ATTICUS ZHAO AND DANNI SIMA In recent years, cybersecurity incidents have occurred frequently, with the scope of impact and degree of harm continuously escalating. To regulate and respond to cybersecurity incidents in China, the Cyberspace Administration of China (CAC) issued the National Administrative Measures for Reporting Cybersecurity Incidents (the “Measures”) on September 1, 2025, which took effect on November 1, 2025. 1. Scope of Application and Management System The Measures require that network operators that build, operate networks, or provide services through networks within the territory of the PRC shall report cybersecurity incidents in accordance with the provisions of the Measures when such incidents occur. Under China Cybersecurity Law and the Measures, a network operator refers to the owner, manager, or network service provider of a network, and network refers to any internet or LAN or WAN used by a network operator. This means any entity that uses network in China will be a network operator under the said laws and regulations. On September 15, 2025, the CAC issued a press Q&A regarding the Measures (the “Q&A”). In Q3 (scope and reporting entities covered by the Measures), the Q&A clarifies that the scope of application and reporting entity under the Measures are network operators that build, operate networks, or provide services via networks within the territory of the PRC. Under the Measures, the CAC is responsible for overall coordination nationwide for cybersecurity incidents reporting, while provincial cyberspace administration departments are responsible for implementation within their respective administrative regions. In the meantime, a collaborative mechanism is formed with public security authorities and industry regulators. 2. Classification and Time Requirements for...