
Measures for the Administration of the Reporting of Cybersecurity Incidents in the Business Fields of the People's Bank of China

Document Number: 中国人民银行令〔2025〕第4号 (Order of the People's Bank of China No. 4 [2025])
Issuing Authority: People's Bank of China
Date Issued: May 23, 2025
Effective Date: August 1, 2025
Area of Law: Network and Information Security

Order of the People's Bank of China
(No. 4 [2025])


The Measures for the Administration of the Reporting of Cybersecurity Incidents in the Business Field of the People's Bank of China, as deliberated and adopted at the eighth executive meeting of the People's Bank of China on May 12, 2025, are hereby issued, and shall come into force on August 1, 2025.

Pan Gongsheng, Governor
May 23, 2025


Measures for the Administration of the Reporting of Cybersecurity Incidents in the Business Field of the People's Bank of China

Chapter I General Provisions
Article 1 These Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on the People's Bank of China, and other laws and administrative regulations, for the purpose of regulating the administration of the reporting of cybersecurity incidents in the business fields of the People's Bank of China (“PBC”).
Article 2 A financial service provider that experiences a cybersecurity incident in the PBC business fields within the territory of the People's Republic of China shall report to the PBC or PBC branch office in its domicile in accordance with these Measures. Cybersecurity incidents not within the PBC business fields need not be reported in accordance with these Measures. If a state secret is involved, the relevant provisions shall apply.
Article 3 In these Measures, "PBC business fields" means the business fields which the PBC has a duty to supervise and administer under laws, administrative regulations, and decisions of the Central Committee of the Communist Party of China and the State Council.
In these Measures, "cybersecurity incident in the PBC business fields" ("cybersecurity incident") means an incident, arising from any human factor, cyberattack, vulnerability, software or hardware defect or failure, force majeure, or other factor, which causes harm to a network in the PBC business fields constructed, operated, maintained, or managed by an institution or to data in the PBC business fields processed by it.
Article 4 A financial service provider shall also report in accordance with the provisions established by a relevant national authority or any other financial regulatory department on the reporting of cybersecurity incidents, if any. In the case of a cybersecurity incident involving endangering a computer information system or any other violation or crime, a financial service provider shall also promptly report to public security authorities.
The PBC strengthens the sharing of cybersecurity incident reports with relevant state authorities and other financial regulatory departments, notifying the relevant state authorities of cybersecurity incidents in accordance with the provisions established by them and notifying the other financial regulatory departments of cybersecurity incidents as needed by them.
Article 5 Any individual or organization has the right to report to the PBC or its branch office a financial service provider's failure to report a cybersecurity incident in accordance with these Measures. The PBC or PBC branch office shall keep the information of the informant confidential.
Chapter II Classification of Cybersecurity Incidents
Article 6 A financial service provider shall specify cybersecurity incident classification standards ("classification standards") in its cybersecurity management system or operating rules and procedures, and classify cybersecurity incidents into four levels: critical, high, medium, and low. The financial service provider shall organize annual evaluations and update the classification standards as appropriate. Any updates to the classification standards shall be submitted for approval to the leadership responsible for cybersecurity.
When formulating classification standards, the financial service provider shall take into account the impact of cybersecurity incidents on business and users, among others. In developing classification standards for networks in the PBC business fields that are closely related to deposits and withdrawals, payment transactions, tax payments to the treasury, and interbank market transactions, the financial service provider shall consider the different impact of cybersecurity incidents on business processing during peak and non-peak business hours.
The financial service provider shall also formulate classification standards related to the tampering, destruction, or leakage of data in the PBC business fields in accordance with relevant data security management regulations.
The financial service provider may develop classification standards applicable specially to networks in the PBC business fields with a cybersecurity protection level of 3 or above.
Article 7 Under any of the following circumstances, a cybersecurity incident shall be classified as critical:
(1) A network in the PBC business field, as financial infrastructure that directly serves more than 50 million natural persons or is closely related to deposits and withdrawals, payment transactions, tax payments to the treasury, or interbank market transactions, experiences a complete main function interruption across not less than two provincial administrative regions for not less than three hours during peak business hours or in a single provincial administrative region for not less than six hours.
(2) A network in the PBC business fields that provides financial services experiences a main function interruption, timeout error, or similar fault that makes regular business impossible and, as reasonably assessed or estimated, affects not less than 10 million natural persons or 1 million legal persons and other organizations.
(3) Core data in the PBC business fields is tampered with, destroyed, or leaked.
(4) Not less than 10 million pieces of sensitive personal information or not less than 100 million pieces of personal information are leaked as a result of the incident.
(5) The cyberspace administration or public security authorities have specified that the cybersecurity incident shall be classified as critical.
(6) The PBC or its Shanghai Head Office, provincial branch office, or branch office in a city under separate state planning determines and notifies a financial service provider in writing that a cybersecurity incident shall be classified as critical.
Article 8 Under any of the following circumstances, a cybersecurity incident shall be classified as high at a minimum:
(1) A network in the PBC business field, as financial infrastructure that directly serves more than 50 million natural persons or is closely related to deposits and withdrawals, payment transactions, tax payments to the treasury, or interbank market transactions, experiences a complete main function interruption across not less than two provincial administrative regions for not less than 1.5 hours during peak business hours or in a single provincial administrative region for not less than three hours.
(2) A network in the PBC business fields that provides financial services experiences a main function interruption, timeout error, or similar fault that makes regular business impossible and, as reasonably assessed or estimated, affects not less than 1 million natural persons or 100,000 legal persons and other organizations.
(3) Important data in the PBC business fields is tampered with, destroyed, or leaked.
(4) Not less than 1 million pieces of sensitive personal information or not less than 10 million pieces of personal information are leaked as a result of the incident.
(5) The cyberspace administration or public security authorities have specified that the cybersecurity incident shall be classified as high.
(6) The PBC or its Shanghai Head Office, provincial branch office, or branch office in a city under separate state planning determines and notifies a financial service provider in writing that a cybersecurity incident shall be classified as high.
Article 9 Under any of the following circumstances, a cybersecurity incident shall be classified as medium at a minimum:
(1) A network in the P......
