Operating in China’s digital ecosystem just got more challenging. As regulators intensify their focus on cybersecurity and data protection, organizations must be prepared to respond to a breach in minutes, not days.
To boost national cyber defense and enforce faster crisis management, the Cyberspace Administration of China (CAC) released the National Cybersecurity Incident Reporting Management Measures (often referred to as the China incident reporting requirements) in September 2025. Backed by the authority of the Cybersecurity Law, Data Security Law (DSL), and Personal Information Protection Law (PIPL), these stringent new rules introduce mandatory obligations for all network operators, especially for Critical Information Infrastructure (CII) operators. CII are network facilities and information systems in key sectors such as public communications, energy, transportation, finance, and national defense that, if damaged or compromised, could seriously endanger national security, the economy, or public welfare.
This isn't just about checking a compliance box; it's about the difference between a swift, controlled recovery and a full-blown regulatory crisis. Knowing exactly what constitutes a reportable cybersecurity incident, how quickly you must act, and what information must be disclosed can make the difference between a controlled situation and a regulatory crisis.
This blog will break down the key mandates, including how incidents are classified, reporting timelines and content requirements, and the core emergency response obligations now required of all affected entities.
Incident Types: Classifying Cybersecurity Threats by Impact
Cybersecurity incidents are classified by severity, based on factors such as system impact, affected population, personal data exposure, and economic losses. Understanding these categories helps CII prioritize response and meet reporting obligations under China’s new rules.
1. Particularly Serious Cybersecurity Incidents
These are the highest-severity events. Examples include national-scale service disruptions or critical data breaches. Criteria include:
- CII outages lasting over six hours, or main function failures exceeding 24 hours
- Impact on more than 10 million people
- Exposure of over 100 million personal records
- Economic losses exceeding 100 million RMB
2. Major Cybersecurity Incidents
Major incidents often involve provincial-scale disruptions. Key thresholds:
- Outages over one hour for critical infrastructure, or three hours for main functions
- Affecting over a million people
- Exposure of more than 10 million personal records
- Economic losses over 20 million RMB
3. Relatively serious cybersecurity incident
These typically impact regional systems:
- Outages exceeding 10 minutes for critical systems, or 30 minutes for main functions
- Affecting over 100,000 people
- Exposure of over 1 million personal records
- Economic losses exceeding 5 million RMB
4. Common Network Security Incidents
Incidents falling below the above thresholds usually affect localized operations, with limited data loss or economic impact.
Why it matters: Accurately classifying an incident isn’t just a procedural step; it directly determines your organization’s legal obligations and crisis management tempo. Misjudging severity can lead to missed reporting deadlines or underestimation of systemic risk, both of which attract regulatory scrutiny. By correctly identifying the impact level early, organizations ensure proportionate response measures, maintain regulatory trust, and demonstrate operational maturity in the face of cyber disruption.
Reporting Timeframes and Channels: Acting Fast Matters
Incident severity also determines reporting timelines and response actions. The following table elaborates on it:
Operator Type
|
Incident Severity
|
Initial Report Deadline
|
Reporting Target(s)
|
| Critical Information Infrastructure (CII) Operators |
Major or Particularly Serious or Relatively Serious |
Within 1 hour of discovery |
Protection Department & Public Security Organs; then National Cyberspace Administration (within 30 minutes after receipt) |
| Central / State Departments & Directly Affiliated Units |
Major or Particularly Serious or Relatively Serious |
Within 2 hours of discovery |
Report to the department cybersecurity & informatization authority; then National Cyberspace Administration (within 1 hour) |
| Other Network Operators |
Major or Particularly Serious |
Within 4 hours of discovery |
Report to provincial cyberspace administration; then National Cyberspace Administration (within 1 hour) |
| All Network Operators |
Moderate or Common |
Timely |
Local provincial cyberspace administration or relevant industry regulator |
Reporting Channels: Incidents can be submitted via hotlines, online platforms, email, fax, or other authorized channels. The CAC oversees national reporting, while provincial CACs handle local cases. If criminal activity is suspected, incidents must also be reported to public security organs.
Why it matters: Speed and precision are central to China’s cyber governance model. Delayed or incomplete reporting can be interpreted as negligence, compounding both legal and reputational damage. Timely notification enables regulators to mobilize national and regional resources to contain systemic threats, while also signaling an organization’s reliability and transparency. Meeting these deadlines isn’t just about avoiding penalties; it’s a critical component of maintaining business continuity and preserving stakeholder confidence in high-stakes environments.
When submitting a cybersecurity incident report, CII operators must provide complete and accurate details to ensure regulators can respond effectively. Key elements include:
- Affected system or facility – clearly identify what was impacted.
- Incident specifics – time, location, type, severity, and overall impact.
- Response measures – what actions were taken, their effectiveness, and potential further consequences.
- Preliminary cause analysis includes attack paths, vulnerabilities, and suspected attackers.
- Follow-up measures and support requests – outline next steps and any assistance needed.
- On-site protection measures – actions taken to secure the location and prevent further damage.
If full information isn’t available at the time of the initial report, partial reports can be submitted, with supplementary details provided as investigations progress.
Why it matters: Comprehensive, structured reporting provides regulators with the intelligence needed to assess threats, coordinate cross-sector defense, and prevent contagion effects across the national network. For organizations, it demonstrates accountability and professionalism under regulatory pressure. Gaps or inaccuracies, by contrast, can erode credibility and prolong investigations. Treating incident reporting as an extension of risk management is not merely a compliance task, but it also positions an organization as a responsible and trusted operator within China’s cybersecurity ecosystem.
Emergency Response Procedures: From Detection to Resolution
Beyond prompt reporting, network operators must take immediate, structured action to contain incidents and minimize impact. Key steps include:
- Activate internal emergency response plans immediately upon discovering an incident.
- Isolate and contain affected systems to prevent escalation or wider disruption.
- Preserve digital evidence for forensic investigation and potential legal processes.
- Coordinate with regulatory bodies and law enforcement to ensure proper remediation and compliance.
- Submit a comprehensive incident handling report to the CAC within 30 days of resolution, detailing:
- Root cause analysis
- Response and remediation actions
- Accountability measures
- Lessons learned
Why it matters: Implementing a robust emergency response ensures that incidents are contained quickly, prevents regulatory penalties, and supports organizational resilience. Thorough documentation and coordination with authorities not only demonstrate compliance under the CAC framework but also strengthen trust with stakeholders and reduce long-term operational and reputational risk.
How Securiti Can Help
With Securiti’s solutions, organizations can streamline incident detection, response, and reporting, ensuring compliance with China’s rigorous rules. This not only reduces regulatory risk but also strengthens overall cybersecurity posture, protects critical infrastructure, and demonstrates a commitment to national security and public trust.
Securiti DataAI Command Center enables leaders to safeguard business continuity and ensure swift compliance in China’s evolving cyber landscape.
- Rapid Detection & Response – Instantly identify and act on critical incidents across hybrid systems.
- Automated Compliance – Meet CAC reporting mandates with built-in workflows and real-time dashboards.
- Risk Reduction at Scale – Minimize exposure and ensure consistent governance across all digital assets.
- Trust & Resilience – Demonstrate strong cybersecurity leadership to regulators, partners, and the public.
With Securiti, organizations can turn compliance challenges into opportunities to strengthen resilience and trust. Request a demo to learn more.
