China Issues Management Measures for Cybersecurity Incident Reporting
Published 22 September 2025
Xia Yu
On 15 September 2025, the Cyberspace Administration of China (CAC) promulgated the Management Measures for National Cybersecurity Incident Reporting (“Measures”), which will take effect on 1 November 2025. A cybersecurity incident (“Cybersecurity Incident”) refers to an event resulting in harm caused by failures of networks and information systems due to human factors, cyber-attacks, system defects, force majeure, or other causes. In accordance with the requirements for incident reporting under the Cybersecurity Law of the People’s Republic of China, the Measures provide guidance to network operators that construct or operate networks or provide services via networks within China (“Network Operators”) regarding the fulfilment of reporting obligations, including procedures, recipients, time limits, content, channels, and related legal liabilities, and provide a basis for enforcement by regulatory authorities.
Attached to the Measures are the Guidelines for Classifying Cybersecurity Incidents (“Guidelines”), which specify quantitative indicators, through a limited enumeration approach, for four incident severity levels: especially serious, major, relatively major, and ordinary. An especially serious Cybersecurity Incident refers to an incident that poses an exceptionally severe threat to national security, public order, economic development, and public interests, and causes particularly serious impacts. Examples include inaccessibility of government websites at or above the provincial level for more than 24 hours; complete interruption of critical information infrastructure for over 6 hours; disruption affecting basic living needs (such as water, electricity, gas, oil, heating, transportation, medical care, or shopping) for more than 50% of the population in one or more provinces, or for over 10 million people; and leakage of personal information of more than 100 million citizens. A relatively major Cybersecurity Incident refers to an incident with relatively serious damaging consequences, such as inaccessibility of government or enterprise websites at or above the prefectural level for more than 2 hours; complete interruption of critical information infrastructure for over 10 minutes, or interruption of core functions for more than 30 minutes; disruption affecting basic living needs for over 30% of the population in one or more prefectures, or for more than 100,000 people; leakage of personal information of more than 1 million citizens; and direct economic losses exceeding RMB 5 million (equivalent to US$0.7 million). A major Cybersecurity Incident refers to an incident whose severity falls between that of an especially serious Cybersecurity Incident and a relatively major Cybersecurity Incident.
An ordinary Cybersecurity Incident refers to any other incident that poses a certain threat to national security, public order, economic development, and public interests, and causes a certain degree of impact.
The Measures specify reporting procedures, time limits, and reporting entities respectively for critical information infrastructure operators, national authorities and their directly affiliated institutions, as well as other Network Operators. Upon discovering or becoming aware of a Cybersecurity Incident, the Network Operators shall conduct a preliminary assessment of its severity level in accordance with the Guidelines. For the Cybersecurity Incidents classified as relatively major or above, the Network Operators of critical information infrastructure shall report to the competent protection department and public security authorities within 1 hour; the Network Operators of national authorities shall report to their respective cyberspace affairs agency within 2 hours; and other Network Operators shall report to the provincial-level cyberspace administration department in their locality within 4 hours. Upon conclusion of the Cybersecurity Incident response, the Network Operators shall, within 30 days, conduct a comprehensive analysis covering the cause of the Cybersecurity Incident, emergency response measures taken, resulting damages, accountability actions, corrective improvements implemented, and lessons learned. This analysis shall be submitted through the original reporting channel.
The Measures specify that the Cybersecurity Incident reports shall include: basic information of relevant entities and affected systems or facilities; time and location of discovery or occurrence; incident type and severity level; impacts and damages caused; measures taken and their effectiveness; development trends and potential subsequent impacts; preliminary analysis of causes; leads for traceability investigations (such as possible attacker information, attack vectors, and vulnerabilities identified); proposed countermeasures and requested support; and on-site preservation status. Additionally, for ransomware attacks, the Measures require reporting of ransom payment details—including amount, method, and date—drawing on practices from the United States and European countries.
The Measures encourage social organizations and individuals to report Cybersecurity Incidents and specify the channels for such reporting. To facilitate rapid and standardized incident reporting, the following reporting channels have been put into operation: the 12387 hotline; the official reporting portal at 12387.cert.org.cn; the “12387” WeChat Mini Program and the official WeChat account “National Internet Emergency Center CNCERT”; the dedicated email address 12387@cert.org.cn; and the reporting fax number 010-82992387.
The Measures further clarify the legal liabilities of the Network Operators. Failure to report the Cybersecurity Incidents in accordance with requirements shall be penalized under relevant laws and regulations. Those that delay reporting, omit reporting, falsely report, or conceal the Cybersecurity Incidents resulting in significant harmful consequences shall be subject to heavier penalties. However, those that adopt reasonably necessary protective measures, effectively mitigate the impact and damage of the Cybersecurity Incidents, and promptly report such Cybersecurity Incidents may receive mitigated penalties or be exempt from liability.
In conclusion, the Measures clarify the reporting obligations, channels, specific requirements, and legal liabilities of the Network Operators, thereby facilitating the centralized integration of the Cybersecurity Incident information and enhancing the overall efficiency of the Cybersecurity Incident reporting.