The People's Bank of China issued measures to standardise the management and reporting of cybersecurity incidents affecting business areas under its remit, aiming to guide and督促 financial sector institutions to report such incidents in accordance with applicable requirements. The rules take effect on 1 August 2025. The measures cover incidents related to monetary and credit policy, macroprudential policy, cross-border renminbi, the interbank market, comprehensive financial statistics, payment and settlement, renminbi issuance and circulation, treasury management, credit reporting and credit rating, and anti-money laundering. They set out a graded incident classification framework with baseline rules for four levels (particularly major, major, relatively major and general), specify reporting workflows, required content, timelines and channels, and establish supervisory responsibilities for the People's Bank of China and its branches, including penalties for non-compliance. The People's Bank of China indicated it will organise implementation of the measures and guide institutions to report cybersecurity incidents in a timely and accurate manner.
Central Bank of the Republic of China 2025-05-30
People's Bank of China issues cybersecurity incident reporting rules for central bank business domains effective 1 August 2025
The People's Bank of China has issued measures to standardize the management and reporting of cybersecurity incidents across financial sectors, effective 1 August 2025. The rules introduce a graded incident classification framework, specify reporting workflows, and establish supervisory responsibilities, including penalties for non-compliance. The bank will oversee implementation and ensure timely and accurate reporting by institutions.