China is ramping up its cybersecurity enforcement with new regulations requiring network operators to report severe cybersecurity incidents within one hour. The rules, announced by the Cyberspace Administration of China (CAC), will come into effect on November 1, 2025, and mark a significant escalation in how the country manages threats to its critical digital infrastructure.
These latest measures follow a cybersecurity incident involving luxury fashion brand Dior, whose Shanghai branch was recently fined for unlawfully transferring customer data overseas. The incident appears to have accelerated regulatory action.
Immediate Reporting for Cybersecurity Incidents
Under the new rules issued by the Cyberspace Administration of China, any “particularly serious” cybersecurity incident must be reported to relevant authorities within one hour. Authorities receiving the report must, in turn, notify the National Cyberspace Administration and the State Council within 30 minutes.
The regulation classifies incidents into four levels of severity, with “particularly serious” being the most critical. These include cyberattacks or system failures affecting government portals, critical infrastructure, or key national news websites for more than 24 hours. In cases where the entire infrastructure is affected, even a six-hour outage falls under the top tier.
Additionally, incidents that disrupt essential services for over 50% of a province’s population or affect the daily lives of more than 10 million people, including utilities, transportation, and healthcare, are also categorized as particularly serious. The leakage or theft of core or important data that threatens national security is likewise covered, as reported by the South China Morning Post.
Large-scale data breaches are included in this highest category as well, specifically those involving the personal information of more than 100 million citizens or causing financial damages exceeding 100 million yuan (approximately USD 14 million).
Specific Criteria for Cyber Threats
The CAC’s new rules also define large-scale hacking attacks as a top-tier threat if they result in the display of illegal or harmful content on the homepage of a government or major news website for over six hours, or if such content is viewed over one million times or shared more than 100,000 times on social media platforms.
The second tier of severity, labeled as “serious,” includes incidents affecting municipal government portals or provincial news sites for over six hours, or causing disruptions of more than three hours to key infrastructure systems.
Data leaks involving the personal information of over 10 million citizens, or those impacting more than 1 million people in a city, are also placed in this category.
Once a cybersecurity incident is resolved, network operators are required to submit a detailed incident report within 30 days. This report must analyze the root cause, response measures, impact assessment, corrective actions, and lessons learned.
These new rules are an extension of China’s Cybersecurity Law, first enacted in 2017, and its supporting regulations on the protection of critical information infrastructure, introduced in 2016 and 2021 respectively.
Lawmakers Propose Stricter Penalties
Coinciding with these regulatory changes, the Standing Committee of the National People’s Congress has begun its first review of proposed amendments to the Cybersecurity Law. These amendments are aimed at strengthening penalties for violations, particularly those involving large-scale data breaches and critical infrastructure failures.
If passed, the updated law would impose fines ranging from 500,000 to 10 million yuan on operators of critical infrastructure who fail to meet cybersecurity obligations. Individuals directly responsible for such failures could face personal fines of up to 1 million yuan.
Moreover, the proposed amendments target network operators who neglect to prevent the spread of prohibited content. Failure to halt transmission, erase the content, retain relevant logs, or report incidents could result in fines ranging from 50,000 to 500,000 yuan.
