China - Highlights Of The Administrative Measures For Cybersecurity Incident Reporting (Comment Draft).

January 9, 2024 by Rohin Pujari

On December 8, 2023, the Cyberspace Administration of China (CAC) issued for public comment the Administrative Measures for Cybersecurity Incident Reporting (Comment Draft) (Measures). The Measures include two appendices. Appendix 1 is a Guide to the Classification of Cybersecurity Incidents (Guide); and Appendix 2 is a Cybersecurity Incident Information Reporting Form (Form). The period for commenting on the Measures will end on January 7, 2024.

1. Applicable subjects

The Measures apply to any cyber-operator that develops and operates networks or provides services through networks within the territory of the People’s Republic of China. Article 8 of the Measures further requires that any organization or individual that provides services to an operator and becomes aware of a relatively serious, serious or especially serious cybersecurity incident shall remind the operator of the obligation to report the cybersecurity incident and may report the incident if the operator refuses. Article 9 also encourages social organizations and individuals to report relatively serious, serious or especially serious cybersecurity incidents to the cyberspace administration.

2. Content of the report

According to Article 5 of the Measures and Appendix 2 the Form, the content of the report shall include at least the following items:

1) basic information of the entity where the incident occurs;

2) when and where the incident occurred, the type of the incident, function description of the cyberspace system, the impacts and harm caused, the measures that have been taken and their effects;

3) brief introduction of the development of the incident;

4) preliminary analysis of the cause of incident;

5) items required for further investigation;

6) further measures to be taken and working suggestions;

7) the status of protection of the incident site, and;

8) other circumstances that should be reported.

3. Reporting procedures

Upon occurrence of a relatively serious, serious or especially serious cybersecurity incident, the operator shall make its report within one hour. The details of reporting procedures are set out in the chart below.

4. Legal liabilities

The Measures specify that any operators failing to report a cybersecurity incident as required shall be punished by the cyberspace administration in accordance with relevant laws and administrative regulations. Meanwhile, the Measures clarify that the operator and relevant responsible individuals shall be subject to severe punishment for delay or omission in reporting, false reporting or concealment of a cybersecurity incident. However, the liability of the operator and relevant responsible individuals may be exempted from punishment or have the level of punishment reduced if reasonable and necessary protective measures have been taken to mitigate the influence of the incident.

5. Conclusion

The Measures include two appendices. Appendix 1 the Guide provides guidance to the classification and categorization of cybersecurity incidents, demonstrating how to distinguish between especially serious, serious, relatively serious and general cybersecurity incidents. Appendix 2 the Form provides templates for the specific content of the cybersecurity incident report.

The Measures are still in comment draft form. Deacons will pay close attention to the status of legislation on cybersecurity incident reporting and provide updates on changes that may impact your business. Please contact us for tailored measures and practical advice regarding cybersecurity incident reporting.

WRITTEN BY

Deacons

For further information, please contact:

Edwarde Webre – Consultant – Corporate Commercial, Deacons
edwarde.webre@deacons.com

Edwarde specializes in cross-border transactional and operational matters in Greater China. He has over twenty years experience handling Hong Kong transactions and assisting foreign investors in China. He has assisted both foreign and domestic parties with inbound and outbound transactions involving the PRC. He advises both operational and financial investors, including venture capital and private equity funds on portfolio investments. He handles public and private mergers and acquisitions, reorganisations and direct investment transactions.

He has acted across a range of industries sectors and has handled major projects in manufacturing, electronics, pharmaceuticals, chemicals, medical devices, hotel/hospitality, technology, financial services, tobacco, energy and advertising industry sectors. Transactions handled have included major green field projects and the acquisitions on non-circulating state owned shares, block share acquisitions of listed shares, negotiated acquisitions of registered capital and the conversion of non-circulating shares into listed shares.

He also advises on clean energy projects and has handled biogas, natured gas, hydro power and wind energy projects. He has advised on PRC regulatory requirements and ERPA issues with respect to the acquisition of CERs under the Kyoto Protocol and other arrangements.

At an operational level, Edwarde advises on technology licensing and transfers, operational and distribution arrangements, anti-corruption investigations, treasury functions, general commercial agreements and labour matters.

Edwarde was resident in Beijing for three years. He frequently spends time in the Deacons China offices.

Highlights

Assisting a French multinational with the establishment of major reconstituted tobacco joint venture production facility in Yunnan in a project that involved multiple PRC investors, including major state-owned enterprises, and required specialized industry sector approvals.
Assisting the Bankruptcy estate of a major European auto manufacturer with the sale of its European production assets to a Chinese lead consortium, including multi-national investors with significant security arrangements.
Assisting a major Japanese multinational in the acquisition of a controlling interest in a service business as an integral part of a strategic alliance with a major Hong Kong listed company which relationship included cross-holding of equity interests in each others subsidiaries in Hong Kong and China. The transaction was a notifiable transaction under the rules of the Hong Kong Stock Exchange.
Assisting a major Brazilian mining conglomerate with PRC anti-monopoly clearance for a minority investment by a major Japanese multi-national in the development and exploitation of an integrated iron ore mining project in the State of Minas Gervias in Brazil. This project did not involve any PRC entities.
Assisting a major Japanese multinational on litigation and settlement arrangements related to the discontinuation of a major product line and the termination of the related processing contracts and distribution arrangements. Disputes were handled both in the PRC and Hong Kong.
Assisting a European private equity fund with the reorganization of its Hong Kong and PRC operations as a part of global reorganization and assisting with the review of portfolio investments.
Assisting a French energy multinational with the review of seventeen 49.5 MW wind firm projects in Northern China and combined cycle power plants in Central and Southern China in connection with a green house gas emission reduction projects.

More about Edwarde Webre

Accolades

Appointments/Memberships

Education

Recent Activities

China – Highlights Of The Administrative Measures For Cybersecurity Incident Reporting (Comment Draft).

UK – Changes To Pensions And Inheritance Tax: More Than Meets The Eye.

India – Jet, Set And Grounded – Supreme Court Orders liquidation Of Jet Airways.

India – The Paradox Of Security Interest For Dissenting Secured Creditors: Has The Paridhi Finvest Judgement Settled The Issue?

India – Simultaneous IBC Proceedings Against Corporate Debtor And Corporate Guarantor: Critical Takeaways From BRS Ventures Case.

Overseas Companies And The EU And UK Carbon Border Adjustment Mechanisms.

Malaysia – Case Law Discourse On The Non-compliance Or Breach Of Express Conditions Of Alienated Land.

Malaysia – Taxation Of Legal Fees.

Indonesia – Refining The Indonesian Core Tax Administration System.

Malaysia – Suing Shareholders For The Failure Of A Company To Redeem The Redeemable Convertible Cumulative Preference Shares (RCCPs).

EU Court Clarifies VAT Rules For Gambling Businesses – Key Insights For Operators In The Industry.

CONVENTUS LAW

OTHERS