China’s Cyberspace Administration has issued new regulations that require network operators building, operating, or providing services in China and its territories to report major cybersecurity incidents within an hour when key infrastructure is affected. For incidents considered particularly serious, operators must file reports within 30 minutes.
The rules mandate that operators classify the severity of an incident and submit information to designated ministries or regulators immediately after detection. Particularly serious incidents include those causing large-scale system paralysis, loss of business processing capability, tampering or theft of core data, or exposure of massive volumes of personal information that could threaten national security or social stability.
“Network operators that build, operate, or provide services in China and its territories must report security incidents affecting key infrastructure within 60 minutes and particularly serious incidents within 30 minutes,” the notice states.
The regulations also apply to information-related events. Attacks on online news or content platforms that display non-state-approved information for more than six hours, accumulate more than one million views, or are forwarded more than 100,000 times on social media are categorized as widespread attacks. Such incidents must also be escalated immediately.
Operators are required to include details about the type of incident, affected systems, timeline, scale of losses, and whether extortion or ransom demands were involved. Social organizations and individuals are also encouraged to report significant cybersecurity incidents they encounter. Entities that fail to report within the mandated windows will face penalties, and those found concealing incidents or falsifying information will be punished more severely under Chinese law.
The new one-hour standard is far stricter than existing frameworks in Western jurisdictions. In the United States, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires covered entities to notify the Cybersecurity and Infrastructure Security Agency within 72 hours of establishing a reasonable belief that a substantial incident has occurred, and ransomware payments must be reported within 24 hours. In the European Union, the NIS2 Directive requires early warnings within 24 hours, incident notifications within 72 hours, and a final report within one month.
China’s approach prioritizes near-immediate notification and centralized state oversight, while U.S. and EU regimes use phased reporting structures. Compliance will force network operators to adopt faster incident detection and notification workflows, with heavy reliance on automation, predefined response playbooks, and direct communication channels with government authorities.
The strict timelines present challenges for organizations, especially multinational firms operating in China that are also subject to different reporting requirements abroad. Reconciling obligations across multiple regulatory regimes could complicate compliance. Companies may need to strengthen monitoring systems, accelerate triage processes, and ensure 24/7 readiness to meet the one-hour or 30-minute deadlines.
The regulations arrive against the backdrop of increased global concern over state-linked cyber activity. Industry threat intelligence reports have noted a sharp rise in China-nexus cyber operations across critical infrastructure and government networks worldwide. Regulators argue that accelerated reporting will enable faster centralization of intelligence and mitigation measures, but security practitioners warn that extremely short deadlines may lead to rushed or incomplete reports if organizations lack mature monitoring systems.
Unusually, the notice also ties cybersecurity to information control, with thresholds for online content reach and visibility determining whether an incident is classified as widespread. By defining criteria such as views and forwards, the rules reflect China’s integration of cybersecurity governance with social stability and content regulation.
While the notice sets the overall framework, detailed implementing guidance is still expected. Questions remain about reporting formats, sector-specific channels, and the range of administrative or criminal penalties for violations. Legal and compliance teams anticipate follow-on measures to clarify enforcement mechanisms and establish concrete fines or sanctions.
For now, the Cyberspace Administration has made clear that failure to comply will not be tolerated. Organizations operating in China will need to overhaul their detection and reporting procedures to avoid legal repercussions. The move underscores Beijing’s drive to harden its domestic networks while exerting closer state control over cyber incident intelligence.
