Contents
Section 1 The purpose of these procedures is to standardize the administration of cybersecurity incident reporting, and mitigate the negative impacts caused by such incidents under the Cybersecurity Act, the Data Security Act, the Personal Data Protection Act and the Critical Information Infrastructure Protection Regulations.
Section 2 Network service providers that build, operate, or provide services through networks in China must report any cybersecurity incidents under these procedures.
Section 3 The national cyberspace agencies shall serve as the national coordinators for the administration of cybersecurity incident reports.
Provincial cyberspace agencies shall coordinate the administration of the cybersecurity incidents within their respective jurisdictions.
Section 4 A network service provider shall review any cybersecurity incident pursuant to the Cybersecurity Incident Classification Guidelines upon becoming aware of the incident, and report any major, critical or significantly critical incident pursuant to the following procedures:
Network service providers shall report to the cybersecurity agency and the law enforcement agency within an hour if critical information infrastructure systems are affected. The cybersecurity agency shall report any critical or significantly critical incidents to the national cybersecurity agency and the cabinet level law enforcement agency within half an hour.
Network service providers subordinate to central government agencies or affiliated institutions shall report incidents to their cyberspace affairs office within 2 hours. For a high or critical severity incident, cyberspace affairs agencies shall submit the report to the national cyberspace agency within an hour of receipt. The national cyberspace agency shall report to the appropriate agency.
Other network service providers shall report to the local provincial cyberspace agency within 4 hours. The provincial cyberspace agency shall report to the national cyberspace agency within an hour, and report to the appropriate local agencies.
If there is a lead regulatory agency for the industry, the report shall meet its requirements.
Providers must immediately report possible crimes to a law enforcement agency.
Section 5 A network service provider shall enter into contracts to require organizations or individuals who provide cybersecurity or system maintenance services for them to notify them of any cybersecurity incidents, and assist in completing the reports required under these procedures.
Section 6 Non-governmental organizations and individuals are encouraged to report any major cybersecurity incident.
Section 7 A cybersecurity incident report shall include:
(a) The name of the involved organization and basic information about the devices or systems involved;
(b) The time and place of the initial detection or occurrence, the nature of the incident, the impact, scale, actions taken and their effectiveness. For ransomware attacks, the ransom amount, payment methods, and the date of any requested payment shall also be included;
(c) Expected progression and potential additional harm;
(d) Preliminary analysis regarding the causes;
(e) Leads needed for further investigation, including but not limited to potential attackers, attack vectors and vulnerabilities exploited;
(f) Planned follow-up action and any request for assistance;
(g) Environmental protection at the incident site;
(h) Other information as required.
If the causes, impacts or expected progression cannot be reasonably assessed within the required time limit, the network service provider is permitted to first submit a report with information prescribed in § 7 (a)(b) and provide other information on a supplementary basis within 24 hours.
Significant new information or progress in the investigation phases shall be immediately reported.
Section 8 A comprehensive analysis regarding the identified causes, immediate remediation actions, actual harm, allocation of liability, corrective actions and learnings shall be reported via the same approved channel within 30 days after full resolution of the incident.
Section 9 The cyberspace agency shall establish 12387 hotline, websites, emails, and fax to receive cybersecurity incidents.
Section 10 A network service provider who does not comply with these procedures is subject to penalties by the cyberspace agencies as required in applicable Chinese law.
If significant harm is caused due to lateness, omissions, falsification or misleading statements in reports, the network service provider, as well as the responsible persons involved, shall be subjected to enhanced penalties.
If government agencies responsible for cybersecurity incidents reporting that fail to comply with these procedures, the agencies and responsible persons will be held accountable under applicable Chinese laws and the cybersecurity accountability system.
Any person whose conduct may constitute a crime shall be prosecuted to the full extent of law.
Section 11 A network service provider or an implicated responsible person that has taken appropriate actions to prevent, report, address the incident or mitigate its impact in compliance with these procedures, may be eligible for an exemption from or a reduction in any penalties imposed.
Section 12 A cybersecurity incident shall be defined as any event or occurrence resulting in harm to networks, information systems, or data maintained by network service providers, that has an adverse effect on the country, society, and economy. This definition includes, but is not limited to incidents resulting from human actions, cyberattacks, technical vulnerabilities in hardware or software components, and force majeure events.
A network service provider refers to the owner or manager of the network, and provider of network services under these procedures.
The Cybersecurity Incident Classification Guidelines is drafted based on the Information Security Technology: Cybersecurity Incident Classification Guidelines National Standards (GB/T 20986-2023), and provides classification criteria by listing examples.
Section 13 Cybersecurity incidents that involve national security secrets shall be reported as per the appropriate agency’s guidelines.
Section 14 These administrative procedures take effect on November 1, 2025.
******************
This article was translated to American English from the following government publication:
National Cybersecurity Incident Reporting Administrative Procedures, (网络安全事件报告管理办法), (Cyberspace Administration of China, Sept.11, 2025), (in Mandarin)