
China proposes enhancements to its cybersecurity breach reporting regime

Presented at this month’s "Two Sessions" – China’s annual legislative showcase in Beijing – the 2024 Government Work Report highlights the importance of safeguarding network and data security in the world’s second largest economy. While improving the management of data and cyber incidents has long been on the agenda of the PRC authorities, implementing incident reporting requirements under the three pillars of China’s data law has recently become a tangible focus, in line with the Work Report’s aspirations.

Specifically, the Cyberspace Administration of China (CAC) released the draft Administrative Measures for Cybersecurity Incident Reporting (Reporting Measures), together with the Cybersecurity Incident Grading Guide (Guidelines) and the Cybersecurity Incident Information Reporting Form (Reporting Form) for public consultation at the turn of the year. Together, these three documents detail the requirements that Chinese organisations should follow in the event of a cyber incident. 

Below are some highlights from the Reporting Measures.

What is an in-scope cybersecurity incident?

Under the Reporting Measures, a “cybersecurity incident” refers to an incident that causes harm to a network and information system or its data in a manner that has an adverse impact on society.

Compared with the definition of a data breach under the Personal Information Protection Law (PIPL), the scope of reportable cybersecurity incidents seems narrower.

  • Firstly, based on a technical read of the proposed text, the Reporting Measures focus on network-related incidents rather than on any incident that leads to a loss or other compromise of personal information. This narrower scope suggests, for example, that the loss of a notepad on a bus would fall outside the guidelines’ principles.
  • Secondly, the qualifying language that the incident must adversely impact society suggests that not all incidents must be handled in accordance with the Reporting Measures. However, questions remain: how is an adverse impact determined, and is there a de minimis threshold to avoid the reporting of hairline breaches, which appeared mandatory under the Cybersecurity Law (CSL)?

Who must report a cybersecurity incident?

Echoing the definition of a network operator under the CSL, under the Reporting Measures, any network operator that develops and operates networks or provides services through networks within China must report any incident that endangers cybersecurity. 

This suggests that the Reporting Measures have a similar jurisdictional scope to the CSL and apply only to a network within the PRC. This differs from the more recently launched PIPL, which seeks to apply on an extra-territorial basis to certain offshore processing activities, and from the obligations under the Chinese equivalent of the EU standard contractual clauses, which require the offshore recipient of China-originated personal information to report a data breach in accordance with PRC law.

The answer to this question will be important to multinational organisations where there is a cybersecurity incident involving China-originated personal information held in their IT infrastructure operated outside China. 

To whom must reports be made?

The Reporting Measures map out different reporting channels:

Who suffers the incident, and to whom must they report?

  • Network operator whose network or system is regulated by a department of the PRC central government, a state organ, or an enterprise or public institution administered by a state organ: the cyberspace administration of the department concerned.
  • Critical information infrastructure (CII) operator: the relevant CII protection department and the public security bureau.
  • Other network operators: local-level cyberspace authorities.
  • Service provider providing services to a network operator: the network operator (and, in some cases, also the cyberspace authorities).

Some scenarios carry other reporting obligations in addition to those above:

  • Network operator regulated by certain sectoral authorities: the competent sectoral regulatory authorities (e.g., financial regulators such as the People’s Bank of China).
  • Network operator that suffers an incident relating to a crime: the competent public security bureau.
What is the reporting timeline (1 hour, 24 hours or 5 working days)?

In the event of any relatively severe, severe, or particularly severe cybersecurity incidents, network operators must make:

  • an initial report: submitted to the relevant authorities within one hour, covering at least basic details including when, what and where the incident occurred, its consequences, and the mitigation measures taken.
  • a supplementary report: submitted within 24 hours, supplementing the details that could not be confirmed within the first hour.
  • a comprehensive analysis: submitted within 5 working days after handling of the incident has been completed.

The appended Reporting Form sets out information that should be submitted. The Guidelines further outline some criteria to classify the severity level of an incident. Among others, an incident affecting 1 million individuals’ personal information will be deemed “relatively significant”. Companies should put in place an emergency response plan in advance so that they can react promptly when a cybersecurity breach falls into the scope of reporting.

However, what about a cybersecurity incident that is relatively minor and does not meet the “relatively severe” criteria? It would seem reasonable to anticipate a more lenient reporting timeframe being applied to a general, non-major cybersecurity incident. In the absence of further details, though, it is unclear what reporting requirements and minimum reporting timeline organisations should apply.

Are there benefits to reporting a cybersecurity incident?

Where a network operator has taken reasonable and necessary protective measures, taken the initiative to report to the authorities, acted in accordance with its emergency plans and made best efforts to mitigate any impact from the incident, the liabilities of such an operator and its responsible management can be exempted or mitigated on a discretionary basis.

Apparently, the regulator is trying to ease businesses’ concerns about subsequent enforcement or investigations by an authority in relation to a reported data breach, and to encourage businesses to proactively report under the Reporting Measures. To qualify for such an exemption, though, organisations should implement a comprehensive cybersecurity handling and emergency response plan.

What’s next?

On the same day that the Reporting Measures were released, the Ministry of Industry and Information Technology (MIIT) adopted the Measures for Data Security Management in Industry and Information Technology Sector (for Trial Implementation). The MIIT’s measures seek to enhance the regulation of data security, including data breach reporting, in this particular sector.

Five days later, the MIIT published a draft contingency plan for data security incidents in the industry and information technology sector. The draft plan proposes a four-tier, colour-coded system for handling incidents, depending on factors such as the degree of urgency, development status, scale of data, associated consequences and the actual harm caused.

Tech companies, and those which develop or operate a network or provide network services in the PRC, should stay ahead of the curve and prepare before the Reporting Measures take effect.

Stay tuned for further updates as we see them.

How can Linklaters help?

One of our key assets as a team is our global reach. Linklaters' internal privacy network spans 14 jurisdictions across Asia, the U.S. and Europe, while our wider network of independent privacy specialists covers over 100 countries. 

Clients benefit from our deep experience of advising on:

  • Some of the most serious hacking and data breach crises in the last decade.
  • Effective cyber crisis preparedness - through training, incident response planning, and risk management strategies.
  • Governance and resilience arrangements - helping clients review and put appropriate governance structures in place.

Explore cybersecurity at Linklaters and, in case you missed it, see our dedicated Cyber Security Handbook prepared for in-house counsel.


Subscribe to our Tech Insights blog for insights, updates and news from our experts.
