China Issues New Rules for Cybersecurity Incident Reporting

On September 11, 2025, the Cyberspace Administration of China (“CAC”) issued the Administrative Measures for Reporting National Cybersecurity Incidents (“AMRNCI”). The AMRNCI provide guidance on how to report cybersecurity incidents, including the relevant governmental authorities to notify, the timing and contents of such notifications, the channel to submit such notifications, and how to assess the “grade” of an incident. An unofficial translation of the AMRNCI may be found here.

Definition of a “Cybersecurity Incident”

A “cybersecurity incident” is defined as an event that causes harm to networks and information systems, or to the data and business applications within such networks and systems, that has negative impacts on the Chinese State, society or economy. Such incidents may result from human behavior, network attacks, network vulnerabilities, software and hardware defects and malfunctions, force majeure or other factors.

Jurisdiction and Reporting Obligations

In the event of a cybersecurity incident, a network operator providing services in China must report the incident to the relevant competent authority.

If a cybersecurity incident occurs outside of China and the affected data is transferred from China, the Chinese entity that transferred the affected data must report such incident to the relevant competent authority.

Cybersecurity Incident Notification Procedures and Timing Requirements

The appropriate incident reporting procedures and timing requirements depend on the type of network operator and level of incident. For a description of the different incident levels, please see the “Annex” to the unofficial translation of the AMRNCI, available here. The table below sets forth the relevant incident reporting procedures and timing requirements based on the type of network operator and incident level:

| Type of network operator | Significant or general level incident | Particularly major or major level incident |
| --- | --- | --- |
| Critical information infrastructure (“CII”) operators | Report to the competent data protection authority (DPA) and the competent public security organ(s) promptly and within one hour of becoming aware of or discovering the incident. | The competent DPA shall report to the CAC and the public security organ of the State Council immediately and no later than 30 minutes after receiving the report. |
| Network operators affiliated with central and state organs (and their directly subordinate units) (e.g. State-owned entities) | Report to the cyberspace administration of their respective organs promptly and no later than two hours after becoming aware of or discovering the incident. | The relevant cyberspace administration department shall report to the CAC immediately and no later than one hour after receiving the report. |
| Other network operators | Report to the local cyberspace administration authority at the provincial level promptly and no later than four hours after becoming aware of or discovering the incident. | The local cyberspace administration authority at the provincial level shall report to the CAC immediately and no later than one hour after receiving the report, and shall simultaneously notify relevant departments at the same level. |

Where a network operator is part of an industry that is subject to specific reporting regulations, such network operator also must report the incident to the competent industrial regulatory authorities.

Where the cybersecurity incident involves criminal or illegal activities, the network operator must also promptly report the incident to the public security authorities.

Contents of Notification

The regulator notification must include the following:

  • name of the affected entity and basic information about the affected system or facility;
  • time, location, type and severity level of the cybersecurity incident, along with its impact and harm, and remedial measures taken and their effectiveness (for ransomware attacks, reporting should also include the ransom amount demanded, payment method and date of payment);
  • development of the situation and further potential impacts and harms;
  • preliminary analysis of the cause of the cybersecurity incident;
  • initial investigation results, including but not limited to potential attacker information, attack paths, and existing vulnerabilities;
  • proposed further remedial measures and whether the entity coordinated with governmental authorities;
  • status of on-site preservation of evidence related to the cybersecurity incident; and
  • other relevant details about the incident.

If a network operator cannot provide all of the above-listed details within the required timeline, the first two items may be provided first, with supplementary details promptly provided as the information becomes available.

If new significant developments arise with respect to the incident or related investigation, the network operator must promptly supplement its notification.

Summary Reporting

Within 30 days after the conclusion of a cybersecurity incident, a network operator must conduct a comprehensive analysis and create a summary that includes the cause of the incident, remedial measures implemented, harms caused by the incident, identity of the threat actor, corrective actions taken and lessons learned. The summary report must be submitted through the original reporting channel.

Reporting Channel

The CAC provides 6 channels for reporting cybersecurity incidents:

  • the cybersecurity incident reporting hotline, “12387”;
  • the official cybersecurity incident reporting website, at cert.org.cn;
  • the “12387” mini-program on WeChat;
  • the “National Internet Emergency Center CNCERT” WeChat official account (click “Report Incident”);
  • email 12387@cert.org.cn; and
  • fax to 010-82992387.

Penalties for Failure

The relevant authorities may impose penalties on a network operator that fails to report an incident in accordance with the AMRNCI’s requirements. Furthermore, if any delayed, omitted, false, or concealed reporting of a cybersecurity incident results in significant harm, the network operator and relevant responsible personnel may be subject to heavier penalties.

Minimizing or Waiving Liability

If a network operator can demonstrate it implemented reasonable and necessary information security safeguards, followed its incident response plan, reduced the impact and harm caused by an incident, and notified the relevant authorities in accordance with the AMRNCI, the network operator and responsible personnel may be exempted from penalties or subject to lighter penalties.
