Reporting of cyber security incidents

China is regulating the reporting of cyber security incidents in a new law, which has been published as a draft. A key element is a reporting obligation for companies that set up or operate networks in China or provide services via networks. The draft defines separate reporting channels for central government bodies, operators of critical information infrastructure and other network and system operators. Reports must contain precise information on the time, location, nature and impact of the incident. For ransomware attacks, details such as the amount of ransom demanded must also be disclosed.

To ensure that operators meet their reporting obligations, a social supervision mechanism is to be introduced: organizations and individuals that provide services to operators will be required to report significant cyber security incidents themselves. In addition, a reporting reminder is to be introduced so that operators take their obligations seriously.

The draft sets clear criteria for classifying cyber security incidents and distinguishes between particularly serious, serious, significant and general incidents. This gives operators a defined structure for assessing an incident and determining the appropriate response, including the applicable reporting deadline and channel.

Operators that fail to report, or that report inaccurate information, will be penalized under the relevant laws and administrative regulations. The draft also emphasizes the importance of a thorough post-incident analysis and provides that an operator which complies with the reporting provisions may be exempted from liability or have its penalty mitigated. We recommend that companies operating in China review their cyber incident reporting processes as part of their IT compliance program and adapt them to these requirements.
