious threat to national security and social stability. | |
| Personal information leaked | More than **100 million** citizens. | More than **10 million** citizens. | More than **1 million** citizens. | |
| Direct economic loss caused by the incident | More than **RMB 100 million**. | More than **RMB 20 million**. | More than **RMB 5 million**. | |
| CII outage | The overall interruption of CII for more than **6 hours** or the interruption of main functions for more than **24 hours**. | The overall interruption of CII for more than **1 hour** or the interruption of main functions for more than **3 hours**. | The overall interruption of CII for more than **10 minutes** or the interruption of main functions for more than **30 minutes**. | |
| Disruption to essential services | Disruption of essential services (e.g., water, electricity, etc.) for more than **50% of the population of one or more provinces** or over **10 million** people. | Disruption of essential services (e.g., water, electricity, etc.) for more than **50% of the population of one or more municipalities** or over **1 million** people. | Disruption of essential services (e.g., water, electricity, etc.) for more than **30% of the population of one or more municipalities** or over **100,000** people. | |
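The following is an added illustration, not part of the Guidelines or this alert, of how an incident response team might encode the quantitative thresholds above as a triage check. It applies the "highest threshold met wins, thresholds are not cumulative" rule and the "more than" wording literally (strictly greater than), folds in the analyst's qualitative reading of the Impact and Data leaked rows, and pairs the result with the operator-category deadlines from the Measures; the field names, the `qualitative_level` input and the operator-kind labels are assumptions, and the province/municipality population-percentage tests are left to the analyst rather than encoded.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    GENERAL = 1
    RELATIVELY_MAJOR = 2
    MAJOR = 3
    PARTICULARLY_MAJOR = 4


@dataclass
class Incident:
    """Quantitative facts about one incident plus the analyst's qualitative assessment (assumed schema)."""
    persons_leaked: int = 0                 # citizens whose personal information was leaked
    direct_loss_rmb: int = 0                # direct economic loss caused by the incident, in RMB
    cii_overall_outage_min: int = 0         # minutes the CII was interrupted as a whole
    cii_main_function_outage_min: int = 0   # minutes the CII's main functions were interrupted
    people_without_services: int = 0        # people who lost essential services (water, electricity, ...)
    qualitative_level: Level = Level.GENERAL  # analyst's reading of the Impact / Data leaked rows


# "More than" thresholds from the Guidelines table, keyed by the Incident field they apply to.
# General has no numeric thresholds: it is the floor for any incident that is notifiable at all.
THRESHOLDS = {
    Level.PARTICULARLY_MAJOR: dict(persons_leaked=100_000_000, direct_loss_rmb=100_000_000,
                                   cii_overall_outage_min=6 * 60, cii_main_function_outage_min=24 * 60,
                                   people_without_services=10_000_000),
    Level.MAJOR: dict(persons_leaked=10_000_000, direct_loss_rmb=20_000_000,
                      cii_overall_outage_min=60, cii_main_function_outage_min=3 * 60,
                      people_without_services=1_000_000),
    Level.RELATIVELY_MAJOR: dict(persons_leaked=1_000_000, direct_loss_rmb=5_000_000,
                                 cii_overall_outage_min=10, cii_main_function_outage_min=30,
                                 people_without_services=100_000),
}


def classify(incident: Incident) -> Level:
    """Highest level whose threshold any single metric exceeds; never lower than the qualitative level."""
    level = incident.qualitative_level
    for candidate in sorted(THRESHOLDS, reverse=True):   # check the most severe level first
        if any(getattr(incident, field) > limit for field, limit in THRESHOLDS[candidate].items()):
            return max(level, candidate)
    return level


# Initial reporting deadlines from the Measures, in hours from awareness; they do not depend on the level.
DEADLINE_HOURS = {"ciio": 1, "state_organ": 2, "network_operator": 4}


def reporting_deadline_hours(operator_kind: str) -> int:
    """Hours within which the operator itself must report, regardless of the classified level."""
    return DEADLINE_HOURS[operator_kind]
```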
Reporting Obligations
The Measures prescribe specific reporting obligations that apply to (i) all network operators (i.e., owners and administrators of networks and network service providers) as a default, including (ii) CIIOs (i.e., enterprises that operate critical information infrastructure and have been notified by the competent authorities that they qualify as a CIIO) and (iii) state organs that are also network operators, operating within the PRC.
Reporting timelines vary by operator category. While the Measures and Guidelines remain silent on this point, the reporting timeline is likely calculated from when the relevant network operator becomes aware of the cybersecurity incident, consistent with previous guidance issued by the CAC.
- CIIOs: Report cybersecurity incidents to the CII protection department and Public Security Bureau immediately and no later than one hour. For major or particularly major incidents, the CII protection department must report to the CAC and the Ministry of Public Security within 30 minutes.
- State organs and subordinate units: Report cybersecurity incidents to the department’s CAC office promptly and no later than two hours. For major or particularly major incidents, the department’s CAC office must report to the CAC within one hour.
- Other network operators: Report cybersecurity incidents to the provincial CAC promptly and no later than four hours. For major or particularly major incidents, the provincial CAC must report to the national CAC within one hour and simultaneously notify the relevant department authorities of the same level.
The reporting obligations on the various operators (and the corresponding timelines) mentioned above are not contingent on the relevant severity level assigned to the particular cybersecurity incident, meaning any and all cybersecurity incidents (even those that are categorized at a general level but fall within the definition of “cybersecurity incidents” within the Measures) are subject to these reporting timelines. For example, based on the text of the Measures and the Guidelines, a network operator would technically be required to notify both “particularly major” and “general” cybersecurity incidents to the provincial CAC no later than four hours, even though a “general” cybersecurity incident would be less severe than a “particularly major” cybersecurity incident. Notwithstanding this broad scope, the definition of cybersecurity incident under the Measures refers specifically to cybersecurity incidents that harm network systems and have a negative impact on the PRC, society, and the economy, as opposed to any unauthorized access to network systems that may not necessarily satisfy the prescribed threshold.
Comparison With the Network Data Security Management Regulations
According to the Network Data Security Management Regulations (the Regulations), which took effect on January 1, 2025, network data processors must report to PRC regulators within 24 hours if they discover risks in network products or services (e.g., security defects or vulnerabilities) that involve threats to national security or public interest. In comparison, the timeline set out in the Measures for reporting incidents is much shorter — four hours at most for network operators. A cybersecurity incident that is notifiable under the Measures is defined as “an event that causes harm to networks and information systems or their data and business applications, and has a negative impact on the country, society, or economy, due to human factors, network attacks, network vulnerabilities, software or hardware defects or failures, force majeure, etc.” Arguably, the risks that are notifiable under the Regulations are broader than the cybersecurity incidents referred to in the Measures, as the former refers to general risks and vulnerabilities that may not yet materialize, whereas the latter refers to actual incidents that have materialized and, importantly, one of the qualitative or quantitative thresholds in the table above has been met. Accordingly, cybersecurity incidents that have materialized (as opposed to being a potential risk) are seemingly subject to a shorter reporting timeline under the Measures than the network security risks under the Regulations. For more information about the Regulations, please read our Client Alert.
Contents of Cybersecurity Incident Reports
Reports on cybersecurity incidents notifiable under the Measures should include the following information:
- Background information about the entity and system where the incident occurred
- Time, place, type, and level of the incident, impact and harm, measures taken and their effects
- For ransomware incidents, the requested payment amount, method, and date, if applicable
- Preliminary analysis on the cause(s) of the cybersecurity incident
- Threat intelligence and forensic leads (potential attacker information, attack path, vulnerabilities, etc.)
- Planned remediation measures and support requests
- Security measures adopted at the time of the cybersecurity incident
- Other material facts
If the cause or impact of the incident cannot be determined within the required notification timeline, the notifying entity should submit a preliminary report with the available information and supplement it promptly once further information becomes available. The notifying entity should provide updates on major developments and submit a comprehensive summary report within 30 days after closure of the incident, documenting the root cause, emergency response measures, remediation actions taken, impact, accountability, and lessons learned.
Impact on IT and Security Contracts
When a network operator engages security or other IT service providers, the Measures require network operators to include contractual terms requiring such providers to promptly notify the operator of any detected incidents and assist with reporting such incidents to the relevant authorities.
Reporting Hotline
The CAC has established unified reporting channels, including the 12387 hotline, email and fax, for the purpose of receiving notifications of such incidents. The CAC’s 12387 website provides more detailed information on the different reporting channels available.
Liabilities and Mitigation
If a network operator fails to report (whether at all or within the specified timeline) or falsifies their report, this may result in liabilities for network operators and relevant individuals under applicable laws, including the PRC Cybersecurity Law, Data Security Law, and Personal Information Protection Law.
The Measures also expressly state that penalties may be mitigated if the network operator took reasonable and necessary protective measures, dealt with the cybersecurity incident in accordance with established emergency response plans, effectively reduced its impact, and reported the cybersecurity incident within the specified timeline.
Recommendations for Network Operators in the PRC
In light of the updated reporting timelines, it is recommended network operators undertake the following preparatory steps:
- review and update incident response policies and plans to ensure compliance with the accelerated notification requirements, including the shortest applicable reporting timelines (as little as four hours for network operators and one hour for CIIOs);
- revise internal procedures to ensure prompt escalation of cybersecurity incidents to the appropriate personnel within the organization;
- update internal reporting templates and documentation to capture all information required under the Measures; and
- review and amend vendor and third-party contracts, particularly with security and IT service providers, to include clear obligations for prompt notification to the network operator upon discovery of any suspected or actual cybersecurity incident.
This Client Alert was prepared with the assistance of Zurui Yang in the Beijing office of Latham & Watkins.