China is once again tightening regulatory requirements for companies operating in the digital space. The National Measures for the Management of Cybersecurity Incident Reporting took effect on November 1, 2025, and give concrete form to the reporting obligations set forth in the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). The result is a further tightening of the compliance regime for companies doing business in China.
At the heart of the new measures is the mandatory and strictly time-bound reporting of cybersecurity incidents by all network operators. The term "cybersecurity incident" is broadly defined and covers not only conventional cyberattacks but also system faults, misconfigurations, human error, and external events, provided they result in disruption to networks, data, or business processes.
Reporting deadlines have been shortened considerably: the most serious incidents must be reported within one hour of discovery, with the exact deadline depending on the incident's severity and on whether critical information infrastructure is affected. Operators of critical information infrastructure face the strictest requirements, while other companies have only a few hours. In parallel, a multi-tiered reporting system is being established in which local, provincial, and national authorities are closely linked, creating in effect a government information chain that operates in near real time.
The content requirements for a report are extensive. Companies must provide not only basic information about the incident but also an initial root cause analysis, details of the attack vectors, the suspected perpetrators, the vulnerabilities involved, and concrete proposals for countermeasures. In the case of ransomware attacks, detailed information on the ransom demand is required. There is also a continuing reporting obligation: new findings or developments must be reported immediately.
The involvement of service providers is a key element. Companies are required to pass the corresponding reporting obligations on to external IT service providers, operators, and security providers by contract, which extends responsibility across the entire IT value chain. The measures also call on other societal actors to report serious incidents, which further broadens awareness and oversight.
The regulatory obligation does not end once an incident has been resolved. A comprehensive final report must be prepared within 30 days, detailing the causes, the damage, the responsibilities, and the corrective measures taken. This report serves not only internal analysis but also regulatory assessment and, potentially, the imposition of sanctions.
Cybersecurity incidents are classified against clearly defined thresholds that quantify their scope. An incident is considered particularly serious if, for example, critical infrastructure is down for hours, more than ten million people are affected, or a data breach involves more than 100 million records. Economic losses in the hundreds of millions and the widespread dissemination of disinformation are also taken into account. While this quantitative framework provides clarity, it also increases the pressure on companies to classify incidents accurately and promptly.
Delayed, omitted, or incorrect reports can lead to severe sanctions against both the company and the individuals responsible. At the same time, the measures provide incentives for compliant behavior: companies that implement appropriate protective measures, contain incidents effectively, and report them in a timely manner may, under certain circumstances, expect reduced liability or even exemption from it.
For companies operating internationally, the operational implications are clear. Incident response processes must be aligned with the Chinese requirements not only technically but also organizationally and legally: decision-making paths must be shortened, reporting procedures standardized, and responsibilities clearly assigned. The ability to classify an incident quickly also becomes far more important, because the regulatory obligations follow directly from that classification.
Our webinar on May 21, 2026, at 10:00 a.m. (held in German) will explain the components of such a management system and how to set one up. Registration link: https://register.gotowebinar.com/register/841334655020093533
