China released the Administrative Measures on the Reporting of Cybersecurity Incidents
The Cyberspace Administration of China (CAC) released the Administrative Measures on the Reporting of Cybersecurity Incidents (CI Reporting Measures) on 15 September 2025. As an implementing regulation, the CI Reporting Measures provide further details on the reporting requirements that apply upon the occurrence of a cybersecurity incident, which depend on the severity of the incident.
Among others, the following key aspects of the CI Reporting Measures are worth noting:
Application scope
The CI Reporting Measures apply to all network operators (Network Operators) that construct or operate networks, or provide services through networks, within China. Upon the occurrence of any incident (a Cybersecurity Incident) that causes harm to the networks and information systems (or the data stored or the business applications hosted through such networks and information systems) due to human causes, cyberattacks, network vulnerabilities, software and hardware defects or failures, force majeure, etc., and has an adverse impact on the nation, society or economy, the relevant Network Operator is required to report such Cybersecurity Incident in accordance with the CI Reporting Measures.
Graded supervision
The CI Reporting Measures classify Cybersecurity Incidents into four levels:
- extremely significant cybersecurity incidents
- significant cybersecurity incidents
- material cybersecurity incidents
- ordinary cybersecurity incidents
The classification is based on two factors, being the level of potential adverse impact on: national security, social order, economic interests, and public interests; and the business operation of the affected Network Operator.
Reporting requirement
The CI Reporting Measures require the relevant Network Operator to report to CAC's provincial office extremely significant cybersecurity incidents, significant cybersecurity incidents and material cybersecurity incidents within four hours of their occurrence. Where critical information infrastructures or governmental entities are involved, more compressed timelines will apply.
The content of reporting
When reporting a Cybersecurity Incident, the Network Operator should report the following content, among others:
- basic information of the Network Operator and networks and information systems
- description of the Cybersecurity Incident, including the impact of the incident and the risk mitigation measures already taken and their effects
- the anticipated development and further impact of the Cybersecurity Incident
- preliminary findings on causes of the Cybersecurity Incident
- clues for source-tracing, e.g., possible attackers, attack paths, and existing vulnerabilities
- next steps and any requests for assistance
- status of on-site preservation in respect of the Cybersecurity Incident
After completing the initial reporting, the relevant Network Operator is also required to promptly report any important updates, and to generate and submit a comprehensive analysis report of the Cybersecurity Incident after solving such incident.
The CI Reporting Measures will take effect on 1 November 2025.
Market players are advised to revisit their relevant internal policies and upgrade governance structures as soon as possible to ensure their compliance with the CI Reporting Measures in case any Cybersecurity Incident occurs in the future.