
Cybersecurity just got more urgent in China — literally.
Starting November 1, companies in China will be required to report major cyber incidents within just one hour of discovery. This isn’t a suggestion; it’s a legal mandate from the Cyberspace Administration of China (CAC), aimed at tightening the country’s response to growing cyber threats like ransomware and data breaches.
So, what exactly counts as a “serious” or “particularly serious” incident?
If a cyberattack affects more than 50% of a province’s population or impacts the daily needs of over 10 million people — think hospitals, utilities, transport, and essential services — it’s considered high-severity. Even taking down key government websites, or triggering economic losses of over ¥100 million (around £10 million), falls into this category. A notch below, “serious” incidents include leaking the data of over 10 million citizens or causing service disruption for millions within a single city.
Organizations facing these kinds of events must report detailed information to authorities within 60 minutes: what systems were hit, the type of attack, when it occurred, the cause, the damage, and even the ransom demand (if applicable). They’ll also need to assess potential fallout and request government support where needed.
Non-compliance isn’t something firms can brush off. The CAC has made it clear: late or misleading reports — or worse, attempts to hide the breach — could lead to severe legal consequences for both the company and its responsible staff.
China isn’t alone in this fast-response shift. Just days ago, the U.S. Department of Defense rolled out strict cybersecurity rules for contractors, signaling a global trend toward tougher regulation in the face of rising digital threats.
As a Chinese Embassy spokesperson put it, timely reporting helps contain damage and reduce wider social impact. And that’s a reality businesses everywhere are starting to accept — cyber incidents don’t just damage systems; they disrupt lives.