In a move that sent ripples through the luxury retail sector and beyond, a global luxury brand was fined by Mainland China’s Public Security Bureau last month for a major customer data breach in a cybersecurity incident.
The authorities found that the company had illegally transferred personal data to its European headquarters earlier this year. This high-profile enforcement action marks the first time that mainland authorities have penalised a foreign company for a cross-border data transfer violation.
Though the fine was unspecified, the penalty serves as a stark backdrop to the release of critical new legislation announced on 11 September 2025, the Measures for the Administration of the Reporting of Cybersecurity Incidents (国家网络安全事件报告管理办法) (Measures).
For multi-national corporations operating in the mainland, the message is unequivocal: the era of ambiguity in cybersecurity incident response is over.
These new Measures establish a stringent and unified framework for mandatory reporting of cybersecurity incidents, with clear reporting timeframes.
Network operators are required to comply with the Measures from 1 November 2025, when they become effective.
In this legal update, we summarise essential components of the Measures and answer key questions:
- When and how should a network operator report a cybersecurity incident?
- What are the consequences of failure to report?
- What should multi-national corporations with a China presence do?
Who needs to comply?
The Measures adopt the same definition of a network operator (网络运营者) as the PRC Cybersecurity Law – namely the owner, administrator or service provider of a network.
This definition is sufficiently wide to cover foreign companies administering or controlling a network in China. It does not limit coverage solely to Chinese network operators [1].
When should network operators report a cybersecurity incident?
Reporting obligations arise when a cybersecurity incident (网络安全事件) occurs. This is defined as “an incident that, due to factors such as human factors, cyberattacks, potential vulnerabilities in networks, defects or failures in software or hardware, or force majeure, causes harm to networks and information systems or the data and business applications therein, and creates a negative impact on the state, society or economy.” [2]
Classification of cybersecurity incidents
The Measures classify cybersecurity incidents into four tiers in descending order of severity:
- Exceptionally Major Cybersecurity Incidents (特别重大网络安全事件)
- Major Cybersecurity Incidents (重大网络安全事件)
- Relatively Major Cybersecurity Incidents (较大网络安全事件)
- General Cybersecurity Incidents (一般网络安全事件)
To help network operators determine the severity and classification of a cybersecurity incident, the Measures provide a set of quantified criteria with respect to the scale of the impact and damage caused.
Some of the key but non-exhaustive classifications are summarised below [3]:
Classification of cybersecurity incidents under the Measures

If a cybersecurity incident does not fall under any of these above-mentioned descriptions, it will be classified as a General Cybersecurity Incident (detailed classifications of cybersecurity incidents are set out in the Appendix here).
Reporting requirements
Reporting requirements outlined in the Measures apply to all cybersecurity incidents classified as Relatively Major Cybersecurity Incidents or above [4].
Reporting timeline

See footnote [5] for details of the corresponding remark in the table.
What should be reported?
In the initial report to relevant authorities, depending on severity of the cybersecurity incident, the following information must be provided immediately or in tranches [6]:
1. Name of entity involved and basic information about affected systems or facilities.
2. Time, location, type and level of the incident; impact and harm caused; measures taken and their effects; and, in the case of ransomware attacks, the amount, payment method and payment date for the ransom demand.
3. Development of the incident and any potential further impact and harm.
4. Preliminary analysis of the causes.
5. Leads for traceability investigation, including but not limited to information of the suspected attacker, attack vectors, and known vulnerabilities.
6. Proposed response measures and any requests for support.
7. Current status of containment of the incident.
8. Any other information that shall be reported.
Where the cause, impact or development trend of an incident cannot be determined within the prescribed time limit, the network operator may report only the information prescribed in sub-paragraphs (1) and (2) in the first instance and report the remaining information in a timely manner thereafter.
Who should network operators report to?
Prior to publication of the Measures, there was a lack of clarity regarding the timeline and specific mechanism for reporting cybersecurity incidents, other than the general requirement that network operators report the incident to “competent authorities” [7].
The Measures now establish that the Cyberspace Administration of China (CAC) shall establish and implement the “12387 cybersecurity incident reporting hotline”.
The CAC is also required to establish other reporting channels, such as websites, email and fax, to centrally receive reports of cybersecurity incidents [8].
The 12387 cybersecurity incident reporting hotline has now been established. Network operators can file a report via these channels [9]:
- Dial 12387 to report the cybersecurity incident;
- File a report through https://12387.cert.org.cn;
- Follow the WeChat account of China National Computer Network Emergency Response Technical Coordination Centre (国家互联网应急中心 CNCERT), and press “Report Incident” to file a report;
- File a report through the WeChat mini-programme “12387”;
- Email a report to [email protected]; or
- Fax a report to 7.
What are the consequences of failure to report?
Under the Measures, both the company and its responsible individuals may face direct liability for failing to report a cybersecurity incident.
If reporting is delayed or concealed – especially where significant harm has been caused – the authorities will impose heavier penalties on both the company and responsible individuals [10].
By contrast, organisations and personnel who have taken reasonably necessary protective steps – responding according to their emergency response plans, mitigating the damage of the incident and reporting in a timely manner under the Measures – may be subject to lighter punishment, or even exempted from liability [11].
Post-incident reporting
After completing response to a cybersecurity incident, a network operator is required to prepare a summary report on the response.
This comprehensive analysis must include:
- causes of the incident
- emergency response measures taken
- harm caused
- accountability measures, improvements and rectification, and
- lessons learned
This summary must then be submitted through the original reporting channels within 30 days of completing the initial response [12].
What precautions should multi-national corporations with a China presence take?
The recent high-profile enforcement action against a global entity coupled with the mandatory reporting deadlines and stringent requirements established in the Measures makes it clear that regulators are prioritising cyber resilience and rapid incident response.
In view of these regulatory developments, multi-national corporations with operations in China should urgently review and update their incident response plans (IRP), protocols and playbooks to ensure full compliance with the new reporting obligations.
Organisations should consider the following recommendations:
- Implement an escalation matrix that clearly defines the relevant stakeholders to be informed, reporting channels and timelines for notification, in accordance with the severity and classification of the incident (e.g. relatively major, major or exceptionally major) as set out in the Measures.
- Establish procedures to ensure that all material information (such as details of the impact and response measures) can be gathered and reported within the strict statutory timeframes (as short as one hour for critical information infrastructures), along with mechanisms for supplementary reporting as new information emerges.
- Conduct training to raise awareness across all business functions to ensure clear communication, alignment and understanding of the procedures for identifying, escalating and reporting a notifiable event.
- Review and update contracts with third-party service providers to require prompt notification of any detected cybersecurity incidents and ensure their cooperation in reporting, as mandated by Article 5 of the Measures.
- Document all actions taken in response to a cybersecurity incident, as timely and effective reporting and mitigation efforts may reduce or exempt the organisation and responsible personnel from liability in the event of an incident (Article 11, Measures).
- Establish protocols to maintain confidentiality of information by limiting internal access to details of the incident on a strict “need-to-know” basis and using secure channels for sharing of sensitive information. Consider engaging legal counsel to ensure parties communicating sensitive information and conducting forensic investigations are under a contractual duty of confidentiality. External counsel can also help to provide critical guidance on regulatory reporting, risk mitigation and defence against potential enforcement actions.
Such coordinated preparation will not only facilitate regulatory compliance but also reinforce the organisation’s overall cyber defence and resilience.
How we can help
We support companies in crafting and implementing robust incident response playbooks that comply with the latest legal requirements.
Our team supports businesses by reviewing internal policies and procedures to ensure alignment with regulatory standards – and developing clear communication plans for incident reporting and escalation.
Through our experience, we enable organisations to respond swiftly and effectively, report incidents correctly, and maintain regulatory compliance.
1. See Article 12, Measures. Under Article 76 of the Cybersecurity Law, “Network” refers to a system comprised of computers or other information terminals and related equipment that follows certain rules and procedures for information gathering, storage, transmission, exchange, and processing.
2. Article 12, Measures
3. Appendix, Measures
4. Article 4, Measures
5. For the definition of Critical Information Infrastructure, please refer to the Regulation on Protecting the Security of Critical Information Infrastructure (关键信息基础设施安全保护条例)
6. Article 7, Measures
7. See e.g. Article 25 of the PRC Cybersecurity Law
8. Article 9, Measures
9. See this guideline from the 12387 cybersecurity incident reporting platform (12387网络安全事件报告平台)
10. Article 10, Measures
11. Article 11, Measures
12. Article 8, Measures



