From November 1, China will apply one of the most strict regulations on cybersecurity in the world. The Cyberspace Administration of China (CAC) will implement the National Cybersecurity Incident Reporting Management Measures, which will make network operators report serious incidents within 60 minutes maximum. In ‘’particularly important’’ cases, the limit period to report it is shorter: 30 minutes.
Cyberattacks are a serious problem in the technological era we live, so let’s find out how China is dealing with it.
Who affects this rule in China?
The definition of network operators in this country is wide because it includes any organization that owns, manages, or provides network services. So, this goes from technological companies to financial institutions, government agencies, and online platforms. All of them must follow the same level of demand.
Deadlines to report in China
There are two situations and each have different deadlines to report the incident:
- Serious incidents: must be reported in less than an hour from the moment the incident is detected.
- Particularly serious incident: must be notified in 30 minutes to the right authorities, including the State Council’s Public Security Department.
This change makes China have a huge level of demand in comparison to Europe, where the deadline to report a data breach is 72 hours.
Categories of incidents in China
The rule establishes 4 levels of seriousness, being ‘’particularly serious’’ the highest. In this group we can find:
- Loss or theft of sensitive data that threatens national security or social stability.
- Data leaks exposing the personal information of over 100 million citizens.
- Outages taking down key government or news websites for more than 24 hours.
- Direct economic losses of more than ¥100 million (about £10.3 million).
Mandatory details in the first report
Operators in China must provide a complete first report with information such as:
- Impacted systems.
- Attack timeline.
- Type of incident.
- Damage assessment.
- Containment measures taken.
- Preliminary cause and exploited vulnerabilities.
- Ransom amounts if extortion was involved.
- Forecast of potential future harm.
- Type of government assistance required for recovery.
Final report in 30 days
Once the dust settles, organizations must submit a definite report within 30 days. This document must include the causes, lessons learnt, and the identification of the responsible people.
Penalties for non-compliance
The CAC clarifies that there won’t be a chance to hide information. So, if an operator in China delays the report, omits it, provides fake data or covers the incident; the organization and the responsible people could face severe legal penalties.
Available report channels
To avoid any excuses, the government of China has opened multiple ways of communication like: hotline 12387, the official website, WeChat, email, and other digital platforms. With this variety of channels to report incidents, it’s almost impossible to say you didn’t know how to report it or that you didn’t have the option to follow the process.
Impact on organizations in China
The new rule makes companies and institutions in this country reinforce their real-time monitoring systems and have specialized compliance teams capable of making rapid decisions. There won’t be an opportunity to wait several days before reacting: time is running so fast.
Recent context in China
These measures arrived right after Dior’s Shanghai branch was fined for transferring customer data to its French headquarters without the required security checks, customer disclosure, or encryption. This high-profile case underscores the message from authorities in China: data protection and cybersecurity are matters of national importance.
So, with this framework, China is sending a clear signal: cybersecurity incidents must be reported immediately, transparently, and in detail. Any attempt to delay or conceal information will bring heavy consequences. For organizations operating in China, compliance will mean speed, precision, and accountability. Do you think these measures are okay?