China’s Cyberspace Administration (CAC) is rolling out new mandatory rules, effective November 1, 2025, that require network operators to report “particularly serious” or “serious” cybersecurity incidents within one hour of detecting them. Incidents that qualify under these classifications include disruptions affecting over 50% of a province’s population, leaks of more than 10 million citizens’ personal data, major service outages, attacks on government portals, or anything that threatens national security or social stability. Reports must include system details, attack type, timelines, damage assessments, ransom demands if any, preliminary causes, and requests for government support. Firms that don’t comply risk fines or other penalties.
Sources: WebPro News, TechRadar
Key Takeaways
– Tightening compliance window: The one-hour report requirement marks a sharp acceleration in liability for companies in China, especially for high-severity cyber incidents.
– Clear definitions and thresholds: Only incidents meeting certain seriousness criteria—e.g., massive data leaks, critical infrastructure failures, or government site outages—trigger the one-hour deadline. Less severe incidents permit longer reporting timelines.
– Significant penalties and oversight: Non-compliance carries financial consequences. Authorities are also expecting detailed reports from firms, including preliminary assessments and damage estimates, elevating requirements for preparedness and internal cybersecurity governance.
In-Depth
Starting November 1, 2025, China will dramatically tighten cybersecurity incident reporting requirements under a newly formalized regulation by the Cyberspace Administration of China (CAC). Under the “National Cybersecurity Incident Reporting Management” rules, network operators must report any “particularly serious” or “serious” cybersecurity incidents to the relevant authorities within one hour of discovering them. This adjustment represents a significant escalation in regulatory expectations and reflects concerns over the growing scale and impact of cyber incidents both domestically and globally.
The rule distinguishes between several levels of incident severity. For example, “particularly serious” incidents include those that severely disrupt critical infrastructure such as utilities, transportation, or healthcare; failures of or attacks on government portals or national news sites; or breaches affecting tens of millions of people. If an incident is merely “serious” rather than “particularly serious,” companies may have slightly more leeway, though the expectations are still much tighter than prior regulations.
In addition to reporting time frames, the new regulation spells out what the reports must contain: which systems were attacked, the timeline of discovery, preliminary causes, damage estimates, whether ransom was demanded, assessments of potential danger, and whether government intervention or support will be needed. These stipulations mean that companies must have well-prepared incident response plans, with internal detection, analysis, and reporting processes already in place.
The penalties for non-compliance are not an empty threat: they are expected for late or incomplete reporting. Given the broad scope—affecting everything from utilities to news outlets to municipal systems—this rule will require significant adjustments by many companies. Foreign firms operating in China, and Chinese firms with international operations, will find increased risk if their internal processes or corporate cultures are not already aligned for rapid response.
In sum, China is pushing for a more disciplined, faster, and more transparent response regime for cyber incidents. It’s part of a broader global trend toward shorter breach-reporting windows, but this one-hour requirement places China among the strictest. Companies in China, especially those managing critical infrastructure or large volumes of data, will need to up their cybersecurity governance, incident detection, and reporting readiness to avoid fines and ensure compliance.

