Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · EMERGENCY RESPONSE PLAN FOR DATA SECURITY INCIDENTS IN THE FIELD OF INDUSTRY AND INFORMATION TECHNOLOGY (TRIAL)

Emergency Response Plan for Data Security Incidents in the Field of Industry and Information Technology (Trial).

工业和信息化领域数据安全事件应急预案(试行)

Promulgated by: Ministry of Industry and Information Technology.
Document No.: MIIT Cyber Security [2024] No. 214.
Issued October 29, 2024. Effective November 1, 2024.


Issuing Notice

To the industry and information technology authorities of all provinces, autonomous regions, municipalities directly under the Central Government and cities specifically designated in the State plan, and the Xinjiang Production and Construction Corps; the communications administrations of all provinces, autonomous regions and municipalities directly under the Central Government; the radio regulatory agencies of Qinghai and Ningxia; the units directly under the Ministry; the universities directly under the Ministry; and the relevant enterprises:

The Emergency Response Plan for Data Security Incidents in the Field of Industry and Information Technology (Trial) is hereby issued to you. Please conscientiously comply with and implement it.

Ministry of Industry and Information Technology

October 29, 2024


Summary of the Emergency Response Plan

The substantive text of the Plan was distributed as a separate annex and is not reproduced here article-by-article. The following structured summary reflects the published framework of MIIT Cyber Security [2024] No. 214.

Purpose and basis. The Plan implements the Data Security Law, the Cybersecurity Law and the MIIT Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial). It is the sector-specific counterpart, for data security incidents, to the Contingency Plan for Public Internet Cybersecurity Emergencies, and is intended to improve the capacity of MIIT, local industry regulatory authorities and data processors to respond to data security incidents affecting industrial data, telecommunications data and radio data.

Scope. The Plan applies to the prevention, monitoring, reporting, emergency response to, and post-incident handling of data security incidents in the field of industry and information technology — that is, incidents in which data is tampered with, destroyed, leaked, lost, or illegally obtained or used, causing harm to national security, the public interest, or the legitimate rights and interests of individuals and organizations.

Incident grading. Data security incidents are classified into four grades according to the degree of harm and scope of impact:

  • Especially significant (Level I) — incidents causing especially serious harm, such as those involving core data or affecting national security and the lifeline of the national economy on a wide scale.
  • Significant (Level II) — incidents causing serious harm, typically involving important data or core data with major regional or industry-wide impact.
  • Relatively significant (Level III) — incidents causing relatively serious harm within a more limited scope.
  • General (Level IV) — incidents with a limited scope of impact and relatively minor harm.

Organizational structure. The Plan establishes a coordinated command structure: the Ministry of Industry and Information Technology organizes and coordinates the response to incidents involving important data and core data and to especially significant and significant incidents, while local industry regulatory authorities organize the response to incidents in their respective regions. Data processors bear primary responsibility for responding to incidents affecting the data they process.

Monitoring, early warning and reporting. Data processors must monitor data security risks, promptly investigate hidden dangers, and report incidents to the industry regulatory authority of their region. Incidents involving important data and core data must be reported to MIIT at the first opportunity, with follow-up reports on the development and disposal of the incident. Early-warning information is graded and disseminated through the channels established under the MIIT data security monitoring and early-warning mechanism.

Graded response and post-incident handling. Upon the occurrence of an incident, the corresponding contingency measures are activated according to the incident grade; measures are taken to prevent the harm from expanding, eliminate hidden dangers, and notify affected users where their legitimate rights and interests may be harmed. After disposal is completed, the data processor forms a summary report within the prescribed period, and reports on the disposal of data security incidents to the industry regulatory authority of its region on an annual basis. Where a clue of suspected crime is discovered, the matter is reported to the public security or State security authorities and cooperation is provided in the investigation.

How it fits. This Plan supplies the operational incident-response layer for the MIIT industrial data security regime. It works alongside the Industrial Data Security Measures (which impose the underlying full-lifecycle and reporting obligations) and the Implementing Rules for Data Security Risk Assessment (which govern the annual proactive assessment), and dovetails with the Contingency Plan for Public Internet Cybersecurity Emergencies for incidents that simultaneously constitute cybersecurity emergencies.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.