Cybersecurity Incident Reporting Rules in Effect November 1 – Requirements for Foreign Companies in China
New rules on cybersecurity incident reporting in China outline the scenarios in which companies must report incidents involving data leaks or cybersecurity breaches to regulatory authorities. Under the new rules, companies that provide network services or sell services online must report any high-risk incidents to a specified authority within a matter of hours, or face possible penalties. While these reporting obligations are not new, the new rules provide helpful clarity to companies by defining the chain of command and reporting timelines.
From November 1, companies in China will be required to follow new rules for reporting cybersecurity incidents under the National Cybersecurity Incident Reporting Management Measures (the “Incident Reporting Measures”). The measures, which were issued by the Cyberspace Administration of China (CAC) on September 11, 2025, and build on draft measures first released for public comment in 2023, apply to both domestic and foreign companies that build or operate internet networks or provide online services in China. They set out strict reporting obligations, with deadlines that vary depending on the type of company and the severity of the incident.
Obligations to report cybersecurity incidents
Both domestic and foreign companies handling data or personal information in China are already legally required to report any cybersecurity incidents to authorities under the country’s existing cybersecurity and data protection laws. This includes explicit obligations set out in the Data Security Law (DSL), the Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL), and the Critical Information Infrastructure Operators Security Protection Measures.
The Incident Reporting Measures do not impose new obligations on network operators, but rather clarify and reinforce the procedural requirements already stipulated in the above laws. Under these measures, all companies that build or operate internet networks, or provide services through the internet within the territory of China, and are involved in a cybersecurity incident, must follow the standardized reporting procedures.
By strengthening the incident reporting mechanism, the measures aim to ensure effective coordination between government and enterprises during emergencies, mitigate negative impacts, and prompt stakeholders to take timely action to reduce or prevent further harm.
Security Incident Reporting Requirements under China’s Data Protection and Cybersecurity Laws
Data Security Law: The Data Security Law requires companies to take immediate remedial measures in the event of a data security incident, and promptly inform users and report the incident to the competent industry authority.
Liability: Failure to report security incidents may result in fines of RMB 50,000 to RMB 500,000 (US$7,000 to US$70,000) for the company if corrections are not made, and possible fines of RMB 10,000 to RMB 100,000 (US$1,400 to US$14,000) for responsible personnel. In serious cases, such as where the violation results in a large-scale data leak, the company may be fined between RMB 500,000 and RMB 2 million (US$70,000 to US$280,000), while responsible personnel are liable for fines of RMB 50,000 to RMB 200,000 (US$28,120). Companies may also be ordered to suspend operations or business or have their relevant business permits or licenses revoked.
PIPL: The PIPL requires personal information processors to take immediate remedial measures in the event of, or potential for, personal information leakage, alteration, or loss. Processors must notify both the competent personal information protection authorities and affected individuals.
Liability: Violations may result in orders to correct, warnings, confiscation of illegal gains, or suspension of services. Fines can reach up to RMB 1 million (US$140,000) for general violations, with responsible personnel fined between RMB 10,000 and RMB 100,000. In severe cases, companies may face fines of up to RMB 50 million (US$7 million) or 5 percent of the previous year’s turnover, suspension of operations, or license revocation, while responsible personnel may face fines of RMB 100,000 to RMB 1 million and potential disqualification from senior management roles.
Cybersecurity Law: The Cybersecurity Law requires network operators to report incidents that endanger network security to the competent authorities. Where personal information leakage, damage, or loss occurs or may occur, network operators must immediately take remedial measures, notify users, and report to regulators.
Liability: Failure to report or remedy vulnerabilities, or to inform users and regulators of personal information leaks, can result in orders to correct, warnings, and fines ranging from RMB 50,000 to RMB 500,000 for companies and RMB 10,000 to RMB 100,000 for responsible personnel.
Critical Information Infrastructure Operator Security Protection Measures: CIIOs must report major cybersecurity incidents or the discovery of significant threats to both the protection work department and the public security authorities, in accordance with relevant regulations.
Liability: Failure to report can result in an order to correct, warnings, and fines ranging from RMB 100,000 to RMB 1 million for companies and RMB 10,000 to RMB 100,000 for responsible personnel.
When to report a cybersecurity incident
As soon as a company discovers or becomes aware of a cybersecurity incident involving its own business, it must conduct an assessment in accordance with the Guidelines for the Classification of Cybersecurity Incidents, released as an Appendix to the Measures. These guidelines set out the criteria and thresholds for classifying incidents into different risk levels, with each level corresponding to different reporting obligations and timelines.
There are differing requirements for the timeframe in which an entity must report a cybersecurity incident, depending on the type of entity involved and the seriousness of the incident. These are summarized in the table below.
Security Incident Reporting Time Limits and Procedures

| Type of entity | Incident risk level | Reporting time limit | Reporting procedures |
|---|---|---|---|
| Critical information infrastructure operators | Cybersecurity incident at or above the “relatively serious” level | No later than 1 hour after the incident occurred | Entity reports the incident to the protection department and public security organs |
| Critical information infrastructure operators | “Serious or extremely serious” cybersecurity incident | No later than 30 minutes after receiving the report | Protection department reports the incident to the national cyberspace administration department and the public security department of the State Council |
| Network operators belonging to central and state government departments and their directly affiliated units | Cybersecurity incident at or above the “relatively serious” level | No later than 2 hours after the incident occurred | Entity reports the incident to the cybersecurity work unit of their department |
| Network operators belonging to central and state government departments and their directly affiliated units | “Serious or extremely serious” cybersecurity incident | No later than 1 hour after receiving the report | Cybersecurity and informatization work units of the various departments report the incident to the national cybersecurity and informatization department, which shall promptly notify the relevant departments upon receipt of the report |
| Other network operators | Cybersecurity incident at or above the “relatively serious” level | No later than 4 hours after the incident occurred | Entity reports the incident to the provincial cybersecurity and informatization department of their jurisdiction |
| Other network operators | “Serious or extremely serious” cybersecurity incident | No later than 1 hour after receiving the report | Provincial cybersecurity and informatization department reports the incident to the national cybersecurity and informatization department and simultaneously notifies the relevant departments at the same level |
Note that if there are specific regulations regarding incident reporting for a certain industry sector, the entity involved should also report the incident in accordance with the requirements of the competent industry regulatory authorities.
Meanwhile, if there is any suspicion of illegal or criminal activities having taken place, the entity must promptly report the case to the public security organs.
Guidelines for classifying the risk level of cybersecurity incidents
As mentioned above, the measures were released with a set of supporting guidelines for companies to assess the risk level of a cybersecurity incident. These range from “serious or extremely serious” (which require swift reporting) to “ordinary” incidents (which do not need to be reported). The risk level classification detailed in the guidelines is summarized in the table below.

Risk Level Classification for Cybersecurity Incidents

| Level | Key characteristics | Typical indicators |
|---|---|---|
| Extremely serious (特别重大) | Causes widespread paralysis of important networks/systems; massive loss/theft of core/important data or personal information; poses particularly severe threats to national security or social stability. | |
| Serious (重大) | Severe damage to important networks/systems; large-scale loss/theft of core/important data or personal information; serious threats to national security or social stability. | |
| Relatively serious (较大) | Noticeable disruption to important networks/systems; loss/theft of important data or personal information; relatively serious impact on security or stability. | |
| Ordinary (一般) | Other incidents that do not reach the above thresholds but still pose some threat to national security, social order, economic activity, or public interests. | |
How to report a cybersecurity incident
Companies must provide the following information when reporting a cybersecurity incident:
- The name of the entity involved and basic information about the system or facility involved.
- The time, location, type, and level of the cybersecurity incident, as well as the impact and harm caused, measures taken, and their effectiveness. For ransomware attacks, the amount, method, and date of the ransom demand must also be included.
- The likely progression of the incident and the possible further impact and harm that it could cause.
- A preliminary analysis of the cause of the cybersecurity incident.
- Clues for tracing the source of the incident, including but not limited to information about possible attackers, attack paths, and existing vulnerabilities.
- Proposed further response measures and requests for support.
- Security measures taken at the cybersecurity incident site.
- Any other matters that should be reported.
If the company cannot determine the cause, impact, or likely progression of a cybersecurity incident within the required time, it may first submit the initial two items listed above and provide the remaining information as soon as it becomes available.
If any new important circumstances arise after the cybersecurity incident has been reported, or if any progress is made in the investigation, the company must also promptly report these developments.
Within 30 days of resolving a cybersecurity incident, the company must conduct a comprehensive review covering the causes, emergency response measures, impacts, accountability, remediation efforts, and lessons learned, and submit an incident handling report through the original reporting channels (see the reporting authorities in the table above).
Liabilities for noncompliance
If a company fails to report a cybersecurity incident in accordance with the measures, the relevant competent authorities shall impose penalties in accordance with relevant laws and administrative regulations. Fines can range from RMB 50,000 to RMB 50 million depending on the severity of the case and the type of data involved (incidents involving personal information attract higher fines).
Companies can also face more severe penalties if they delay the reporting of a cybersecurity incident, or fail to report, falsify, or conceal a cybersecurity incident, and this neglect results in serious consequences.
Key takeaways for foreign companies
For foreign companies operating in China, the new measures underscore the importance of timely and accurate incident reporting. Failure to comply can result not only in steep fines but also in reputational damage that may affect broader business operations. The measures also bring greater clarity and standardization by setting out unified requirements for how and when incidents must be reported, helping companies navigate obligations that were previously scattered across different laws and regulations.
At the same time, companies should be aware that filing an incident report can trigger follow-up investigations into potential violations of China’s broader data security, cybersecurity, or PIPL requirements – as seen in the recent Dior case – making it essential to maintain strong overall compliance frameworks.
It is also important to note that, where cybersecurity incidents involve personal information, companies are also required to inform the owners of the personal information of the incident. Under Article 57 of the PIPL, companies must notify both the competent authorities and the affected individuals when a leak, alteration, or loss of personal information occurs and may cause harm.
About Us
China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.
Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.