On 8 December 2023, the Cyberspace Administration of China (CAC) issued the Draft Provisions on the Management of Network Security Incident Reporting (Draft Reporting Provisions), which are open for public comments until 7 January 2024.
Previously, the content and implementation measures for reporting network/system security incidents and data security incidents have lacked clarity and certainty. The new Draft Reporting Provisions refine and specify these reporting obligations under several key laws and regulations – the Cybersecurity Law (CSL), the Data Security Law (DSL), the Personal Information Protection Law (the PIPL) and the Security Protection Regulations on Critical Information Infrastructure (CII Regulations).
The Draft Reporting Provisions have been designed to provide clearer guidelines for enterprises to fulfil mandatory incident reporting duties across different compliance frameworks.
Along with the Draft Reporting Provisions, the CAC also published two supplementary documents: the Guidelines for Grading Network Security Incidents (Guidelines) and the Network Security Incident Reporting Form (Reporting Form). The Guidelines establish benchmarks for classifying incidents into four severity levels: “extremely major”, “major”, “relatively major”, and “general”. The Reporting Form is a template that organisations shall complete and submit when notifying authorities of an incident.
Until now, the CSL, DSL and PIPL have contained mandatory reporting obligations for relevant security incidents, but the specific authorities and procedures for notification have been unclear. The CSL and DSL do not identify the departments that should receive reports or provide details on report content and processes. While the PIPL specifies that incidents must be reported to personal information protection authorities and outlines notification content requirements, it does not specify which level of the CAC notifications should be submitted to, or the expected timeframes.
Consequently, enterprises have faced uncertainty regarding the appropriate authorities and procedures for fulfilling mandatory security incident reporting duties under these laws.
According to Article 2 of the Draft Reporting Provisions, network operators that construct or operate a network (under the CSL, a “network” is defined as a system consisting of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information according to certain rules and procedures), or that provide services through networks, must report network security incidents. Based on the draft’s definition, a network security incident includes incidents that jeopardise network and information systems and the data contained therein. Thus, the Draft Reporting Provisions apply to both system/network security incidents and data (including personal information) security incidents.
When a network security incident occurs, the relevant network operators shall, in accordance with the procedures set out in the Draft Reporting Provisions:
- initiate emergency response plans;
- report the incident to the relevant authorities; and
- within five working days after the handling of an incident concludes, submit a comprehensive follow-up report to the relevant authorities.
For the reporting obligation under the second point above, if a network security incident constitutes an “extremely major”, “major” or “relatively major” one in accordance with the Guidelines, it shall be reported within one hour. If a network security incident is categorised as “general” under the Guidelines, it shall also be reported to the relevant authorities. The Draft Reporting Provisions, however, do not provide a specific reporting time frame for general network security incidents, and therefore the deadlines for reporting are currently unclear.
The Guidelines categorise network security incidents into levels based on the severity of system damage, data sensitivity, and the level of threat posed to national security, social stability, economic development, and public interests, and provide some parameters to decide whether an incident should be categorised as “extremely major”, “major”, or “relatively major”. For instance, incidents leaking personal information of over 100 million individuals or resulting in direct economic losses exceeding RMB 100 million will constitute “extremely major” incidents; incidents leaking personal information of over 10 million individuals or causing direct economic losses exceeding RMB 20 million will constitute “major” incidents; and incidents leaking personal information of over 1 million individuals or causing direct economic losses exceeding RMB 5 million will constitute “relatively major” incidents.
The reporting channels depend on the nature of the impacted network and system:
- If the network and system belong to central and state departments, as well as enterprises and institutions under their management, the operator shall report to:
  - the division in charge of cyberspace administration within the relevant department.
- If the network and system is categorised as critical information infrastructure (CII), the relevant network operators shall report to:
  - the competent protection authorities; and
  - the public security organs.
- Operators of other networks and systems shall report to:
If there is a sector supervisory authority of the network operator, the operator shall also report in accordance with the sector regulator’s requirements. In addition, if crimes are suspected, the operator shall also concurrently report to public security authorities in a timely manner.
Information to report
Network operators shall report the following information:
- Basic details of the impacted entity, systems, platforms where the incident occurred;
- Time, location, type of incident;
- Impacts and harm caused, measures taken and their effectiveness;
- For ransomware attacks: amount, method, date of ransom demanded;
- Anticipated impacts and progression;
- Preliminary analysis of root cause;
- Clues needed for further investigation (e.g. attacker information, attack route, vulnerabilities);
- Next steps and assistance requested;
- Protection of incident scene; and
- Other relevant information.
Reporting timeframes by incident level:
- Relatively major, major and extremely major network security incidents: report within one hour.
- General network security incidents: the Draft Reporting Provisions keep silent on the timing of reporting, and therefore the reporting timeframe is currently not clear.
For situations where the root cause, impact or progression cannot be determined within one hour, operators may first report the basic details of the impacted entity, systems and platforms, as well as time, location, incident type, impact, measures taken and ransom details (for ransomware), and supplement other information within 24 hours.
Within five working days after the handling of an incident concludes, network operators must comprehensively analyse the root cause, emergency response, damages, accountability, rectification, lessons learned, etc., and submit follow-up reports through original reporting channels.
Non-compliance and penalties
According to the Draft Reporting Provisions, if network operators fail to fulfil their obligations to report network security incidents as required, the authorities will issue penalties in accordance with the relevant laws and regulations. Based on the provisions of the CSL, PIPL, DSL and the CII Regulations, penalties may include:
- orders for rectification;
- fines on entities ranging from RMB 10,000 up to RMB 1 million;
- fines on directly responsible management personnel ranging from RMB 5,000 up to RMB 100,000; and
- an adverse impact on the entity’s credit record.
Under severe circumstances, penalties may also include:
- fines up to RMB 50 million or 5% of annual turnover from the entity’s preceding year;
- fines up to RMB 1 million for management personnel who are directly responsible;
- suspension/termination of the entity’s relevant business operations or services;
- revocation of the entity’s relevant business permits or business licences;
- prohibition on relevant personnel serving as senior executives or data protection officers for a certain period; and
- possible criminal liabilities.
Although still in draft form, the incident reporting obligations stipulated in the Draft Reporting Provisions originate from requirements already established within existing laws and regulations. In practice, the relevant authorities have already required network operators to fulfil these obligations, although exact expectations currently vary across departments and geographic jurisdictions. If finalised, the Draft Reporting Provisions would consolidate and systematise reporting obligations in greater detail. The full text of the Draft Reporting Provisions can be found here (Chinese text only).
For more information on these draft provisions and data security regulations in China, contact your CMS client partner or these CMS experts.