China introduces new rules on cybersecurity incident reporting, effective November 1

Cyber security Photo: IC


The Cyberspace Administration of China (CAC) on Monday released the regulation on the management of the reporting of cybersecurity incidents, which will take effect on November 1, 2025. The regulation, consisting of 14 articles, sets requirements on the scope of applicable incidents, supervisory responsibilities, reporting entities, procedures, timelines, and content, according to a release on the CAC's official website.

A CAC official pointed out that the new rules were formulated to standardize cybersecurity incident reporting, control damage caused by such incidents, and implement the Cybersecurity Law and the regulation for safe protection of critical information infrastructure. The regulation aims to further clarify reporting procedures and responsibilities.

The introduction of the regulation responds to the growing frequency and severity of cybersecurity incidents in recent years, the official said in response to media queries. Experience from emergency response work shows that timely reporting to relevant authorities helps ensure effective handling, prevents escalation, and avoids negative social impact, the official noted.

The official added that incident reporting is an established international practice. In recent years, the US, the EU, Australia and India have all enacted legislation or issued directives imposing mandatory reporting obligations on network operators, including specified reporting deadlines.

The regulation applies to network operators engaged in building, operating, or providing services within China. A "cybersecurity incident" refers to events caused by human factors, cyberattacks, vulnerabilities, software or hardware defects, malfunctions, or force majeure that damage networks or information systems and negatively affect national, social, or economic security.

It also clarifies operators' reporting obligations and defines the supervisory duties of the CAC. The national cyberspace authority will oversee coordination nationwide, while provincial cyberspace authorities will manage reporting within their jurisdictions.

The regulation also clearly defines reporting procedures and deadlines. The CAC has set up a unified system to receive reports via the 12387 hotline, website, email, fax and other channels, the official said.

Operators will face severe penalties in accordance with the law for late, false, or concealed reporting if such conduct leads to serious consequences. Those that take effective preventive measures to mitigate risks and report in a timely manner can receive lighter penalties or be exempted from liability depending on the circumstances, according to the regulation.

For critical information infrastructure, network operators must report incidents to the relevant protection department and public security authorities immediately, and within one hour at the latest. In cases of major or particularly serious incidents, protection departments must notify the CAC and the public security department immediately, and within half an hour at the latest.

Operators under central and state organs must report to their internal cybersecurity offices within two hours, and major incidents must be reported to the CAC within one hour. Other network operators are required to report to provincial cyberspace authorities within four hours, and major incidents must be escalated to the CAC within one hour, with simultaneous notification to relevant local authorities, the official said.

The regulation also stipulates that where sectoral regulations exist, operators must report according to industry-specific requirements. If the incident involves suspected crimes, operators must promptly report to public security organs.

According to the CAC, the regulation introduces a graded system for incidents, categorizing them into four levels — particularly major, major, significant, and general — based on quantifiable indicators.

According to the CAC, six channels for reporting such incidents have already been established, including the 12387 hotline, the CAC website, its WeChat official account and mini-program, email, and fax, enabling operators, organizations and individuals to report cybersecurity incidents.

Production credits: This publication is produced by Global Times.

Disclaimer: At the Ghana Centre for China Studies, we eschew specific policy positions. All positions and opinions expressed in this publication are solely those of the author(s).

