China mandates cybersecurity incident reporting

-	Important news
-	News
-	In-Depth
-	Shenzhen
-	China
-	World
-	Business
-	Speak Shenzhen
-	Culture
-	Leisure
-	Photos
-	Lifestyle
-	Travel
-	Tech
-	Special Report
-	Digital Paper
-	Opinion
-	Features
-	Kaleidoscope
-	Health
-	Markets
-	Sports
-	Entertainment
-	Business/Markets
-	World Economy
-	Weekend
-	Newsmaker
-	Advertisement
-	Diversions
-	Movies
-	Hotels and Food
-	Yes Teens!
-	News Picks
-	Glamour
-	Campus
-	Budding Writers
-	Fun
-	Qianhai
-	CHTF Special
-	Futian Today

szdaily -> Tech ->

2025-09-16 08:53 Shenzhen Daily

CHINA’S cyberspace regulator issued a new regulation Monday on reporting cybersecurity incidents, taking effect Nov. 1. The 14‑article rule sets out the scope of incidents, reporting entities, supervisory duties, procedures, deadlines and required content, aiming to standardize incident reporting, limit damage and implement the Cybersecurity Law and protect information infrastructure.

The regulation applies to network operators that build, operate or provide services in China. A “cybersecurity incident” is defined broadly to include events caused by human action, cyberattacks, vulnerabilities, software or hardware defects, malfunctions, or force majeure that damage networks or information systems and harm national, social or economic security. The aim is to ensure timely notification to authorities so incidents can be contained and negative social impacts avoided.

The Cyberspace Administration of China (CAC) will coordinate oversight nationwide, with provincial cyberspace authorities managing reports in their jurisdictions. Sectoral regulators retain authority where industry‑specific rules exist. Public security authorities must be notified when incidents involve suspected crimes.

The regulation establishes a unified reporting system and six reporting channels, including the 12387 hotline, the CAC website, its WeChat account and mini‑program, email and fax. It also introduces a four‑level graded system for incidents based on quantifiable indicators to guide responses.

Major information infrastructure operators need to report immediately and no later than one hour to relevant departments and public security authorities and to the CAC within 1.5 hours. Government departments need to report to internal cybersecurity offices within two hours and to the CAC within three hours. Other network operators are required to report to provincial cyberspace authorities within four hours and to the CAC within five hours with concurrent notification to local authorities.

Late, false or concealed reporting that leads to serious consequences will be severely punished according to law.

The CAC said the regulation follows international practice: jurisdictions including the U.S., EU, Australia and India have introduced mandatory reporting rules with specified deadlines. By clarifying responsibilities, timelines and channels, the new regulation seeks to improve emergency response, strengthen cross‑agency coordination and raise overall cyber resilience.

(SD-Agencies)