Husain Parvez
Published on: September 19, 2025
Starting November 1, organizations operating networks in China will be required to report severe cybersecurity incidents within one hour, under new regulations issued by the Cyberspace Administration of China (CAC). The tightened rules form part of the National Cybersecurity Incident Reporting Management Measures and are aimed at accelerating national response times to digital threats.
The regulations apply to a wide range of “network operators,” which include any entity that builds, manages, or provides internet services in the country. For incidents deemed “particularly major,” such as those involving the leakage of over 100 million personal records or national security threats, the reporting window drops to just 30 minutes.
“If it is a major or particularly important network security incident, the protection department shall report to the national cyber information department and the public security department of the State Council as soon as possible after receiving the report, no later than half an hour,” according to the CAC.
To meet compliance, affected operators must provide a comprehensive incident report detailing the affected systems, attack timeline, causes, vulnerabilities, damages, and any ransom demands. Companies are also expected to assess the future risks and indicate what government assistance they may require. A final summary report is due within 30 days, outlining root causes and accountability.
“If the network operator reports late, omitted, falsely reported, or concealed network security incidents, causing major harmful consequences, the network operator and the relevant responsible persons shall be punished more severely according to law,” the CAC warned.
The measures come at a time when ransomware and data breaches are escalating globally. A Chinese Embassy spokesperson explained to TechRadar that “promptly reporting cybersecurity incidents to relevant departments after they occur facilitates timely handling of the incident and preventing the escalation of harm or negative social impact.”
Compared to the European Union’s 72-hour window under GDPR, China’s stopwatch-style enforcement will likely compel companies to invest in real-time monitoring systems and incident response teams capable of acting within minutes.
