According to the CAC, the document is intended to standardize the reporting of cybersecurity incidents and reduce the losses and damage caused by such incidents, so as to safeguard national cybersecurity.
The document clarifies that operators should promptly initiate emergency response plans to deal with network security incidents. Based on the guidelines for the classification of network security incidents, those considered large, severe, or extremely severe incidents should be reported within one hour.
According to the guidelines, if important networks and information systems suffer from particularly severe system losses, resulting in widespread system paralysis and loss of business processing capabilities, it is considered an extremely severe network security incident.
This classification also includes a situation in which state secret information, important sensitive information, and important data is lost or stolen, tampered with or counterfeited, posing a particularly serious threat to national security and social stability.
Other events that pose serious threats to national security, social order, economic development, and public interests are also considered to be extremely severe network security incidents.
Specifically, if provincial-level and above Party and government portal websites or key news websites cannot be accessed for more than 24 hours due to attacks or malfunctions, or if the overall operation of critical information infrastructure is interrupted for more than six hours or the main functions are interrupted for more than 24 hours, it can generally be identified as an extremely severe cybersecurity incident.
If the event affects the work and lives of more than 30 percent of the population in a single provincial-level administrative region, or affects the use of water, electricity, gas, oil, heating, or transportation of more than 10 million people, it also falls into this category.
Additionally, the guidelines specify that if the incident leads to the leakage of personal information of more than 100 million people or causes direct economic losses of more than 100 million yuan ($14 million), it will also be considered an extremely severe cybersecurity incident.
The draft for comment of the document shows that the governance of network security in China has entered an important stage of high-quality development, Qin An, deputy director of the expert committee of counter-terrorism and cyber security governance at the China Society of Police Law, told the Global Times on Friday.
Qin noted that the classification of network security incidents by severity level is a highlight of the document, as it allows for the categorization of incidents based on their urgency and importance. “The classification resolves some of the confusion that may arise during actual implementation,” he said.
According to the CAC, if the operator delays reporting, falsely reports, or conceals a cybersecurity incident, resulting in significant harmful consequences, the operator and relevant responsible individuals shall be severely punished according to the law.
“The implementation of relevant punitive measures is crucial to ensure the effective enforcement of laws and to safeguard national security,” the expert said.
According to the CAC, when encountering a cybersecurity incident, an operator should report the name of the unit where the incident happens and basic information about the facilities, systems, and platforms involved, as well as the time, location, type of event, and the impact and harm caused.
Additionally, the document states that the report should include the measures that have been taken and their effectiveness, the development trend of the situation, potential further impact and harm, and preliminary analysis of the causes of the incident.