Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

China: CAC requests comments on draft measures for cybersecurity incident reporting

On December 8, 2023, the Cyberspace Administration of China (CAC) released draft measures for the Management of Cybersecurity Incident Reporting and is requesting public comments on the same. The CAC clarified that the draft measures aim to standardize the reporting of cybersecurity incidents while reducing the loss and harm caused by the same and maintaining national cybersecurity in accordance with the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (PIPL).

Who do the draft measures apply to?

The draft measures clarify that network operators who construct and operate networks or provide services through the network within the territory of the People's Republic of China must report in accordance with the provisions of the draft measures when an incident that endangers network security occurs.

What are the key requirements for incident reporting under the draft measures?

The draft measures outlined content that must be provided in the event of an incident which includes at least the following:

  1. the name of the unit where the incident occurred and basic information about the facilities, systems, and platforms where the incident occurred;
  2. the time and place when the incident was discovered or occurred, the type of incident, the impact and harm caused, the measures taken, and their effects. For ransomware attacks, the amount, method, and date of the ransom required to be paid should also be included;
  3. the development trend of the situation and possible further impacts and harms;
  4. preliminary analysis of the cause of the incident;
  5. clues required for further investigation and analysis, including possible attacker information, attack paths, existing vulnerabilities, etc.;
  6. further response measures to be taken and requests for support;
  7. protection conditions at the incident site; and
  8. other situations that should be reported.

Furthermore, the draft measures establish that where the cause, impact, or trend of the incident cannot be determined within one hour, the contents of items one and item two above may be reported first, and other situations shall be reported within 24 hours. Furthermore, within five working days after the incident is handled, the operator must conduct a comprehensive analysis and summary of the cause of the incident, emergency response measures, hazards, rectification situations, and lessons learned, and submit it according to the original channel.

Public comments may be submitted via email to [email protected] until January 7, 2024.

You can read the press release and the draft measures here, both only available in Chinese.