Key Points
- Scope and timing: 国家互联网信息办公室 (CAC) released the Measures on Sept 11, 2025, which take effect on November 1, 2025, creating a unified incident-reporting framework with six official reporting channels (e.g., 12387, 12387.cert.org.cn, WeChat/CNCERT, email, fax).
- Strict, tiered timelines: Incidents involving critical information infrastructure must be reported no later than 1 hour after discovery; other network operators generally report to their provincial CAC office within 4 hours; protection offices must escalate major/particularly major incidents to the national CAC and public security within 30 minutes; central/national units follow 2-hour and 1-hour internal escalation rules.
- Clear severity thresholds: The Classification Guide defines four levels (particularly major / major / relatively large / general) with concrete thresholds — personal data leaks of 100 million, 10 million, and 1 million people and direct economic-loss benchmarks of ¥100,000,000, ¥20,000,000, and ¥5,000,000 respectively.
- Operational obligations and enforcement: Network operators must report, contractually bind vendors/MSSPs to escalate and assist, and produce a comprehensive incident-handling summary within 30 days; failures (late/false/concealment) risk administrative penalties, while timely/mitigating actions may reduce sanctions.

National Cybersecurity Incident Reporting Measures now come with clear timelines, four incident levels, and six official reporting channels.
Quick overview
The Cyberspace Administration of China (Guójiā Hùliánwǎng Xìnxī Bàngōngshì 国家互联网信息办公室, CAC) published the National Cybersecurity Incident Reporting Measures on September 11, 2025.
The Measures take effect on November 1, 2025 and create a unified framework for how cybersecurity incidents are reported across the People’s Republic of China.
The rules cover scope, responsible parties, reporting entities, processes, time limits, and required content of reports.

Why this matters (purpose and legal basis)
The Measures aim to standardize reporting and limit losses and harms from cybersecurity incidents.
The Measures implement provisions already found in key laws:
- Cybersecurity Law (Wǎngluò Ānquán Fǎ 网络安全法).
- Data Security Law (Shùjù Ānquán Fǎ 数据安全法).
- Personal Information Protection Law (Gèrén Xìnxī Bǎohù Fǎ 个人信息保护法).
- Regulations on Protection of Critical Information Infrastructure (Guānjiàn Xìnxī Jīchǔ Shèshī Ānquán Bǎohù Tiáolì 关键信息基础设施安全保护条例).

Who must report
Any network operator that builds, operates, or provides services via networks inside the PRC must report incidents under the Measures.
The Measures define network operator broadly to include owners, managers, and service providers.

Which authorities are responsible
The national-level CAC coordinates nationwide incident reporting.
Provincial-level CAC offices coordinate reporting inside their administrative regions.
Industry regulators retain any reporting obligations they separately impose.

Reporting procedures and time limits — what to expect
Operators must first assess incidents using the attached “Cybersecurity Incident Classification Guide” (based on national standard GB/T 20986-2023).
For incidents judged “relatively large” or above, strict timelines apply.
- If the incident involves critical information infrastructure, report immediately to the relevant protection office and to public security authorities — no later than 1 hour after discovery.
- For incidents classified as “major” or “particularly major”, the protection office must notify the national CAC and the Ministry of Public Security’s national department within 30 minutes of receiving the report.
- Central or national government departments and their directly affiliated units must report to internal CAC work units within 2 hours.
- For central/national units, if the incident is “major” or “particularly major”, the internal CAC unit must report to the national CAC within 1 hour.
- Other network operators should report to the provincial CAC office responsible for their location, no later than 4 hours after discovery.
- For incidents that are “major” or “particularly major”, the provincial CAC must report to the national CAC within 1 hour of receipt and notify same-level departments.
- If the incident involves suspected criminal acts, operators must also file reports with public security authorities.

Reporting partners and third-party service providers
Operators must require, by contract or equivalent, that organizations or individuals providing cybersecurity, system operation, or maintenance services:
- Promptly report incidents they detect.
- Assist the operator in meeting the reporting obligations in the Measures.
That means vendors, managed security service providers, and contractors should be contractually prepared to escalate incidents into the operator’s reporting process.

Encouraging public reporting
The Measures explicitly encourage social organizations and individuals to report incidents that are “relatively large” or more serious.
Public reporting channels and outreach will likely increase noise but also surface real threats faster.

What to include in a report — required content
At a minimum, reports should include the following items.
- Name of the affected unit and a basic description of the affected system or facility.
- Time and place when the incident was discovered or occurred; incident type and level; impact and harm already caused; countermeasures taken and their effects.
- Projected evolution of the incident and possible further impacts.
- Preliminary analysis of causes.
- Clues for traceability (potential attacker information, attack path, known vulnerabilities).
- Planned follow-up measures and requests for assistance.
- On-site evidence-preservation measures.
- Any other information that should be reported.
If cause, impact, or trend cannot be determined within the required time window, operators may initially submit only items (1) and (2), and supply remaining details later.
If new material developments or investigative milestones arise after an initial report, operators must promptly submit updates.

Post-incident summary and accountability
After resolution, the operator must produce a comprehensive incident-handling summary within 30 days.
The summary must include root cause analysis, emergency measures taken, harms caused, accountability determinations, remediation actions, and lessons learned.
The summary should be submitted through the same reporting channels used initially.

Sanctions and mitigating factors
Failure to report as required may result in administrative penalties under relevant laws and regulations.
Late reporting, under-reporting, false reporting, or concealment that causes significant harm will be punished more severely for operators and responsible individuals.
However, if an operator has taken reasonable and necessary protective measures, followed contingency plans, reduced impact, and reported timely, the Measures allow for lighter or no punishment depending on circumstances.

How the Measures define a “cybersecurity incident”
The Measures define a cybersecurity incident as an event that harms networks, information systems, their data or applications due to human actions, attacks, vulnerabilities, hardware or software defects/failures, force majeure, or other causes.
The incident must cause negative impacts to the state, society, or economy.

Classification guide: four levels and key thresholds
The attached “Cybersecurity Incident Classification Guide” divides incidents into four levels — particularly major, major, relatively large, and general.
Key thresholds include:
- Particularly major incidents — examples and thresholds include:
  - Critical systems suffer extremely severe loss with widespread paralysis of services.
  - Core or massive citizen personal data are lost, stolen, modified, or faked in ways that create an especially grave threat to national security or social stability.
  - Personal data of 100 million or more citizens are leaked.
  - Causes direct economic losses of ¥100,000,000 RMB ($13,888,889 USD).
- Major incidents — examples and thresholds include:
  - Important systems suffer serious loss with long interruptions or local paralysis.
  - Core or large volumes of citizen personal data are lost or stolen posing a serious threat.
  - Personal data of 10 million or more citizens are leaked.
  - Causes direct economic losses of ¥20,000,000 RMB ($2,777,778 USD).
- Relatively large incidents — examples and thresholds include:
  - Important systems suffer noticeable losses and interruptions that affect business processing.
  - Important data or relatively large amounts of citizen personal data are lost or stolen.
  - Personal data of 1 million or more citizens are leaked.
  - Causes direct economic losses of ¥5,000,000 RMB ($694,444 USD).
- General incidents — incidents that do not meet the above thresholds but still pose some threat or cause some impact.
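
An incident-response team can encode the numeric thresholds above together with the time limits from the reporting-procedures section, so that triage produces a level, a reporting deadline, and the gaps in a draft initial report. The sketch below is an added example, not part of the Measures or of any official tool. The operator category keys and report field names are hypothetical, economic-loss figures are read as "at or above", and every operator clock is assumed to start at discovery.

```python
from datetime import datetime, timedelta

LEVELS = ["particularly major", "major", "relatively large", "general"]  # most severe first
# Numeric thresholds from the Classification Guide as quoted in the article:
# level -> (citizens whose data leaked, direct economic loss in CNY).
# Reading the loss figures as "at or above" is an assumption of this sketch.
THRESHOLDS = {
    "particularly major": (100_000_000, 100_000_000),
    "major": (10_000_000, 20_000_000),
    "relatively large": (1_000_000, 5_000_000),
}
# Operator's first-report window, and the receiving authority's onward-escalation
# window (counted from receipt) for major / particularly major incidents.
# The category keys are hypothetical labels.
FIRST_REPORT = {"cii": timedelta(hours=1), "central_unit": timedelta(hours=2),
                "other": timedelta(hours=4)}
ESCALATION = {"cii": timedelta(minutes=30), "central_unit": timedelta(hours=1),
              "other": timedelta(hours=1)}
# Field names (hypothetical) covering required-content items (1) and (2).
INITIAL_FIELDS = ("unit_name", "system_description", "discovered_at", "location",
                  "incident_type", "level", "impact", "countermeasures")

def classify(people_affected=0, direct_loss_cny=0, qualitative_level="general"):
    """Most severe level reached by the numeric thresholds or by an analyst's
    qualitative call (service paralysis, core data loss, and so on)."""
    numeric = next((lvl for lvl, (people, loss) in THRESHOLDS.items()
                    if people_affected >= people or direct_loss_cny >= loss), "general")
    return min(numeric, qualitative_level, key=LEVELS.index)

def reporting_clock(discovered_at, operator, level):
    """Return (operator deadline, authority escalation window); each is None
    where the article states no fixed limit for that level."""
    if level == "general":
        return None, None
    escalation = ESCALATION[operator] if LEVELS.index(level) <= 1 else None
    return discovered_at + FIRST_REPORT[operator], escalation

def missing_initial_fields(report):
    """Fields for items (1) and (2) that are still empty in a draft initial report."""
    return [f for f in INITIAL_FIELDS if not report.get(f)]

if __name__ == "__main__":
    # Constructed sample: 12 million records leaked at a non-CII operator.
    found = datetime(2025, 11, 3, 9, 15)
    level = classify(people_affected=12_000_000, direct_loss_cny=3_000_000)
    print(level, reporting_clock(found, "other", level))
    print(missing_initial_fields({"unit_name": "Example Co", "level": level}))
```

The qualitative criteria in the Guide still need an analyst's judgment, which is why `classify` accepts an override and returns whichever level is more severe.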

FAQ highlights
The CAC provided a Q&A to clarify practical points.
- Why issue the Measures? To reduce losses from incidents, to operationalize reporting provisions already in law, and to align China’s practice with international norms that require mandatory incident reporting with defined time limits.
- What counts as a cybersecurity incident? Any event — from attacks and exploitation of vulnerabilities to faults and force majeure — that harms networks, systems, data or applications and produces negative effects.
- Who must report? Network operators operating or providing services within the PRC.
- What channels are available? The CAC has set up six reporting channels to facilitate rapid, standardized reporting.

Reporting channels — six official options
- Call the 12387 cybersecurity incident reporting hotline and follow the voice prompts.
- Report online at the cybersecurity incident reporting website: 12387.cert.org.cn.
- Use the “12387” WeChat mini-program and click “Event Report” on the mini-program homepage.
- Follow the “China National Computer Network Emergency Response Technical Team/Coordination Center” WeChat public account (国家互联网应急中心 CNCERT) and use its “Event Report” function.
- Send email to [email protected].
- Send fax to 010-82992387.

Effective date
The Measures enter into force on November 1, 2025.

Practical implications — what network operators and investors should do now
The Measures formalize clear, time-bound reporting duties and a centralized intake mechanism.
Operators should take immediate, practical steps to comply and reduce regulatory risk.
Key actions to consider:
- Update vendor contracts to require immediate notification from MSSPs, cloud providers, and maintenance vendors, and to confirm cooperation for evidence preservation.
- Map critical systems and classify which assets meet the definition of critical information infrastructure.
- Test contingency plans and incident playbooks against the Measures’ timelines (1 hour, 2 hours, 4 hours, 30 minutes escalation rules).
- Establish an internal escalation matrix with named owners, contact details, and decision thresholds aligned to the four incident levels.
- Log and evidence retention — ensure forensic logs and evidence-preservation measures are in place to meet reporting content requirements.
- Legal and PR coordination — agree process triggers so legal counsel and communications teams can act fast when reports are required.
- Train staff and vendors on the six official reporting channels and the required report content fields.
- Prepare summary templates for the 30-day comprehensive incident-handling report to speed compliance.
Quick compliance checklist
- Have you identified whether you are a network operator under the Measures?
- Are vendor contracts updated to require prompt incident reporting?
- Can you assemble required report items (1)-(9) within the timed windows?
- Do internal escalation and public communication protocols meet the 1/2/4 hour obligations?
- Is a 30-day post-incident summary workflow defined and resourced?

Investor and market takeaways
For investors and founders, the Measures increase clarity on regulatory expectations and timelines in China’s cybersecurity ecosystem.
Companies operating in or serving users in the PRC will need disciplined incident response capabilities and contractual guardrails with third parties.
Fiscal thresholds in the classification guide provide an objective lens for assessing incident severity and potential regulatory exposure.

Final note
The National Cybersecurity Incident Reporting Measures set a clear, time-bound compliance bar for operators in China and will reshape vendor contracts, incident playbooks, and governance processes.
Start mapping assets, update contracts, and rehearse your escalation playbooks now so your team can meet the stringent reporting timelines set out in the Measures.
