The Next Move

China’s cyber reporting rule pushes limits of response readiness

March 05, 2026

The issue

The Cyberspace Administration of China (CAC) issued cyber incident reporting requirements that are among the world’s strictest. The measure, which took effect November 1, 2025, establishes a broad framework for classifying, reporting, and managing cybersecurity incidents within the People’s Republic of China (PRC). Among its requirements are reporting deadlines of 1-4 hours for more serious incidents.

This landmark regulation, Administrative Measures for Reporting National Cybersecurity Incidents, requires organizations that operate networks or provide network-related services within China to report and manage covered cyber incidents as specified or face penalties. The particular timelines and actions required vary depending on the incident’s severity and the type of reporting entity, but taken together they represent a high standard globally for incident response (IR).

Multinational companies operating in China should consider these requirements in concert with recent amendments to China’s Cybersecurity Law, which increase penalties for violations and expand enforcement against overseas activities that endanger China’s cybersecurity. To prepare, multinationals should take immediate action to strengthen their IR capabilities. For starters, they should assess their potential exposure and take steps to develop an agile IR program and compliance strategy that’s capable of near real-time incident notification.

The regulator’s take

The CAC developed the new rule in accordance with the PRC’s Cybersecurity Law (CSL), Data Security Law (DSL), Personal Information Protection Law (PIPL), and related regulations. Its goal is to standardize how cyber incidents are reported and to promptly control their losses and risks.

Who’s covered? The rule applies to “network operators,” defined as any entity or individual that builds, operates, or maintains a network, or provides network-related services, within the PRC. These include telecom carriers and cloud service providers, enterprise IT operators, and other entities responsible for network security and compliance. They fall into three categories, each with distinct reporting obligations.

  1. Critical information infrastructure operators (CIIOs), i.e., entities that operate information infrastructure critical to national security, economic security, or public welfare
  2. Government agencies that operate networks
  3. All other network operators

Multinationals that operate networks or provide network-related services in China will mostly fall under the last category, other network operators, though it’s possible some could be classified as CIIOs.

What incidents are covered? The rule applies to cybersecurity incidents, defined as “events that cause harm to networks and information systems or the data and business applications within them due to human factors, network attacks, software defects, malfunctions, force majeure, and other factors that have a negative impact on the country, society, or economy.”

Incident severity tiers. The rule classifies incidents into four tiers depending on whether they meet various quantitative and qualitative thresholds shown below. Note that the thresholds within each tier are individually sufficient―not collectively necessary―to trigger classification. An incident that meets any one threshold within a tier gets classified there. However, if an incident meets any one threshold within multiple tiers, it gets classified to the highest level applicable.

Key thresholds by severity tier

| Threshold | Particularly major | Major | Significant | General |
|---|---|---|---|---|
| Overall impact | Critical networks and information systems suffer particularly severe system damage resulting in large-scale system paralysis and loss of operational capabilities; or other incidents posing a particularly severe threat to national security, social order, economic development or public interests | Critical networks and information systems suffer severe system losses, resulting in prolonged system outages or partial paralysis, with business processing capabilities significantly impaired; or other incidents posing a severe threat to national security, social order, economic development or public interests | Important networks and information systems suffer significant system losses, resulting in system interruption that significantly impairs system efficiency and business processing capabilities; or other incidents posing a relatively serious threat or impact on national security, social order, economic development, and public interests | Other cybersecurity incidents that pose a certain threat or cause a certain impact on national security, social order, economic construction, and public interests, but don’t meet the thresholds of the higher categories |
| Data impact | Loss or theft of core data, critical data, or massive amounts of citizens’ personal information, posing a particularly severe threat to national security and social stability | Loss or theft of core data, critical data, or massive amounts of citizens’ personal information, posing a severe threat to national security and social stability | Loss or theft of important data and relatively large amounts of citizens’ personal information, posing a relatively serious threat to national security and social stability | N/A |
| People impact | Personal information of more than 100 million citizens | Personal information of more than 10 million citizens | Personal information of more than 1 million citizens | N/A |
| Economic loss | More than RMB 100 million (~US $14M) | More than RMB 20 million (~US $2.8M) | More than RMB 5 million (~US $700,000) | N/A |
| CII outage duration | Overall interruption of critical information infrastructures (CII) for more than 6 hours or the interruption of key functions for more than 24 hours | Overall interruption of CII for more than 1 hour or the interruption of key functions for more than 3 hours | Overall interruption of CII for more than 10 minutes or the interruption of key functions for more than 30 minutes | N/A |
| Essential services impact | Disruption of essential services (e.g., water, electricity) for more than 50% of the population of one or more provinces or more than 10 million people | Disruption of essential services (e.g., water, electricity) for more than 50% of the population of one or more cities or more than 1 million people | Disruption of essential services (e.g., water, electricity) for more than 30% of the population of one or more municipalities or more than 100,000 people | N/A |

Reporting timelines. Deadlines for reporting incidents vary depending on the type of network operator. Upon discovering or becoming aware of a cybersecurity incident involving its organization, the network operator must conduct an assessment and, for incidents classified as significant or above, must report as follows:

| Reporting entity | Deadline | To whom? | Escalation path for major and particularly major incidents |
|---|---|---|---|
| CIIOs | 1 hour after becoming aware of the incident | Competent protection authority and public security bureau | Competent protection authority must notify the national CAC and State Council's public security department no later than 30 minutes after receiving the report |
| Government agencies | 2 hours after becoming aware of the incident | Cyberspace affairs office of department | Cyberspace affairs office must notify the national CAC within one hour after receiving the report |
| Other network operators (e.g., most multinationals) | 4 hours after becoming aware of the incident | Provincial CAC | Provincial CAC must notify the national CAC within one hour after receiving the report |
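As an added example that is not part of the article or of the CAC measure, the triage helper below applies the quantitative thresholds from the severity table and the per-entity deadlines from the reporting table, following the rule that any single threshold is sufficient and the highest matching tier applies. The qualitative overall-impact and data-impact prongs, and the percentage-of-population prong for essential services, are left to the responder and passed in as a pre-assessed tier; the Incident fields and category names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Tier order, lowest to highest.
TIERS = ["general", "significant", "major", "particularly_major"]

# Quantitative thresholds from the severity table, highest tier first:
# (tier, citizens affected, loss in RMB, overall CII outage minutes,
#  CII key-function outage minutes, people without essential services).
# Each value is a strict "more than" bound, as in the measure.
THRESHOLDS = [
    ("particularly_major", 100_000_000, 100_000_000, 6 * 60, 24 * 60, 10_000_000),
    ("major",               10_000_000,  20_000_000,      60,  3 * 60,  1_000_000),
    ("significant",          1_000_000,   5_000_000,      10,      30,    100_000),
]

# Minutes after becoming aware of the incident, by operator category.
DEADLINE_MIN = {"ciio": 60, "government": 120, "other": 240}

@dataclass
class Incident:  # field names are this example's assumption, not the CAC form
    people_affected: int = 0
    loss_rmb: int = 0
    cii_outage_min: int = 0               # overall interruption of CII
    cii_key_function_outage_min: int = 0
    essential_service_people: int = 0     # absolute-count prong only
    # Responder's assessment of the qualitative prongs (overall/data impact,
    # percentage-of-population service disruption), or None if not applicable.
    qualitative_tier: Optional[str] = None

def classify(inc: Incident) -> str:
    """Highest tier for which any single threshold is met; 'general' otherwise."""
    matched = {inc.qualitative_tier} if inc.qualitative_tier else set()
    for tier, people, rmb, cii_min, key_min, svc_people in THRESHOLDS:
        if (inc.people_affected > people or inc.loss_rmb > rmb
                or inc.cii_outage_min > cii_min
                or inc.cii_key_function_outage_min > key_min
                or inc.essential_service_people > svc_people):
            matched.add(tier)
    return max(matched, key=TIERS.index) if matched else "general"

def reporting_deadline_min(tier: str, operator: str) -> Optional[int]:
    """Minutes to file the initial report; None below 'significant', where the
    measure sets no reporting deadline."""
    if TIERS.index(tier) < TIERS.index("significant"):
        return None
    return DEADLINE_MIN[operator]

if __name__ == "__main__":
    inc = Incident(people_affected=15_000_000, loss_rmb=4_000_000)  # constructed
    tier = classify(inc)
    print(tier, reporting_deadline_min(tier, "other"))  # major 240
```

An incident that matches thresholds in several tiers (15 million citizens matches both the major and the significant people thresholds) is placed in the highest one, and the deadline then depends only on the operator category.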

Where there are specific regulations in the relevant industry sectors, the network operator must also comply with the IR requirements of the industry’s competent regulatory authorities. Where criminal or illegal activities are suspected, the network operator must promptly report to the public security authorities.

Contents of incident report. The incident report must include:

  1. Background information about the entity and system where the incident occurred.
  2. Time and place of discovery, type and severity level of the incident, its impact and harm, and the measures taken and their effects. For ransomware incidents, the requested payment amount, method, and date, if applicable.
  3. The development trend of the situation and the potential for further harm.
  4. Preliminary analysis of the incident’s cause.
  5. Threat intelligence and forensic leads (potential attacker information, attack path, vulnerabilities, etc.).
  6. Proposed remediation measures and requests for support.
  7. Status of on-site preservation of relevant evidence.
  8. Other material facts.

If the incident’s cause or impact can’t be determined within the required notification timeline, the notifying entity should submit a preliminary report with the available information and supplement it promptly once further information becomes available.

Post-incident report. The notifying entity should provide updates on major developments and submit a comprehensive summary report within 30 days after the incident’s resolution. That report should document the root cause, emergency response measures, remediation actions taken, impact, accountability, and lessons learned.

Vendor contract clauses. Network operators must, through contracts or other means, require third-party entities or individuals that provide them with cybersecurity, system operation and maintenance, or other services to promptly report any cybersecurity incidents detected through monitoring, and to assist the network operator in reporting those incidents.

Penalties and liability. Failure to report a cybersecurity incident as required is subject to penalties in accordance with applicable laws and regulations. If a network operator’s delay, falsification, or concealing of a required incident report causes significant harm, the network operator and the relevant responsible personnel may face severe penalties.

Conversely, if a network operator has taken reasonable and necessary protective measures upon occurrence of the incident, handled it according to emergency response plans to effectively mitigate the impact and harm, and reported it in a timely manner as required, the relevant entities and personnel may be exempted from liability or granted a reduction in their liability on a discretionary basis.

Your next move

Companies operating within China should strengthen their IR capabilities to enable near real-time disclosure. Consider taking a phased approach to readiness.

Immediately address gaps in your ability to meet the rule’s fundamental reporting requirements.

  • Update your IR SOP. Embed the China-specific incident reporting timeline into internal playbooks and SLAs. Confirm that internal escalation occurs within 30 to 60 minutes.
  • Appoint and train designated local officers. Define primary and backup contacts (Legal, InfoSec, Compliance, PR) with 24/7 availability and train them on the new requirements.
  • Test reporting channels. Register and perform a mock submission via CAC’s platform to verify connectivity and record evidence of reporting.
  • Review vendor contracts. Update clauses with cloud, managed service, and your security vendors to include timely notification and cooperation obligations.

Shift from reactive reporting to proactive compliance, enhancing the accuracy and completeness of incident reporting.

  • Conduct IT asset and data inventory. Classify your systems and data by sensitivity and confirm whether any fall under “critical information infrastructure” or “important data” categories.
  • Prepare standardized reporting templates. Create quick-fill forms covering the eight CAC-required elements (incident facts, impact, root cause, measures, etc.).
  • Review evidence preservation procedures. Confirm logs, forensic images, and attack traces can be secured immediately.
  • Conduct simulation drills. Include full submission and interdepartmental communication exercises.

Integrate the rule’s requirements into your daily business operations, and enhance digital forensics and IR (DFIR) capabilities.

  • Implement technical hardening and governance. Patch vulnerabilities, segment networks, and test data backup and recovery.
  • Review cyber insurance. Check policy definitions and coverage for security incident liabilities. Confirm the 1- to 4-hour reporting deadlines don’t void your policy coverage. Consider increasing coverage for investigation costs.
  • Engage third-party IR retainer services. Provide rapid technical support for IR and investigation when incidents occur. Obtain a professional and independent post-incident analysis report to identify the root cause, enhance security measures, etc.
  • Establish a local CAC liaison. Maintain regular communication with local and provincial regulators for smoother reporting and guidance.
