China introduces strict one-hour deadline for reporting major cyber incidents

China’s cyberspace regulator is tightening control over how quickly organisations must disclose cyber incidents, introducing some of the fastest reporting requirements in the world. Beginning 1 November 2025, the Cyberspace Administration of China (CAC) will require all ‘network operators’ – a category that covers nearly anyone who owns, manages, or provides digital services – to report serious cybersecurity incidents within one hour of detection. For the most critical events, the window shrinks to just 30 minutes.

The new National Cybersecurity Incident Reporting Management Measures classify cyber incidents into four levels, reserving the toughest obligations for ‘particularly major’ cases. This top tier includes events such as leaks of over 100 million personal records, theft of sensitive data that could affect national security, or service outages taking government or news websites offline for more than 24 hours. Incidents causing direct economic losses exceeding ¥100 million (around £10 million) also fall under this category.

Initial reports must provide extensive details, including the systems affected, the timeline of the attack, vulnerabilities exploited, and any ransom demands. Operators must also assess possible future harm and outline what government support might be needed for recovery. A final, detailed report is due within 30 days, covering causes, lessons learned, and accountability.

The CAC warns that companies or officials who delay, conceal, or falsify reports will face strict penalties. To enforce compliance, it has created multiple reporting channels, including hotlines, a dedicated website, WeChat, and email.