DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · INCIDENT REPORTING MEASURES

Measures for the Administration of National Cybersecurity Incident Reporting.

国家网络安全事件报告管理办法

Promulgated by: Cyberspace Administration of China. Document No.: (none assigned). Issued: September 11, 2025. Effective: November 1, 2025.


Article 1. These Measures are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Security Protection Regulations for Critical Information Infrastructure, and other laws and regulations, in order to regulate the administration of cybersecurity incident reporting and to control in a timely manner the losses and harm caused by cybersecurity incidents.

Article 2. Network operators that build or operate networks within the territory of the People’s Republic of China, or that provide services through networks, shall report cybersecurity incidents in accordance with these Measures when such incidents occur.

Article 3. The national cyberspace administration authorities shall be responsible for the overall coordination of the administration of cybersecurity incident reporting nationwide. Provincial cyberspace administration authorities shall be responsible for the overall coordination of the administration of cybersecurity incident reporting within their respective administrative regions.

Article 4. When a network operator discovers or learns of a cybersecurity incident involving its own entity, it shall assess the incident in accordance with the Guidelines for the Classification of Cybersecurity Incidents (see the Annex). Where the incident is classified as a relatively significant or above-level cybersecurity incident, it shall be reported following the procedures set out below:

Where the incident involves critical information infrastructure (CII), the network operator shall report to the protection authority and the public security authority as soon as possible and no later than one hour. Where the incident is a major or especially major cybersecurity incident, the protection authority shall, upon receiving the report, report to the national cyberspace administration authorities and the State Council public security department as soon as possible and no later than thirty minutes.

Where the network operator is one of the various departments of the central Party and State organs or their directly affiliated units, it shall report to the cyberspace-administration body of its own department in a timely manner and no later than two hours. Where the incident is a major or especially major cybersecurity incident, the cyberspace-administration body of the relevant department shall, upon receiving the report, report to the national cyberspace administration authorities as soon as possible and no later than one hour. Upon receiving the report, the national cyberspace administration authorities shall promptly notify the relevant departments.

All other network operators shall report to the provincial cyberspace administration authorities of their locality in a timely manner and no later than four hours. Where the incident is a major or especially major cybersecurity incident, the provincial cyberspace administration authorities shall, upon receiving the report, report to the national cyberspace administration authorities as soon as possible and no later than one hour, and shall simultaneously notify the relevant departments at the same level.

Where the relevant industry sector has specific provisions of its own, the network operator shall also report in accordance with the requirements of the industry competent authority or supervisory department.

Where suspected illegal or criminal conduct is involved, the network operator shall report the case to the public security authority in a timely manner.

Article 5. A network operator shall, by means of contracts or other instruments, require organizations or individuals that provide it with cybersecurity, system operations and maintenance, or similar services to report cybersecurity incidents discovered during monitoring to the network operator in a timely manner, and to assist it in reporting cybersecurity incidents in accordance with these Measures.

Article 6. Social organizations and individuals are encouraged to report relatively significant or above-level cybersecurity incidents of which they have knowledge.

Article 7. When reporting a cybersecurity incident, the following information shall be included:

(1) The name of the affected entity and basic information on the affected system or facility;

(2) The time, location, type, and grade of the cybersecurity incident, the impact and harm already caused, and the measures taken and their effects; for ransomware attacks, the report shall also include the amount, method, and date of the ransom demanded;

(3) The trend in how the situation is developing and the further impact and harm that may be caused;

(4) A preliminary analysis of the cause of the cybersecurity incident;

(5) Clues for traceability investigation, including but not limited to information about the possible attacker, the attack path, and the vulnerabilities exploited;

(6) The further response measures proposed and any request for support;

(7) The status of on-site preservation relating to the cybersecurity incident; and

(8) Any other matters that should be reported.

Where the cause, impact, or development trend of a cybersecurity incident cannot be determined within the prescribed time, the information under items (1) and (2) above may be reported first, with the remaining information to be submitted as a supplement in a timely manner.

Where important new developments arise after a cybersecurity incident has been reported, or where the investigation makes stage-by-stage progress, the affected entity shall report such developments in a timely manner.

Article 8. After incident handling for a cybersecurity incident has concluded, the network operator shall, within thirty days, conduct a comprehensive analysis and summary of the cause of the relevant incident, the emergency response measures taken, the harm caused, accountability, rectification and improvement, and lessons learned, shall prepare an incident handling summary report, and shall submit that report through the original reporting channel.

Article 9. The cyberspace administration authorities shall establish the 12387 cybersecurity incident reporting hotline, as well as a website, email, fax, and other channels, to receive cybersecurity incident reports in a unified manner.

Article 10. Where a network operator fails to report a cybersecurity incident in accordance with these Measures, the relevant competent authority shall impose penalties in accordance with the applicable laws and administrative regulations.

Where late reporting, missed reporting, false reporting, or concealed reporting of a cybersecurity incident by a network operator results in serious harmful consequences, heavier penalties shall be imposed on the network operator and the responsible individuals in accordance with law.

Where a department that bears responsibility for cybersecurity incident reporting fails to report a cybersecurity incident in accordance with these Measures, the liability of the relevant entity and personnel shall be pursued in accordance with the applicable laws and administrative regulations and the cybersecurity work accountability system.

Article 11. Where a cybersecurity incident occurs and the network operator has taken reasonable and necessary protective measures, has handled the incident in accordance with its emergency response plan, has effectively reduced the impact and harm of the cybersecurity incident, and has reported in a timely manner in accordance with these Measures, the liability of the relevant entity and personnel may, taking into account the circumstances, be mitigated or not pursued.

Article 12. For the purposes of these Measures, “cybersecurity incident” refers to an incident in which networks and information systems, or the data and business applications therein, are harmed as a result of human causes, network attacks, network vulnerabilities and security risks, software or hardware defects or failures, force majeure, or other factors, and which has a negative impact on national, social, or economic interests.

For the purposes of these Measures, “network operator” refers to the owner, administrator, or service provider of a network.

The Guidelines for the Classification of Cybersecurity Incidents referred to in these Measures are formulated with reference to the national standard Guidelines for the Classification of Cybersecurity Incidents — Information Security Technology (GB/T 20986-2023) and provide quantitative grading indicators for the relevant incidents by means of a finite enumeration.

Article 13. Reports of cybersecurity incidents involving State secrets shall be handled in accordance with the relevant provisions of the competent departments.

Article 14. These Measures shall come into force on November 1, 2025.
