China Strengthens Cybersecurity Regulations
In a notable shift towards robust cybersecurity enforcement, China has introduced new regulations that will require network operators to report serious cybersecurity incidents within one hour. These regulations, announced by the Cyberspace Administration of China (CAC), are set to take effect on November 1, 2025. This move signifies a considerable acceleration in the country’s approach to safeguarding its critical digital infrastructure.
Rapid Incident Reporting Protocols
Under the new rules, network operators must immediately report any “particularly serious” cybersecurity incidents to the relevant authorities within an hour of detection. The authorities receiving these reports are then required to inform the National Cyberspace Administration and the State Council within 30 minutes. This streamlined communication aims to mitigate potential damages swiftly and effectively.
The new regulations categorize incidents into four levels of severity, with the classification of “particularly serious” representing the highest risk. This includes substantial cyberattacks or system failures impacting critical government portals, vital infrastructure, or major national news websites for more than 24 hours. In scenarios where entire systems are compromised, even a six-hour outage can qualify as particularly serious.
Additionally, incidents that significantly disrupt essential services to over half of a province’s population or affect more than 10 million individuals—including utilities, transportation, and healthcare—are also considered particularly serious. Furthermore, any incidents involving the theft or leakage of crucial data that poses a threat to national security fall into this category, according to reports from the South China Morning Post.
Large-scale data breaches, specifically those affecting the personal data of more than 100 million people or resulting in financial damages exceeding 100 million yuan (approximately $14 million), are similarly classified as critical under these new regulations.
Understanding Cyber Threat Severity Levels
The CAC’s updated guidelines also detail what constitutes a top-tier cyber threat. Large hacking attacks are classified as such if they lead to the display of illegal or harmful content on the homepage of a government or high-profile news website for over six hours or if the content is accessed over one million times or shared more than 100,000 times across social media.
Incidents that fall into the second tier of severity, labeled as “serious,” involve disruptions of municipal government portals or provincial news sites for over six hours or cause critical infrastructure outages that last more than three hours. Data breaches affecting the personal information of over 10 million individuals or those impacting a city’s population exceeding one million are also categorized in this tier.
Once a cybersecurity incident is resolved, network operators are obligated to submit a comprehensive incident report within 30 days. This report must cover the root cause of the incident, the response measures taken, an assessment of the impact, corrective actions, and lessons learned from the event.
These new regulations build upon China’s existing Cybersecurity Law, which was enacted in 2017, alongside earlier regulations focused on the protection of critical information infrastructure established in 2016 and 2021.
Proposed Legislative Amendments for Stricter Penalties
In line with these new regulatory frameworks, the Standing Committee of the National People’s Congress has initiated its first review of proposed amendments to the Cybersecurity Law. These proposed changes are aimed at enhancing penalties for violations, particularly those related to large-scale data breaches and failures in critical infrastructure.
If the amendments are approved, operators of critical infrastructure who do not adhere to cybersecurity obligations could face fines ranging from 500,000 to 10 million yuan. Individuals found directly responsible for such breaches may incur personal fines of up to 1 million yuan.
The proposed legislative changes also specifically target network operators who fail to prevent the spread of prohibited content. In cases where operators neglect to halt the transmission of harmful material, erase such content, maintain necessary logs, or properly report incidents, they could be subject to fines between 50,000 and 500,000 yuan.
