Measures for the Administration of the Reporting of Cybersecurity Incidents in the Business Fields of the People's Bank of China
Order of the People's Bank of China
(No. 4 [2025])
The Measures for the Administration of the Reporting of Cybersecurity Incidents
in the Business Field of the People's Bank of China, as deliberated and adopted
at the eighth executive meeting of the People's Bank of China on May 12, 2025,
are hereby issued, and shall come into force on August 1, 2025.
Pan Gongsheng, Governor
May 23, 2025
Measures for the Administration of the Reporting of Cybersecurity Incidents in
the Business Field of the People's Bank of China
Chapter I General Provisions
Article 1 These Measures are formulated in accordance with the Cybersecurity
Law of the People's Republic of China, the Data Security Law of
the People's Republic of China, the Personal Information Protection Law of the
People's Republic of China, the Law of the People's Republic of China on the People's
Bank of China, and other laws and administrative regulations, for
the purpose of regulating the administration of the reporting of cybersecurity
incidents in the business fields of the People's Bank of China (“PBC”).
Article 2 A financial service provider that experiences a
cybersecurity incident in the PBC business fields within the territory of the
People's Republic of China shall report to the PBC or PBC branch office in its
domicile in accordance with these Measures. Cybersecurity incidents not within
the PBC business fields need not be reported in accordance with these Measures.
If a state secret is involved, the relevant provisions shall apply.
Article 3 In these Measures, "PBC business
fields" means the business fields which the PBC has a duty to supervise
and administer under laws, administrative regulations, and decisions of the
Central Committee of the Communist Party of China and the State Council.
In these Measures, "cybersecurity incident in the PBC business
fields" ("cybersecurity incident") means an incident, arising
from any human factor, cyberattack, vulnerability, software or hardware defect
or failure, force majeure, or other factor, which causes harm to a network in
the PBC business fields constructed, operated, maintained, or managed by an
institution or to data in the PBC business fields processed by it.
Article 4 A financial service provider shall also report in accordance with
the provisions on the reporting of cybersecurity incidents established by a
relevant national authority or any other financial regulatory department, if
any. Where a cybersecurity incident involves endangering a computer information
system or any other violation of law or crime, the financial service provider
shall also promptly report to the public security authorities.
The PBC strengthens the sharing of cybersecurity incident reports with relevant
state authorities and other financial regulatory departments, notifying the
relevant state authorities of cybersecurity incidents in accordance with the
provisions established by them and notifying the other financial regulatory
departments of cybersecurity incidents as needed by them.
Article 5 Any individual or organization has the right to
report to the PBC or its branch office a financial service provider's failure
to report a cybersecurity incident in accordance with these Measures. The PBC
or PBC branch office shall keep the information of the informant confidential.
Chapter II Classification of Cybersecurity Incidents
Article 6 A financial service provider shall specify
cybersecurity incident classification standards ("classification
standards") in its cybersecurity management system or operating rules and
procedures, and classify cybersecurity incidents into four levels: critical,
high, medium, and low. The financial service provider shall organize annual
evaluations and update the classification standards as appropriate. Any updates
to the classification standards shall be submitted for approval to the
leadership responsible for cybersecurity.
When formulating classification standards, the financial service provider shall
take into account the impact of cybersecurity incidents on business and users,
among others. In developing classification standards for networks in the PBC
business fields that are closely related to deposits and withdrawals, payment
transactions, tax payments to the treasury, and interbank market transactions,
the financial service provider shall consider the different impact of
cybersecurity incidents on business processing during peak and non-peak
business hours.
The financial service provider shall also formulate classification standards
related to the tampering, destruction, or leakage of data in the PBC business
fields in accordance with relevant data security management regulations.
The financial service provider may develop classification standards applicable
specially to networks in the PBC business fields with a cybersecurity
protection level of 3 or above.
Article 7 Under any of the following circumstances, a cybersecurity incident
shall be classified as critical:
(1) A network in the PBC business field, as financial infrastructure that
directly serves more than 50 million natural persons or is closely related to
deposits and withdrawals, payment transactions, tax payments to the treasury,
or interbank market transactions, experiences a complete main function
interruption across not less than two provincial administrative regions for not
less than three hours during peak business hours or in a single provincial
administrative region for not less than six hours.
(2) A network in the PBC business fields that provides financial services
experiences a main function interruption, timeout error, or similar failure
that makes normal business processing impossible and which, as reasonably
assessed or estimated, affects not less than 10 million natural persons or
1 million legal persons and other organizations.
(3) Core data in the PBC business fields is tampered with, destroyed, or
leaked.
(4) The incident results in the leakage of not less than 10 million pieces of
sensitive personal information or not less than 100 million pieces of personal
information.
(5) The cyberspace administration or public security authorities have specified
that the cybersecurity incident shall be classified as critical.
(6) The PBC or its Shanghai Head Office, provincial branch office, or branch
office in a city under separate state planning determines and notifies a
financial service provider in writing that a cybersecurity incident shall be
classified as critical.
Article 8 Under any of the following circumstances, a cybersecurity incident
shall be classified as high at a minimum:
(1) A network in the PBC business field, as financial infrastructure that
directly serves more than 50 million natural persons or is closely related to
deposits and withdrawals, payment transactions, tax payments to the treasury,
or interbank market transactions, experiences a complete main function
interruption across not less than two provincial administrative regions for not
less than 1.5 hours during peak business hours or in a single provincial
administrative region for not less than three hours.
(2) A network in the PBC business fields that provides financial services
experiences a main function interruption, timeout error, or similar failure
that makes normal business processing impossible and which, as reasonably
assessed or estimated, affects not less than 1 million natural persons or
100,000 legal persons and other organizations.
(3) Important data in the PBC business fields is tampered with, destroyed, or
leaked.
(4) The incident results in the leakage of not less than 1 million pieces of
sensitive personal information or not less than 10 million pieces of personal
information.
(5) The cyberspace administration or public security authorities have specified
that the cybersecurity incident shall be classified as high.
(6) The PBC or its Shanghai Head Office, provincial branch office, or branch
office in a city under separate state planning determines and notifies a
financial service provider in writing that a cybersecurity incident shall be
classified as high.
Article 9 Under any of the following circumstances, a cybersecurity incident
shall be classified as medium at a minimum:
(1) A network in the P......