Cybersecurity clock is ticking as Chinese firms get one-hour rule

One hour to report cyberattacks

China’s Cyberspace Administration has introduced strict new rules requiring companies to report “particularly serious” cybersecurity incidents within one hour of discovery.

The regulation takes effect on November 1, 2025, and applies to network operators. Authorities say the faster timeline is designed to limit damage, improve coordination, and strengthen national resilience against large-scale digital threats.

Four levels of incident severity

The rules divide incidents into four levels: particularly serious, serious, relatively serious, and general. The most severe incidents include data leaks of over 100 million records, failures affecting over 50% of a province’s population, or government or key news websites being offline for more than 24 hours.

Serious incidents include data leaks of more than 10 million records or service disruptions affecting over one million people in a city. The lesser incidents are categorized as relatively serious or general, with reporting expectations scaled to their impact.

Escalation for the worst cases

Escalation timing depends on the operator type and incident grade: critical-infrastructure protection bodies and public security organs may need to alert national authorities within 30 minutes for the most extreme incidents.

Provincial CACs often have one hour to report up to the national CAC, while other network operators typically report first to local/provincial authorities (commonly within four hours) before any national escalation.

What counts as a serious breach?

Examples of qualifying incidents include outages of major news or government portals, mass leaks of personal data, or disruptions of utilities serving large populations.

The guidelines stress that events which undermine social stability, national security, or public order must be reported immediately. This broad definition puts pressure on companies to build fast classification and escalation processes into their cybersecurity playbooks.

Details required in reports

The initial, time-sensitive report must provide key facts (incident type, discovery time, affected systems, initial mitigation steps, ransom demands, and preliminary loss estimates).

A follow-up, comprehensive report, including root cause and corrective actions, must be filed within 30 days.

Authorities also require estimated losses and likely sources of attack. This data helps regulators prioritize responses and coordinate resources. If further details emerge later, companies are required to submit follow-up reports.

A second report within thirty days

After the initial disclosure, firms must submit a full follow-up report within 30 days. This must include the root cause, comprehensive damage assessment, lessons learned, and corrective actions to prevent recurrence.

The Cyberspace Administration emphasized that both the initial and follow-up reports are mandatory. Missing deadlines or failing to provide complete information could bring penalties.

Rule applies to all network operators

The new regulations apply broadly to all network operators in China. This includes state-owned enterprises, private companies, critical infrastructure providers, and internet platforms. Smaller businesses offering online services are also covered.

The wide reach of the rules means every organization with digital operations must adopt reporting procedures and incident response plans to avoid violations once the law comes into force.

Heavy fines for non-compliance

Penalties vary by severity: guidance and counsel summaries commonly reference fines up to RMB 1 million (about US$140,000) for serious reporting failures and individual penalties for responsible personnel.

Separate draft amendments proposed earlier in 2025 would allow much larger sanctions for especially severe violations, up to RMB 10 million for entities and up to RMB 1 million for individuals, depending on the final legislative outcome.

Lessons from recent breaches

The push for stricter rules follows several high-profile incidents, including enforcement actions against companies mishandling sensitive data. Officials cited cases where delayed reporting slowed containment and increased damage.

By forcing faster disclosure, regulators hope to avoid repeat scenarios. Authorities also referenced penalties against firms found transferring data abroad without approval as evidence of their growing enforcement activity.

Built on earlier cybersecurity laws

The one-hour rule builds on China’s 2017 Cybersecurity Law and 2021 Data Security Law. Those laws created obligations to protect networks and sensitive data, but deadlines for incident reporting were less defined.

By adding clear timelines and tiered classifications, the new measures make responsibilities more specific. Companies must now align existing emergency response procedures with these sharper requirements.

Need for stronger response plans

To meet the new standard, organizations are expected to upgrade their monitoring systems and emergency playbooks. Companies must be able to detect breaches, classify severity, and prepare reports within an hour.

Experts say this will require faster coordination across technical teams, legal departments, and executives. Many firms are now testing mock drills to ensure readiness for real-world events.

Reports flow from local to national

Reports must be sent first to local cyberspace or public security authorities. For higher-level incidents, these offices must then escalate to national regulators.

The structure creates a two-step chain where local oversight is combined with national supervision. Businesses therefore need to maintain updated contact lists and communication channels to avoid delays when serious incidents occur.

Global vendors scale back in China

Multinational corporations with operations in China may find compliance difficult. Tight timelines can clash with cross-border corporate processes, especially when detection systems or decision-makers are outside China.

Some foreign security vendors have also scaled back services available to Chinese clients. As a result, companies may need to establish dedicated local teams to meet the one-hour reporting requirement.

Faster than most global rules

China’s one-hour deadline is among the strictest worldwide. By comparison, U.S. defense contractors must report incidents within 24 hours, and European regulators often allow several days.

Analysts say China’s approach reflects its goal of ensuring rapid cyber sovereignty and tighter control of information flows. The new rules may influence how other countries rethink their reporting frameworks.

Push toward automation

Cybersecurity experts believe automation will be key to compliance. Manual reporting can be slow and prone to errors, making it difficult to meet the one-hour cutoff.

Automated monitoring tools, real-time alerts, and pre-formatted reporting templates can help companies streamline their responses. These technologies are expected to become standard for firms operating in China’s digital space.

Regulators have pointed to cases where delayed reporting slowed containment, and those experiences appear to have helped drive the push for much faster disclosure and tougher enforcement.

Preparing for compliance now

Companies should run tabletop exercises, train staff to classify incidents correctly, and build automated escalation systems.

Assigning designated reporting leads can reduce confusion during high-pressure situations. As enforcement begins, regulators may expand definitions or tighten requirements further. Businesses that adapt early will be better positioned to avoid penalties.

The urgency of early preparation mirrors how cyber scammers upgrade tactics with AI, forcing defenders to adapt just as quickly.

What do you think about this? Let us know in the comments, and don’t forget to leave a like.

Read More From This Brand:

• Shield Your Smartphone from Cyber Threats
• US sets $10M bounty on Russians behind cyber breaches
• Hackers Use $TRUMP Tokens in New Phishing Scam

Don’t forget to follow us for more exclusive content right here on MSN.

If you liked this story, you’ll LOVE our FREE emails. Join today and be the first to get stories like this one.

This slideshow was made with AI assistance and human editing.