China Mandates 1-Hour Cybersecurity Incident Reporting Under New CAC Rules

China’s Cyberspace Administration (CAC) now requires serious cybersecurity incidents to be reported within one hour, starting November 1, 2025. The regulation introduces strict severity tiers, mandatory reporting templates, and penalties, aligning China’s cyber defenses with international best practices.

    In a bid to fortify national cybersecurity defenses, China’s Cyberspace Administration (CAC) has established a new regulatory regime that mandates companies to report major cybersecurity incidents within just one hour. Effective November 1, 2025, this regulation is part of a sweeping effort to tighten response mechanisms amid an escalating threat landscape.

    The regulation standardizes how cybersecurity incidents are reported, prioritizing rapid damage control and synchronized crisis management across private and public sectors. It aligns with similar global initiatives by jurisdictions such as the United States, the European Union, and India, signaling China’s commitment to proactive cyber governance.

    Cybersecurity Incidents Must Now be Reported Within One Hour

    The core mandate of the regulation demands immediate awareness and response from network operators facing cybersecurity threats. Companies must inform authorities within an hour when confronted with incidents classified as either “serious” or “particularly serious.”

    Definitions of Incident Severity are Clearly Stratified

    The CAC’s classification system designates four threat levels—“particularly major,” “major,” “significant,” and “general”—to determine reporting urgency and escalation paths. The top two tiers, rendered here as “serious” and “particularly serious,” trigger the one-hour reporting requirement:

    • Particularly Serious Incidents include:
        * Disruptions that affect over 50% of a province’s population.
        * Incidents that impair essential services for more than 10 million people.
        * Breaches against critical governmental or high-profile media infrastructure.

    • Serious Incidents cover:
        * Data breaches affecting more than 10 million records.
        * Long-term outages of core business portals.
        * Attacks that paralyze critical information infrastructure.

    This classification aligns incident response priorities with national security concerns and operational criticality.

    Types of Events Considered Cybersecurity Incidents

    The regulation encompasses a broad array of threats—human errors, software/hardware flaws, system failures, cyberattacks, and force majeure. If the precise cause or damage level is initially unclear, preliminary data must still be submitted within the hour, with a full incident report required within 24 hours. A comprehensive analysis must follow within five working days, enabling authorities to investigate root causes and systemic vulnerabilities.

    Reporting Requirements Vary Based on Organizational Category

    The regulation distinguishes reporting routes and timelines based on organizational ownership and infrastructure criticality. Key mandates include:

    1. Critical Information Infrastructure Operators (CIIOs) must notify protection departments and public security authorities immediately, and no later than one hour after the incident occurs.
    2. Operators under central or state agencies must report internally within two hours. If the incident is serious or particularly serious, these internal reports must escalate to the CAC within one hour.
    3. All other network operators must report to provincial cyberspace administrations within four hours. If the event is deemed critical, provincial agencies must escalate to higher-level cyberspace authorities immediately.

    In any context where criminal activity is suspected—whether through extortion, unauthorized access, or data theft—organizations must simultaneously notify public security organs.

    Detailed Reporting Templates and Channels are Mandated

    To institutionalize consistency, reports must follow a standardized template. The “Cyber Security Incident Information Reporting Form” includes:

    • The name of the unit and basic system identifiers
    • Incident time, date, and geographic location
    • Type and scale of the event
    • System damage and operational disruptions
    • Measures taken and results
    • Type of attack—such as ransomware—and any ransom demands
    • Threat vector analysis and potential for escalation

    To assist compliance, the CAC has opened six official reporting channels: a national hotline (12387), WeChat, fax, email, CAC’s website, and other digital platforms. These include provisions for organizations, operators, and individuals to submit incident notifications swiftly and securely.

    Failing to report on time, concealing information, or submitting false reports can trigger legal penalties for both organizations and responsible individuals. Penalties become more severe if delays lead to escalated damages or secondary effects. However, the regulation also affords some leniency: operators who report promptly and implement effective risk mitigation strategies may receive reduced penalties or even exemptions.

    Reinforcing Sector-Specific Responsibilities

    The reporting scheme includes provisions for compliance with industry-specific cybersecurity regulations. Operators working under industry regulatory authorities—such as financial services or energy—must align with both the CAC’s framework and their sectoral reporting standards. This dual compliance lens underscores the integrated approach to national cyber defense.

    Aligning China’s Cybersecurity Practices With Global Norms

    The one-hour reporting regulation reflects China’s ambition to align internally fragmented processes with international cybersecurity governance trends. Countries such as the United States, United Kingdom, Australia, and those in the European Union have already implemented fast-track reporting obligations, particularly for critical infrastructure sectors.

    By codifying rapid incident reporting timelines and severity-based escalation pathways, China aims to strengthen incident lifecycle management—from detection and notification through to remediation and policy learning.

    Key Takeaways for Cybersecurity Professionals in China

    • All network operators in China must prepare to comply with the new reporting timelines before November 1, 2025.
    • Organizations should establish automated alerting systems and predefined protocols to ensure one-hour compliance under crisis conditions.
    • Cybersecurity units must familiarize themselves with the four-tier incident severity structure and matching reporting obligations.
    • Organizational reporting chains—particularly for central or critical entities—must be streamlined to handle both internal and external notification simultaneously.
    • Legal compliance requires strict adherence to detailed reporting templates and official submission channels.
    • Sector-specific overlaps must be mapped and formalized in internal response plans.

    As the regulatory landscape evolves, establishing robust, timely, and transparent incident response workflows will be critical—not just for legal compliance, but for protecting both organizational resilience and national cybersecurity.
