Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 13 January 2025

Yes.

  • general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
  • obligation to take specific security measures e.g., encryption
  • requirement to undertake third party due diligence (security assessment of third party providers)
Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 13 January 2025

Network information security requirements (broader than telecommunications)

Under the CSL, network operators are generally required to:

  • Formulate internal security management systems and operating instructions, determine the persons responsible for cybersecurity, and implement the responsibility for cybersecurity protection
  • Implement technological measures to prevent computer viruses, network attacks, network intrusions, and other actions endangering cybersecurity
  • Implement technological measures to monitor and record the network operation status and cybersecurity incidents, and preserve relevant web logs for no less than six months
  • Take measures such as data classification, back-up and encryption of important data, and
  • Comply with other obligations stipulated by laws and administrative regulations.

Health regulatory requirements

According to the Measures for Cybersecurity Administration of Medical and Healthcare Institutions, issued by the National Health Commission (NHC) together with two other supervisory authorities and effective from 29 August 2022, licensed medical and healthcare institutions are required to obtain certification under the Classified Protection of Cybersecurity scheme (CCSP), also known as the Multi-Level Protection Scheme (MLPS), as required under the CSL. The Measures also stipulate other cybersecurity requirements, such as conducting an annual security self-inspection in various forms (document verification, vulnerability scanning and penetration testing) in order to discover possible issues and potential risks in a timely manner.

Financial services requirements

Each of the financial regulators in China has also formulated and implemented their industry-specific cybersecurity requirements for the financial institutions under their respective jurisdictions.

Telecommunication requirements

As key telecommunication operators are generally deemed to be CIIOs, please refer to the cybersecurity obligations of CIIOs described below.

Providers of critical infrastructure

According to the Regulations on Critical Information Infrastructure Security Protection, a CIIO is responsible for the security protection of its CII(s). A CIIO should implement technical protection measures and other necessary measures to deal with cybersecurity incidents, prevent cyberattacks and other illegal and criminal activities, ensure the security and stable operation of critical information infrastructure, and maintain integrity, confidentiality and availability of data.

Digital or connected (IoT) products

According to the Measures for the Administration of Data Security in the Industrial and Information Technology Sector (for Trial Implementation), data processors in the field of industry and information technology bear primary responsibility for the security of their data processing activities and must implement graded protection for different types of data. Where data of different levels is processed at the same time and it is difficult to take separate protection measures, protection shall be implemented in accordance with the requirements of the highest level, so as to ensure that the relevant data remains effectively protected and lawfully utilized. Such measures include:

  1. Establishing a data security management system for the entire life cycle of data, and formulating specific hierarchical protection requirements and operational procedures for data collection, storage, use, processing, transmission, provision, and disclosure of data at different levels
  2. Equipping data security management personnel as needed, coordinating and being responsible for the security supervision and management of data processing activities, and assisting industry regulators in their work
  3. Reasonably determining the operating authority of data processing activities, and strictly implementing personnel authority management
  4. Formulating emergency plans and carrying out emergency drills according to the needs of responding to data security incidents
  5. Regularly carrying out data security education and training for practitioners, and
  6. Complying with other measures stipulated by laws, administrative regulations and other provisions.

Other

The CSL also imposes a general obligation on all network operators to fulfill the CCSP obligations in order to ensure that the network is free from interference, damage or unauthorized access and prevent network data from being divulged, stolen or falsified. Such requirements include:

  • Implementing technological measures to prevent computer viruses, network attacks, network intrusions and other actions endangering cybersecurity
  • Implementing technological measures to monitor and record the network operation status and cybersecurity incidents, and keeping relevant web logs for no less than six months in accordance with the relevant regulations
  • Implementing measures such as data classification, back-up and encryption of important data
Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 13 January 2025

  • Data privacy
  • Securities or public company
  • network information security
  • health
  • financial services
  • telecommunications
Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 13 January 2025

Yes

A general breach notification mechanism has been set out in the PIPL.

In the event of leakage of, tampering with, or loss of personal information, or when such events may have occurred, personal information processors should take remedial actions at once and notify personal information protection authorities as well as any individual concerned. The notification should include information such as:

  1. Categories of personal information involved, causes of the incidents and potential harm of the data breach incident
  2. Remedial measures taken by the personal information processors and mitigation measures that individuals concerned may take, and
  3. The contact information of the personal information processor

If the personal information processors consider that the measures taken can prevent any harm arising from the leakage of, tampering with, or loss of information, they may choose not to notify the individual concerned. Nonetheless, if personal information protection authorities consider that the personal information leakage may be detrimental to the individuals concerned, the authorities may still require the personal information processors to notify the individuals concerned.

In the draft Measures for the Administration of Reporting of Cybersecurity Incidents issued by the CAC in December 2023 (Draft Cybersecurity Incident Reporting Measures), it is proposed that network operators engaged in the development and operation of networks, or in the provision of services through networks, within China should report cybersecurity incidents to the CAC, the Public Security Bureau, the authority in charge of the critical information infrastructure operator and/or the competent industry regulator. A cybersecurity incident is defined as an event that causes harm to a network or information system or its data, due to human factors, software or hardware defects or malfunctions, natural disasters, etc., and results in negative social impacts.

Controllers/Owners have to notify:

Last review date: 13 January 2025

  • Data protection authorities

It is unclear for the time being. The exceptions are telecommunications service providers and network service providers, which must notify the Ministry of Industry and Information Technology (and its local offices), and banking financial institutions, which must notify the People's Bank of China (and its local offices).

    Under the PIPL, the CAC and its local counterparts are the authorities responsible for the management and supervision of personal information protection in general. However, as there are other Chinese regulators who are also vested with the responsibility of protecting personal information, it is unclear under the PIPL which regulator(s) are responsible for the handling of data breach notifications.

    For banking/financial institutions, the notification must be made within seven working days following the occurrence of the incident.

    For other types of business operators/network operators/personal information processors (as defined under the PIPL), although the response timeframe is not clearly stipulated, the notification must be made in a timely manner.

According to the Draft Cybersecurity Incident Reporting Measures, the main authority will be the local or state-level CAC. However, reporting may also be made to the Public Security Bureau, the authority in charge of the critical information infrastructure operator and/or the competent industry regulator, depending on the legal status of the network operator concerned.
  • Cybersecurity authorities
  • Affected individuals

No specific conditions are stipulated. The PIPL prescribes that if the personal information processor has taken steps that can effectively prevent the information leakage, unauthorized alteration or loss from causing harm, the personal information processor can be exempted from notifying the affected individuals. However, if the competent authority deems that harm could still be caused by the incident, it could require the personal information processor to notify the affected individuals. Hence, companies currently have some discretion to determine whether or not the affected individuals should be notified, unless specifically required to do so by the relevant authorities.
  • Other
Processors/Agents have to notify:

Last review date: 13 January 2025

As a default rule under the PIPL, controllers are under the obligation to notify. However, as the notification requirement stipulated under the CSL applies broadly to any network operator without distinguishing between controllers and processors, it is also accepted that controllers and processors can agree on which party will give the notification in case of a personal data breach.

  • Controller/ owner

    Same response as for controllers. According to the Draft Cybersecurity Incident Reporting Measures, if the network operator experiencing the cybersecurity incident fails to make the reporting as required, the service provider(s) engaged by it shall make the reporting.
  • Data protection authorities

    Same response as for controllers.
  • Cybersecurity authorities
  • Affected individuals

    Same response as for controllers.
Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 13 January 2025

Yes

  • cybersecurity authorities
  • health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)
  • financial services requirements
  • telecommunication requirements
  • providers of critical infrastructure
  • other

Details regarding the identified data security breach notification requirements

Currently, there is no detailed definition of security breach, nor any specific requirements (e.g., the contents to be reported), stipulated under the relevant industry-specific rules. Since the PIPL came into effect recently, it remains to be seen whether the sector-specific rules will be updated in light of the introduction of the PIPL.

The Measures for Reporting, Investigating and Handling Cyber Security Incidents in Securities and Futures Industry require Key Institutions (e.g., stock exchanges) and Operation Institutions (e.g., securities companies, futures companies, and fund management companies) to report any cyber security incident to the China Securities Regulatory Commission (CSRC). The report to the CSRC should be in the form of a summary report of the incident, which should contain the following information:

  1. Basic information concerning the incident, including the time, place, duration, affected scope and degree of the incident, the losses incurred, etc.
  2. Information concerning the emergency treatment, including the information on the reporting of the incident, the measures taken and the effect of the respective measures
  3. Information concerning the investigation conducted into the incident, including the cause of the incident, classification of the incident, responsible party and conclusions
  4. Information concerning the handling of the incident, including the issues exposed, the remedial measures taken and accountability status

In the healthcare sector, the Interim Measures for Reporting of Information Security Incidents of Healthcare Quality require licensed healthcare institutions to report information security incidents concerning the quality of medical treatment to the public health authorities. Reporting may be made through the online system (or by telephone or fax if the online system is not available) and must be made within specific timeframes depending on the seriousness of the incident, as follows:

  1. within five days after the discovery of an ordinary information security incident
  2. within 12 hours after the discovery of a major information security incident
  3. within two hours after the discovery of an extremely serious information security incident

In the telecommunications sector, the Emergency Response Plan for Network Security Incidents of the Public Internet requires basic telecoms service operators, domain name registrars and internet enterprises to report to the Ministry of Industry and Information Technology (and its local offices) any network security emergencies within ten working days from the completion of the emergency measures conducted in response to the security incidents.

According to the Draft Cybersecurity Incident Reporting Measures, reporting shall be made using a template formulated by the CAC, within one hour of any significant, major or critical incident (or within 24 hours if information other than the first two items below is not available within one hour), to the provincial CAC (and to other competent authorities in the case of CII operators). The report should cover:

  • Details about the incident, including the type, impact, time and location, and measures taken. For ransomware cases, network operators must also include details about the ransom demand
  • Name of company and information about systems impacted
  • Trends in the development of the situation and potential further impact and harm
  • Preliminary analysis of the cause of the incident
  • Details required for further investigation and analysis, including information about the possible attacker, attack path, existing vulnerabilities, etc.
  • Proposed further response measures and any support requested
  • Preservation of the scene of the incident
  • Any other circumstances that should be reported