Understanding China data breach notification requirements is now an operational priority for every company that processes data within the People’s Republic of China. Since 1 January 2026, the Cyberspace Administration of China (CAC) has enforced tighter cybersecurity incident reporting obligations, including a mandatory four‑hour reporting window for qualifying incidents, new severity classifications, and designated reporting channels such as the 12387 incident reporting hotline. This guide sets out the full legal framework, walks through the decision flow for who must report and to whom, and provides the practical checklists and templates compliance teams need to respond within the compressed timelines that now apply.
Before diving into the detail, here is the headline roadmap every DPO, general counsel and security‑operations lead should internalise.
China does not have a single, self‑contained breach‑notification statute. Instead, data breach reporting obligations arise from three principal laws and a newer set of implementing measures that took effect at the start of 2026. Each instrument addresses a different slice of the data‑protection landscape, and most organisations will find that at least two, and often all four, apply simultaneously.
Effective since 1 November 2021, the Personal Information Protection Law (PIPL) is the closest analogue to the EU’s GDPR. Article 57 requires personal information processors to notify the authority exercising personal information protection duties and, where the incident may cause harm, to notify affected individuals. PIPL does not set a fixed hour‑count for regulator notification; instead, it uses the language “immediately” (立即), leaving the operational timeline to be clarified by subordinate measures, which is precisely what the CAC’s 2026 rules now do.
The Data Security Law, effective since 1 September 2021, addresses the broader category of “data”, not only personal information, and imposes security‑incident reporting obligations on data processors. Article 29 requires organisations to take remedial measures immediately upon discovering a data security incident, notify users, and report to the competent authority. The DSL is especially relevant for incidents involving “important data” or “core data” as designated under China’s tiered data‑classification scheme.
The Cybersecurity Law (effective 1 June 2017) applies to “network operators,” a broad category that captures virtually any entity operating a computer network in China. Critical Information Infrastructure Operators (CIIOs), companies in sectors such as telecommunications, energy, transport, finance and public services whose systems, if compromised, could endanger national security, bear heightened obligations, including mandatory CAC security assessments for outbound data transfers.
The State Measures on the Management of Cybersecurity Incident Reporting, finalised in late 2025 and effective from 1 January 2026, are the most operationally significant development. They codify the four‑hour reporting window, define four tiers of incident severity, designate the 12387 hotline and WeChat mini‑program as official reporting channels, and establish the provincial‑to‑national escalation framework. Industry observers note that these measures transformed what was previously a patchwork of guidance documents into a binding and enforceable procedural regime.
| Law / Measure | Trigger for reporting | Primary regulator |
|---|---|---|
| PIPL (Art. 57) | Leakage, tampering or loss of personal information that may cause harm | Authority exercising PI protection duties (in practice, often provincial CAC) |
| Data Security Law (Art. 29) | Data security incident affecting any category of data | Competent sectoral authority + CAC where applicable |
| Cybersecurity Law | Network security incident; heightened for CIIOs | Provincial CAC (escalating to national CAC for severe incidents) |
| CAC 2026 Measures | Cybersecurity incident meeting any of the four severity tiers | Provincial CAC → national CAC (for severe / extremely severe) |
Not every security event rises to the level of a reportable cybersecurity incident. The CAC’s 2026 Measures establish four severity tiers, each carrying different reporting and escalation obligations. Mapping your incident to the correct tier is the first critical step.
The State Measures on the Management of Cybersecurity Incident Reporting define the following tiers:
The data breach reporting obligations differ depending on the nature of the reporting entity. In practice, most companies fall into at least one, and sometimes more than one, of these categories.
| Entity type | Typical incidents to report | Where to report (first point of contact) |
|---|---|---|
| Critical Information Infrastructure Operator (CIIO) | Large‑scale data exfiltration, service disruption, national security impact | Provincial CAC → national CAC (provincial escalates for severe / extremely severe) |
| Network operator / ISP | Service interruptions affecting users, upstream compromises, malware propagation | Provincial CAC or relevant sectoral body per local rules |
| Personal information processor (data controller / processor) | Leakage, tampering or loss of personal information that may cause harm | Local or regional supervisory authority + CAC if severity threshold is met |
The default first point of contact is the provincial‑level CAC office where the entity’s principal operations or registered office is located. For CIIOs, sector‑specific regulators (for example, the People’s Bank of China for financial institutions, or MIIT for telecommunications companies) may also require concurrent notification. The provincial CAC serves as the gateway: it receives the initial report within four hours, assesses severity, and, for severe or extremely severe incidents, escalates to the national CAC within one hour. Companies should pre‑map their provincial CAC contact details and any applicable sectoral regulator well before an incident occurs.
The four‑hour reporting requirement is the single most operationally demanding element of the 2026 framework. Getting it right requires clarity on three questions: when does the clock start, which incidents are in scope, and how does the escalation ladder work?
The CAC Measures use the concept of “discovery” (发现) as the trigger. The clock starts when the organisation, through its monitoring systems, staff reports, third‑party alerts, or any other means, becomes aware or reasonably should have become aware that a cybersecurity incident has occurred. This is not the moment the incident began (which may have been days or weeks earlier), but the moment the organisation gained actual or constructive knowledge. In practice, the likely effect is that automated monitoring tools and SOC (Security Operations Centre) alert timestamps will be treated as the evidence of awareness, making investment in real‑time detection critical.
All four severity tiers, from minor to extremely severe, require an initial report to the provincial CAC within four hours. However, the completeness of the initial report may differ. For minor incidents, a brief factual notification with the core fields (what happened, when it was detected, preliminary impact assessment, containment actions taken) is expected. For serious, severe and extremely severe incidents, the CAC expects a more detailed initial submission and may issue follow‑up requests within hours.
After receiving a report that it classifies as severe or extremely severe, the provincial CAC must escalate to the national CAC within one hour. This one‑hour escalation is the provincial authority’s obligation, not the reporting entity’s. However, companies should be prepared for the national CAC to contact them directly once escalation has occurred, and response teams should have senior management availability confirmed around the clock.
The following timeline illustrates how the four‑hour rule might play out in practice for a serious incident detected by an automated intrusion‑detection system at 02:00.
The CAC has designated multiple reporting channels to accommodate different operational scenarios. Companies should identify and test their preferred channel before an incident occurs: discovering at 03:00, during a live incident, that a portal URL has changed or that a WeChat mini‑program requires corporate verification is a failure mode that can be eliminated through advance preparation.
The 12387 incident reporting hotline is a dedicated voice line operated by the CAC. Callers will navigate an automated menu (in Mandarin Chinese) before being connected to an operator. To use the hotline effectively during a live incident, prepare the following information in advance:
The CAC has deployed a WeChat mini‑program that allows incident reports to be submitted directly through the WeChat platform. Users can locate it by searching for the official CAC cybersecurity reporting mini‑program within WeChat’s search function. The mini‑program presents a structured form with required fields that mirror the hotline submission requirements. Early indications suggest that the mini‑program is the fastest channel for after‑hours submissions, as it avoids telephone queue times and produces an automatic receipt with a timestamp, valuable evidence for compliance records.
Most provincial‑level CAC offices maintain online portals for incident submissions. Portal URLs and interfaces vary by province, and not all portals are available 24/7. Companies should bookmark and periodically test their relevant provincial CAC portal, confirm login credentials (some portals require pre‑registration), and save offline copies of the submission form template.
A PIPL incident response requires two parallel notification streams: one to the regulator (covered above) and one to affected individuals. These obligations are legally independent, and completing one does not excuse delay in the other.
Under Article 57 of PIPL, personal information processors must notify affected individuals when a leakage, tampering, or loss of personal information “occurs or may occur” and the incident may cause harm to the rights and interests of individuals. The threshold is low: if there is a reasonable possibility of harm, including identity theft, financial loss, reputational damage or discrimination, notification is required. PIPL permits organisations to forgo individual notification only where effective measures have been taken to avoid the harm, and the processor can document that conclusion.
Individual notifications should, at a minimum, include the following elements (modelled on Article 57 of PIPL):
PIPL does not expressly authorise a general delay in individual notification. However, if the regulator instructs the organisation to postpone public disclosure to protect an ongoing investigation or to prevent further harm, compliance with that instruction will ordinarily shield the processor from liability for delayed individual notification. Companies should document any such instruction in writing and retain it as part of the incident record.
Effective PIPL incident response depends on evidence that is collected and preserved from the first moments of detection. Regulators and, in enforcement proceedings, courts will scrutinise the quality of an organisation’s contemporaneous records.
Companies should define a standing escalation matrix that identifies, by role, who must be informed and who has authority to approve the CAC submission. A typical matrix includes the SOC analyst (detection), the CISO or IT security manager (confirmation and containment), the DPO or chief compliance officer (legal assessment and submission drafting), and the CEO or general manager (sign‑off for severe or extremely severe incidents). Pre‑delegated authority is essential: if the CEO is unreachable at 03:00, the compliance function must have standing authorisation to submit.
Maintain a single, centralised incident log for each event. The log should record every action taken, the timestamp, the responsible person, and the outcome. This log serves three purposes: it evidences compliance with the four‑hour rule; it supports any subsequent CAC investigation or audit; and it forms the basis for internal lessons‑learned reviews. Store incident logs for a minimum of three years, longer if the incident involves important data or triggers litigation.
For multinational companies, a cybersecurity incident in China may have consequences that extend beyond domestic compliance. Where the compromised data was the subject of an approved cross‑border data transfer mechanism, whether a CAC security assessment, a cross‑border data transfer certification, or standard contractual clauses (SCCs), the incident creates additional obligations.
The short answer is: it can. A serious or severe data breach may be treated by the CAC as a material change in the circumstances upon which the original security assessment or certification was granted. In practice, companies should expect the CAC to inquire whether the incident was caused by or facilitated by the cross‑border transfer, and whether the data‑importing party’s security measures were adequate. If the CAC determines that the transfer mechanism is no longer compliant, it may require a supplemental assessment or, in extreme cases, suspend the transfer.
The following phased checklist distils the obligations discussed above into an actionable workflow. Compliance teams should adapt it to their organisation’s size, sector and risk profile.
The 2026 regulatory landscape for China data breach notification requirements leaves little margin for improvisation. The four‑hour CAC reporting window, the four‑tier severity classification, the parallel PIPL individual‑notification obligation, and the potential impact on cross‑border data transfer certification all demand that companies build, test, and maintain an incident‑response capability that is operational around the clock. Compliance is not a document; it is a rehearsed, staffed, and continuously updated operational function. Organisations that invest in pre‑mapped escalation matrices, pre‑drafted submission templates, and regular tabletop exercises will be positioned not only to meet the legal requirements but to contain incidents faster and limit regulatory exposure.
Those that treat the framework as an afterthought will likely discover the cost of non‑compliance in the form of enforcement actions, reputational damage, and disrupted cross‑border data flows.
Last reviewed: 20 May 2026. This article will be updated following any new CAC guidance, implementing rules, or significant enforcement decisions.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Maggie Meng at Beijing Global Law Office, a member of the Global Law Experts network.