By a Cybersecurity Compliance Consultant specializing in international data protection laws.

As of 12:01 AM Beijing time on November 1, 2025, a new era of cybersecurity compliance in China has begun. The “National Cybersecurity Incident Reporting Management Measures,” issued by the Cyberspace Administration of China (CAC), are now in full effect. For any foreign company operating digital services or selling products online in China, this is not a minor update—it is a fundamental shift in your legal obligations. Failure to comply with these strict new rules can result in massive fines, operational shutdowns, and even criminal liability for executives. [china-briefing, +3]
In my 10 years of advising Fortune 500 companies on navigating China’s evolving cyber regulations, I have never seen a more aggressive timeline imposed on businesses. The core message from Beijing is clear: if you experience a significant cybersecurity incident, you must report it, and you must do it fast. The days of managing a data breach quietly behind closed doors are over.
Who Must Comply with These New Rules?
The regulations apply to all “network operators” in China. This is a broad definition that encompasses virtually any foreign business with a digital presence in the country. If your company falls into any of these categories, these rules apply to you [twobirds]:
- E-commerce Platforms: Any company selling goods directly to Chinese consumers online.
- SaaS Providers: Businesses offering software-as-a-service products to customers in China.
- Cloud Infrastructure Companies: Providers of cloud hosting, storage, or computing services.
- App Developers: Any company with a mobile app available in Chinese app stores.
- Automotive Companies: Modern vehicles are complex networks on wheels, collecting vast amounts of data.
- Any Foreign Business with a Digital Presence: This includes corporate websites, marketing platforms, and any service that collects or processes data from users in China.
What Counts as a Reportable Cybersecurity Incident?
The new measures establish four tiers of incidents: general, relatively large, major, and particularly major. While all incidents require internal management, reporting obligations are triggered for “relatively large” incidents and above. The criteria are based on the impact of the event. [digitalpolicyalert, +1]
Here is a simplified breakdown of what must be reported:
| Incident Type | Description & Thresholds |
|---|---|
| Data Breach | Unauthorized access or leakage of personal information affecting more than 1 million users [morganlewis]. |
| Service Disruption | A cyberattack (like a DDoS attack) causing a core business service to be unavailable for more than 1 hour. |
| System Compromise | Unauthorized access to critical information systems or the planting of malicious backdoors. |
| Ransomware Attack | Any ransomware attack that encrypts systems or exfiltrates data, especially if a ransom demand is made [digitalpolicyalert]. |
| Reputational Damage | Incidents that generate significant negative public attention or could impact social stability. |
For a comprehensive review of your own systems, refer to our Cloud Security Misconfiguration Guide to identify potential weak points.
The Reporting Timeline: The Clock Starts Ticking Immediately
This is the most challenging aspect of the new rules. The timelines are extremely tight and require a highly efficient incident response process.
- Within 1 Hour: An initial notification must be made to the relevant authorities. This is not a full report but a “heads-up” that a major incident has occurred. For Critical Information Infrastructure (CII) operators, this one-hour deadline is non-negotiable. [scmp, +1]
- Within 3 Days: A detailed incident report is due. This report must include forensic evidence, an analysis of the attack vector, the scope of the damage, and the remedial measures being taken.
- Within 30 Days: A final, comprehensive summary report must be submitted after the incident has been fully handled and resolved. [digitalpolicyalert]
This rapid timeline means that your Incident Response Framework must be optimized for speed and clarity.
The Chain of Command: Who Do You Report To?
The reporting structure is tiered, depending on the type of operator and the severity of the incident.
- Critical Information Infrastructure (CII) Operators:
  - Report to: Their industry protection department and the local Public Security Bureau.
  - Deadline: Within 1 hour.
  - The protection department then has 30 minutes to escalate “particularly major” incidents to the national CAC and State Council. [digitalpolicyalert]
- Central and State-Owned Enterprises:
  - Report to: Their own internal cybersecurity departments.
  - Deadline: Within 2 hours.
  - The internal department then has 1 hour to escalate “major” incidents to the national CAC.
- All Other Network Operators (most foreign companies):
  - Report to: The local provincial-level CAC office.
  - Deadline: Within 4 hours. [dimsumdaily, +1]
  - The provincial office will then escalate to the national CAC as needed.
Navigating this complex web of authorities requires a clear internal flowchart and a designated team member who understands the protocol.
Penalties for Non-Compliance: The Stakes Are Higher Than Ever
The Chinese government has significantly increased penalties for cybersecurity law violations in 2025. Non-compliance is not an option. [mmlcgroup, +2]
- Massive Fines: Fines can range from RMB 50,000 up to RMB 10 million (approx. US$1.4 million). In some interpretations, fines could be linked to a percentage of annual revenue, similar to GDPR.
- Suspension of Business: Authorities can order a temporary or permanent shutdown of your business operations in China.
- Revocation of Licenses: Your operating permits and business licenses can be revoked.
- Criminal Liability: For “particularly severe” incidents or cases of deliberate concealment, the directly responsible executives and personnel can face personal fines up to RMB 1 million and potential criminal charges.
Action Steps for Compliance Officers: What to Do Today
As of November 1, 2025, your company is subject to these rules. If you have not already prepared, you are behind. Here are four steps to take immediately:
- Audit Your Incident Response Plan TODAY: Review your existing IR plan against the new reporting timelines. Can your team detect, verify, and report a major incident within one hour? If not, the plan needs an urgent overhaul.
- Designate a China-Based Compliance Liaison: You need a designated person or team on the ground in China who is responsible for communicating with the CAC. This person must be fluent in Mandarin and understand the local regulatory environment.
- Implement Real-Time Monitoring for Reportable Incidents: You cannot report what you cannot see. Ensure your security monitoring tools (SIEM, EDR, etc.) are configured with alerts that map directly to the CAC’s incident classification criteria. Your security team must be able to instantly identify a “reportable event.”
- Train Your China Team: Your local employees are your first line of defense. They must be trained to recognize and immediately escalate potential cybersecurity incidents to the designated compliance liaison.
Managing these new requirements also involves a thorough review of your supply chain, as you are responsible for incidents caused by your vendors. Our Third-Party Cyber Risk Management Guide can provide a useful framework for this process.
Ultimately, these new rules are another step in China’s long-term goal of building a robust and tightly controlled cyberspace. For foreign companies, the cost of doing business in China now includes the price of radical transparency. Prepare accordingly.
SOURCES
- https://www.china-briefing.com/news/china-cybersecurity-law-amendments-2025/
- https://mmlcgroup.com/china-cyber-security/
- https://www.morganlewis.com/pubs/2025/09/china-issues-new-cybersecurity-incident-reporting-framework
- https://www.twobirds.com/en/insights/2025/china/new-cybersecurity-incident-reporting-measures-in-china-critical-compliance-updates-for-businesses
- https://digitalpolicyalert.org/event/33451-cyberspace-administration-of-china-adopted-national-cybersecurity-incident-reporting-management-measures
- https://www.scmp.com/news/china/politics/article/3325596/chinas-internet-watchdog-mandates-1-hour-reporting-serious-cybersecurity-incidents?module=top_story&pgtype=homepage
- https://www.dimsumdaily.hk/china-issues-new-cybersecurity-incident-reporting-rules-effective-november-2025/
- https://www.mayerbrown.com/en/insights/publications/2025/07/china-proposes-amendments-to-the-cybersecurity-law
- https://www.globaltimes.cn/china/index.html
- https://www.china-briefing.com/news/cybersecurity-incident-reporting-in-china-rules/
- https://www.hunton.com/privacy-and-information-security-law/china-issues-new-rules-for-cybersecurity-incident-reporting
- https://mmlcgroup.com/china-cyber-law/
- https://www.twobirds.com/en/insights/2024/china/china-draft-incident-reporting-regulation
- https://www.chinalawvision.com/2025/09/data-protection-privacy/chinas-new-cyber-incident-reporting-rules/
- https://www.dataprotectionreport.com/2025/10/china-issues-measures-for-the-administration-of-national-cybersecurity-incident-reporting-published-in-collaboration-with-shanghai-pacific-legal/
- https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/china
- https://www.insideprivacy.com/cybersecurity-2/china-amends-cybersecurity-law-and-incident-reporting-regime-to-address-ai-and-infrastructure-risks/
- https://www.reedsmith.com/en/perspectives/2024/01/new-cybersecurity-incident-reporting-regime-proposed-in-china
- https://www.twobirds.com/en/insights/2025/china/china-cybersecurity-and-data-protection-monthly-update-may-2025-issue
- https://thecyberexpress.com/china-cybersecurity-incident-reporting/