The Cyberspace Administration of China (CAC) has released a new regulation on managing and reporting cybersecurity incidents. The rules, which will come into effect on November 1, 2025, aim to strengthen China’s defenses against the growing threat of cyberattacks.
What the Regulation Covers
The new rules define the scope of incidents that must be reported, who is responsible for reporting, and the procedures and timelines. Incidents include data leaks, cyberattacks, system vulnerabilities, hardware/software failures, and any event that threatens national, social, or economic security.
Operators must report incidents within strict timeframes. For critical cases, reports should be submitted to the CAC within one hour. Provincial cyberspace authorities will oversee local cases, while the CAC will coordinate nationwide.
Why It Matters
The move comes in response to the increasing frequency and severity of cyber threats in recent years. Experts highlight that standardized reporting ensures faster emergency response, minimizes risks, and prevents widespread damage. It also brings China’s practices closer to international standards, similar to laws already in place in the US, EU, Australia, and India.
Penalties and Incentives
Companies that fail to report, conceal incidents, or provide false information may face strict penalties. On the other hand, organizations that adopt strong preventive measures and report quickly may benefit from lighter penalties or exemptions.
Global and Domestic Impact
Analysts see this regulation as part of China’s broader effort to refine cybersecurity governance, strengthen institutional responsibility, and protect critical infrastructure. The regulation is also expected to improve coordination between government agencies and private-sector operators, ensuring a faster, more unified defense against cyber risks.
Source: Xinhua News Agency, GuideinChnExpat