Reed Smith Client Alerts

Key takeaways

  • China has issued draft measures to impose stringent requirements on reporting of data incidents
  • Significant business implications for MNCs and their business operations in China
  • Business organisations are advised to take steps in response to enhanced compliance regime

In order to standardise the reporting of data incidents, reduce the losses and damage caused by data incidents, and maintain national cybersecurity, the Cyberspace Administration of China (CAC) released the draft Measures for the Administration of Cybersecurity Incident Reporting (Draft Measures) on 8 December 2023 for public consultation, with a closing date of 7 January 2024.

Reporting of cybersecurity incidents is not a new legal requirement in China. It is a provision of the Cybersecurity Law (CSL), the Data Security Law (DSL), the Personal Information Protection Law (PIPL), and other relevant legislation, but specific details are still lacking, and the legal provisions are not always consistent with each other. Once enacted, the Draft Measures will set out the specific requirements with respect to cybersecurity incidents and have a significant impact on business organisations. This client alert summarises the key requirements and highlights under the Draft Measures and discusses the major implications for business organisations.