Date: 2025-10-01

Major critical infrastructure providers in China will now have a mere hour to report serious cyber incidents like breaches or leaks. The requirement is much stricter than in the United States and the European Union – regions that are regularly attacked by Chinese state-sponsored hackers.

The new regulation, detailed in a notice published by the Cyberspace Administration, requires network operators who build, operate, or provide services in China and its territories to report any security incidents to the appropriate ministry.

The operators also have to grade any incident and, if the security event – a cyberattack – impacted “key infrastructure,” report it within 60 minutes. However, notification is needed within 30 minutes if the incident is particularly important or serious.

Requirements tougher than in the West

Cybersecurity incidents are to be considered particularly serious if networks and information systems suffer severe losses, “resulting in large-scale system paralysis and loss of business processing capabilities,” the missive explains.

It also mentions the loss, theft, tampering, or forgery of core data and “massive amounts of personal information” of China’s citizens when it poses a significant threat to national security and social stability.

“Social organizations and individuals are encouraged to report any major cybersecurity incidents that they become aware of,” the new reporting regulations also say.

Network operators that fail to report within the timelines will be punished. Those that conceal incidents or falsify their details will be “punished more severely according to law,” the notice adds.

China is, of course, an authoritarian state, so it’s probably also not shocking that attacks on information or news sites that show non-state-approved content for more than six hours, get more than 1 million views or clicks, or are forwarded more than 100,000 times through social media will be recognized as widespread attacks.

The requirements are much tougher than in the US or the EU. In America, the primary federal reporting rule for major cyber incidents is the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

It requires certain organizations to report “covered cyber incidents” to the Cybersecurity and Infrastructure Security Agency within 72 hours of their “reasonable belief” that a substantial incident occurred, and report ransomware payments within 24 hours.

In the EU, the reporting rule for major cyber incidents is primarily governed by the NIS2 Directive.

It mandates that the entities in scope provide an early warning within 24 hours of detecting a significant incident, an incident notification within 72 hours with an initial assessment, and a final report within one month.

Protect yourself, keep attacking others

It’s rather ironic that China is attempting to harden its networks even while sending loyal hackers to attack global networks.

Chinese-backed espionage group Salt Typhoon hacked several US telecom companies, including Viasat, in the lead-up to the US presidential elections held last November, for example. Nine US firms were compromised.

Salt Typhoon is also believed to be behind February’s hack of the US Treasury Department, in which the threat actors were able to gain access to the laptops of some senior US officials.

CrowdStrike's recent “2025 Global Threat Report” said that Chinese state-backed hacking has reached an “inflection point” and noted a 150% increase in China-nexus activity across all sectors.

