China is significantly stepping up its cybersecurity and data protection regulatory framework with a series of important updates. We summarize below some of the key developments which businesses should be aware of.
1. Measures on the Reporting of National Cybersecurity Incidents
Following a series of data and personal information (PI) breaches this year, the Cyberspace Administration of China (CAC) has formally issued the Measures on the Reporting of National Cybersecurity Incidents (Measures), coming into effect on 1 November 2025. For the first time, explicit time requirements for fulfilling reporting obligations in the event of data breaches are set out: for most commercial entities which are not state organs, and do not involve critical information infrastructure, cybersecurity incidents should be reported within 4 hours. Where critical infrastructures are involved, reports must be submitted within 1 hour.
Scope of Application
The Measures apply to all entities constructing, operating, or providing services via networks within China, which in practice covers most business activities and their operators in China. Cybersecurity incidents refer to those arising from cyberattacks, vulnerabilities, technical defects and failures, or force majeure events that affect network, data/PI security, or national, social and economic interests.
The annex to the Measures categorise reportable incidents into “extremely significant”, “significant”, and “relatively significant”, with some quantifiable thresholds including geographic and population scope, volume of PI, duration and numbers of views of unlawful information, and amount of direct economic loss. For instance, a data leak involving PI of 1 million individuals or direct losses of RMB 5 million will constitute a “relatively significant” incident and must be reported.
Although the Measures do not expressly address cybersecurity incidents that occur overseas after data/PI are exported, entities which transfer data/PI outside China remain subject to PRC laws. For multinational businesses with operations in China, it would be prudent to closely monitor overseas incidents and report where appropriate. The Chinese data protection authorities are keen to regulate unlawful cross-border data activities as discussed in our recent news alert.
Reporting Process
- An initial report must be filed within 4 hours of discovery or knowledge of the incident to the local provincial CAC via telephone hotline (12387), website, e-mail, fax, WeChat Public Account or Mini Program. The report should at least include a basic overview of the incident, its security impacts, and the remedial measures initially taken. If ransomware is involved, the report should also include the amount, payment method and payment date demanded by the ransomware group.
- If the initial report cannot provide details such as the development of the incident, a preliminary cause analysis, or the investigations conducted, a supplemental report should be filed promptly once this information becomes available. In any event, the supplemental report must be submitted within 72 hours after filing of the initial report.
- A further summary report must also be filed via the original reporting channel within 30 days after the incident has concluded. The summary should include a comprehensive analysis of the cause of the incident, emergency measures taken, damage incurred, accountability, rectifications and lessons learned.
- Where the incident involves criminal activity (such as a cyberattack), the incident should also be reported to the local Public Security Bureau within 24 hours, as stipulated by the Regulations on the Security Protection of Computer Information Systems.
Entities and their responsible personnel that fail to comply with the reporting obligations will be subject to administrative penalties under the PRC Cybersecurity Law, Data Security Law, or Personal Information Protection Law. However, reporting in a timely manner and taking effective remedial measures are factors which will be considered in reducing or exempting penalties.
Third-party Obligations
In practice, third-party service providers are often engaged in daily network operations, maintenance, or security work, but may not be directly subject to the reporting obligations. The Measures require contractual or other means to be put in place to ensure these service providers will promptly report cybersecurity incidents and provide assistance to the entities that engaged them.
Entities providing network services in China are advised to promptly establish or enhance internal systems for identifying and reporting cybersecurity incidents, and should evaluate the capabilities of third-party providers in identifying and reporting incidents, and stipulate their obligations in contracts.
2. Other Legislative Developments
Draft Regulations on the Establishment of Personal Information Protection Supervisory Committees in Major Online Platforms
The CAC has also released the draft Regulations on the Establishment of Personal Information Protection Supervisory Committees in Major Online Platforms (Draft Regulations) for public comment. According to the Draft Regulations, the CAC will publish a list of “major online platforms”, which are required to establish a Personal Information Protection Supervisory Committee. The Committee will supervise the platform’s PI protection systems, policies and practices, and monitor compliance of PI incident handling, as well as cross-border transfer.
The Committee should comprise a minimum of seven individuals, at least two-thirds of whom should be independent external members. The Committee should hold regular meetings at least once every three months and may convene ad hoc meetings as necessary.
Major online platforms must respond to any requests from their Committee within 10 working days, and may be reported to the provincial CAC for failure to do so. The Draft Regulations are expected to enhance the transparency of PI handling by major online platforms in China.
Draft Amendments to the Cybersecurity Law
Draft amendments to the PRC Cybersecurity Law (“Draft Amendment”) were also submitted to the Standing Committee of the National People’s Congress for first reading in September 2025. The Cybersecurity Law has been in force since 2017, and the Draft Amendment aims to align it with the PRC Data Security Law, Personal Information Protection Law, and Regulations on the Security Protection of Critical Information Infrastructure.
The Draft Amendment has proposed to adjust administrative penalties, including:
- Raising the maximum fine for failure to comply with network security obligations from RMB 100,000 to RMB 500,000 for entities, and the penalty range for responsible personnel from RMB 5,000-50,000 to RMB 10,000-100,000.
- Introducing new penalties for violations of network security obligations with serious or extremely serious consequences, e.g., large-scale data breaches, with fines up to RMB 10 million for entities and RMB 1 million for responsible personnel.
- Raising the maximum fine for failure to address unlawful online information from RMB 500,000 to RMB 2 million for entities, and the penalty range for responsible personnel from RMB 10,000-100,000 to RMB 50,000-200,000.
- Introducing new penalties for the sale or provision of uncertified or unqualified key network equipment or cybersecurity products, including confiscation of the products and illegal gains, as well as fines of up to 3 times the illegal gains.
Business entities should stay alert to developments as China’s cybersecurity and data protection framework becomes more stringent and complex.