It's Personal, Not Just Business: New Measures from China Focus on Data Protection and the Societal Impact of Cyber Incidents Within Critical National Infrastructure and OT Security
By Aisling Dawson | 15 Oct 2025 | IN-7963
November Deadline Approaches for Chinese Network Operators' New Cyber Incident Responsibilities
NEWS
China’s new reporting measures for cybersecurity incidents and disclosure of data breaches will come into effect on November 1, 2025, as part of its new collection of operational cybersecurity mandates, released on September 11. Under Article 25 of the Administrative Measures for the Reporting of National Cybersecurity Incidents, operators must immediately set their emergency response plans in motion once an incident is detected, taking remedial actions and reporting the incident to the competent authority within either 4 hours for operators of non-critical infrastructure or within 1 hour for critical infrastructure operators. Consequently, operators have 3 weeks to brush up on their incident response plans and notification procedures.
China's New Reporting Measures Set the Tone for Data Protection Within OT Security
IMPACT
- Short-Term Impact: In the short term, this newest mandate renders China a leading reference as it relates to shortening reporting and disclosure deadlines within cyber incident response. In other countries, growing interconnectivity between systems and the widening attack surface within Critical National Infrastructure (CNI) has prompted national governments to adopt a stricter approach to cyber incident notification rules. Under NIS 2 in Europe, essential and important entities are required to notify their competent authorities of an incident within 72 hours and deliver an early warning to other possibly affected countries within 24 hours. Similarly, while there are other state-to-state differences, under the U.S. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), U.S. operators of critical infrastructure must report incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Other countries have implemented a shorter deadline for reporting, with specified cyber incidents in India to be reported to the Indian Computer Emergency Response Team (CERT-In) within 6 hours. However, at 1 and 4 hours for CNI operators and non-CNI operators, respectively, China’s newest mandates represent a significant curtailment of the incident reporting period. While some vertical-specific reporting rules within the finance, telecommunications, and healthcare sectors require a similarly short notification time frame—including both real time and near-real time—outside of CNI and vertical-specific rules, China’s notification timelines are the most stringent measures to be broadly applied to all network operators and Non-State Actors (NSA), including both CNI and non-CNI operators.
- Medium-Term Impact: China’s measures conceptualize cyber incidents through the lens of data protection, aligned with Europe’s General Data Protection Regulation (GDPR), and extending beyond similar developments under the NIS 2 Directive. As CNI and Operational Technology (OT) infrastructure faces sustained threats from malicious actors, citizen data are increasingly a target, as manifest in recent events such as the January 2025 Russia-Ukraine cyberattacks and April 2025 breach of Morocco’s national social security fund. System interconnectivity compounds the impact of these breaches, especially as OT and Information Technology (IT) systems continue to converge and growing reliance on the Internet of Things (IoT) within OT expands the prospective attack surface. Since the GDPR’s conception, data breach reporting has become increasingly intertwined with CNI cyber incident reporting, with any breach of citizens’ personal data either demanding its own notification procedure—notwithstanding the relevant entities’ role as an operator of CNI—or considered as an aggravating factor for cyber incident reporting deadlines. However, contemporary mandates also tend to follow the 72-hour rule, rather than China’s 1- and 4-hour mandates. Further, although China’s tiered approach is similar to NIS 2’s tiered model, personal data loss is not a component of the “significant” incidents’ definition under this directive, while China’s new measures deem leakage of 100 million citizens’ personal information a particularly major incident, 10 million citizens a major incident, and 1 million a significant incident. Thus, unlike Europe, China has explicitly centered citizen data protection within its new security mandate. 
By underlining the significance of data protection within OT security, China’s measures further strengthen the relationship between cyber incidents and data breaches, setting a stricter precedent for other countries with regard to data protection in the OT context in the medium term.
- Long-Term Impact: China’s severity threshold takes into consideration the societal impact of a cyber incident, defining harm more broadly than operational disruption, physical harm, and economic loss. While other regulatory frameworks like NIS 2 consider the “non-material damage” done to citizens, China’s new measures specifically consider the impact of a cyber incident on national security, social stability, social order, or public interests. By explicitly considering the societal impact of cyber incidents, China takes a forward-thinking approach to data protection and cyber incidents, one that recognizes that cyberattacks targeting data are not exclusively for the purposes of espionage, determining trade secrets, or exfiltrating militarily significant information. Rather, any breach of citizen data can have a destabilizing and psychological effect by sowing fear and undermining social order within the target nation. Moving beyond a focus on the physical or material effects of cyber incidents demonstrates a growing appreciation within the international community that the psychological and societal impacts of cyber incidents constitute harm. In the long term, broader thresholds for harm, as exhibited within China’s newest measures, have the potential to impact proportionality calculations for cyberattacks and, even further, reshape the definition of an armed attack under international law, which is traditionally focused on attack kineticism and physicality.
Recommendations for Network Operators in the Short, Medium, and Long Term
RECOMMENDATIONS
For network operators with operations in China, early preparation and careful planning will help mitigate liability and limit penalization, including:
- Integrating Artificial Intelligence (AI) and Machine Learning (ML)-based automation to bolster the speed and efficiency of threat detection and response capabilities. Vendors like Palo Alto Networks combine ML with Generative Artificial Intelligence (Gen AI) and Deep Learning (DL) to combat cyberthreats through Precision AI tooling, while local outfits like Factosecure offer AI-powered threat detection.
- Enhancing alert systems with incident record-taking capabilities and contextualized visibility. For example, OT security vendors like Rockwell Automation offer managed Security Operations Center (SOC) services to assist in alert triage, combining operations-specific intel with alert systems to bolster network surveillance and monitoring, while limiting alert fatigue.
- Optimizing internal cyber hygiene by integrating enhanced access control measures (e.g., passkeys, Multi-Factor Authentication (MFA), biometric authentication, zero trust models), advanced firewall and network protection, automated backup practices, and security updates (e.g., automated patching and patch prioritization based on business-specific needs). CyberArk Privileged Access Manager helps limit credential exposure and bolsters compliance documentation and auditing features.
- Conducting tabletop exercises to track current discovery and notification timelines across OT and IoT assets. Simulations led by Fortinet’s FortiGuard Incident Response experts are well-positioned for testing incident response plans and subsequent disclosure procedures.
- Investing in cyber awareness training and re-training staff in relation to the demands of the new administrative measures.
- Prioritizing flexibility in reporting timelines and disclosure practices, especially for operators with a global footprint that will have to adapt their processes in China, but also remain capable of following other nation-specific procedural rules.
Yet, China’s measures also bring key takeaways for state actors and non-state operators globally in both the medium and long terms. These actors should:
- Prioritize international cooperation via information sharing, joint tabletop exercises, and collaborative incident training drills to ensure incident procedures are aligned, particularly for organizations operating within multiple countries and regions.
- Consider harmonizing standards to ease compliance with various notification and reporting mandates, including harmonized templates for incident reporting where altering notification deadlines is too cumbersome.
- Integrate data protection and societal considerations into incident reporting thresholds and definitions, enabling a fuller consideration of the effect of cyber incidents outside of physical, economic, and business-related impacts.
China’s newest cybersecurity administrative measures represent a forward-thinking approach to incident response. If other nations are to boast the same degree of protection for their systems and citizens’ data, they should be looking to the example China has set.
Written by Aisling Dawson