China’s top internet regulator has introduced stringent new regulations mandating the rapid reporting of cybersecurity incidents, particularly those involving critical information infrastructure. Under the draft rules announced by the Cyberspace Administration of China (CAC), network operators are required to report "particularly serious" cybersecurity incidents to relevant authorities within one hour. These measures are set to take effect on November 1.
The move follows recent enforcement actions, including a fine imposed on Dior’s Shanghai subsidiary for non-compliance with data transfer security requirements. The new incident reporting framework classifies cybersecurity events into four categories based on severity, with explicit criteria for each level.
Incidents classified as "particularly serious" — the highest category — include prolonged cyberattacks or failures lasting over 24 hours (or six hours for critical information infrastructure), disruptions affecting more than 50% of a province’s population or over 10 million people’s daily necessities, and large-scale data breaches involving information of more than 100 million citizens or causing financial losses exceeding 100 million yuan ($14 million). Also included are hacking attacks displaying illegal content on key websites for extended periods or with widespread dissemination.
The "serious" category covers incidents such as outages at municipal government or provincial news portals lasting six hours, breaches affecting over 10 million people’s data, or disruptions impacting more than 50% of a city’s population.
Network operators must report top-tier incidents to cyberspace authorities and police within one hour, and these reports must be escalated to the National Cyberspace Administration and the State Council within 30 minutes. After resolution, operators have 30 days to submit a detailed analysis covering causes, responses, impacts, accountability, and corrective measures.
These regulations build on existing laws, including the 2016 Cybersecurity Law and 2021 critical infrastructure rules. A draft amendment to the Cybersecurity Law, currently under review, proposes stricter penalties, including fines of up to 10 million yuan for infrastructure operators that fail to meet their security duties and individual fines of up to 1 million yuan for responsible personnel. The amendment also increases penalties for permitting the dissemination of illegal information.
The enhanced regulatory framework reflects China’s intensified focus on cybersecurity, rapid incident response, and accountability in protecting critical digital infrastructure and public interests.