On 8 December 2023, the People's Republic of China issued the Draft Administrative Measures on Reporting Cybersecurity Incidents (网络安全事件报告管理办法（征求意见稿）) ("Draft Measures") for public consultation. The consultation is open for feedback on the Draft Measures until 7 January 2024.
The obligation to report cybersecurity incidents is an existing obligation for network operators under Article 25 of the PRC Cybersecurity Law (中华人民共和国网络安全法). The Draft Measures represent a further step by the Cyberspace Administration of China to detail the reporting procedure and the potential liability for failure to meet the reporting obligation. In this Update, we delve into some of the key highlights of the Draft Measures, including the scope of reportable cybersecurity incidents, the timelines for reporting, what should be included in the report, and the penalties for breach of the requirements.