China’s internet watchdog mandates 1-hour reporting for serious cybersecurity incidents

Measures taking effect on November 1 come less than a week after Dior in Shanghai was fined for illegal transfer of customer data

Reading Time:3 minutes

The Cyberspace Administration of China’s new cybersecurity incident reporting management measures include an incident classification guide with detailed definitions of the various degrees of seriousness and how to respond. Photo: AFP

Published: 6:34pm, 15 Sep 2025Updated: 6:37pm, 15 Sep 2025

China’s top internet regulator has rolled out new rules for the rapid reporting of cybersecurity breaches and major incidents involving critical information infrastructure.

Network operators must report “particularly serious” cybersecurity incidents within one hour to relevant authorities, according to the draft regulation announced by the Cyberspace Administration of China on Monday.

The measures are due to come into effect on November 1.

This comes less than a week after Chinese cyber authorities fined fashion giant Dior’s Shanghai subsidiary for failing to comply with security requirements when transferring data overseas.

The “national cybersecurity incident reporting management” measures include an incident classification guide with detailed definitions of the various degrees of seriousness and how to respond.

“Particularly serious” cybersecurity incidents – the highest of four categories – are defined as involving the portals of provincial or higher officials and government agencies, as well as key national news websites, for prolonged periods.

Select Voice

Choose your listening speed

Get through articles 2x faster

1.25x

250 WPM

Slow

Average

Fast

00:0000:00

1.25x