The measures, which take effect on November 1, 2025, position China with one of the more rigorous cybersecurity incident notification regimes in Asia.
By Hui Xu, Rhys McWhirter, and Bianca H. Lee
The Cyberspace Administration of China (CAC) issued the Measures on National Cybersecurity Incident Reporting (the Measures) on September 11, 2025. The Measures will take effect on November 1, 2025, establishing a comprehensive framework for the classification, reporting, and management of cybersecurity incidents within the People’s Republic of China (PRC).
Who is covered: All network operators (including critical information infrastructure operators (CIIOs) and state organs) that build, operate, or provide services through networks within the PRC.
Cybersecurity incidents covered: The proposed cybersecurity incident notification regime extends to incidents that “cause harm to the network, information system or the data and business applications…and have a negative impact on the country, society, and economy.” Accordingly, the Measures appear more limited in their application, particularly in comparison to recent regulatory updates (see the reporting requirements recently introduced under the Network Data Security Management Regulations), as they are confined to those incidents that negatively impact the PRC’s public interest, as opposed to just any security incident that a network operator or CIIO may suffer.
Reporting Obligations: The in-scope cybersecurity incidents must be reported to the relevant PRC authorities within four hours1 (in the case of network operators) or within one hour (in the case of CIIOs), respectively.
For an in-depth analysis of the Measures, see our Client Alert.
- While the Measures and Guidelines remain silent on this point, the reporting timeline is likely calculated from when the relevant network operator becomes aware of the cybersecurity incident, consistent with previous guidance issued by the CAC. ↩︎