Measures for the Administration of the Reporting of Cybersecurity Incidents in the Business Fields of the People's Bank of China [Not Yet Effective]
中国人民银行业务领域网络安全事件报告管理办法 [尚未生效]
Order of the People's Bank of China 中国人民银行令
(No. 4 [2025]) (〔2025〕第4号)

The Measures for the Administration of the Reporting of Cybersecurity Incidents in the Business Fields of the People's Bank of China, as deliberated and adopted at the eighth executive meeting of the People's Bank of China on May 12, 2025, are hereby issued and take effect on August 1, 2025. 《中国人民银行业务领域网络安全事件报告管理办法》已经2025年5月12日中国人民银行第8次行务会议审议通过,现予发布,自2025年8月1日起施行。
Pan Gongsheng, Governor 行 长 潘功胜
May 23, 2025 2025年5月23日
Measures for the Administration of the Reporting of Cybersecurity Incidents in the Business Fields of the People's Bank of China 中国人民银行业务领域网络安全事件报告管理办法
Chapter I General Provisions 第一章 总 则

Article 1 These Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on the People's Bank of China, and other laws and administrative regulations, for the purpose of standardizing the administration of the reporting of cybersecurity incidents in the business fields of the People's Bank of China (“PBC”).   第一条 为规范中国人民银行业务领域网络安全事件报告管理,根据《中华人民共和国网络安全法》《中华人民共和国数据安全法》《中华人民共和国个人信息保护法》《中华人民共和国中国人民银行法》等法律、行政法规,制定本办法。
Article 2 A financial service provider that experiences a cybersecurity incident in the PBC business fields within the territory of the People's Republic of China shall report to the PBC or PBC branch office in its domicile in accordance with these Measures. Cybersecurity incidents not within the PBC business fields need not be reported in accordance with these Measures. If a state secret is involved, the relevant provisions shall apply.   第二条 金融从业机构在中华人民共和国境内发生中国人民银行业务领域网络安全事件时,应当按照本办法规定向中国人民银行或者住所地中国人民银行分支机构报告。非中国人民银行业务领域网络安全事件无须按照本办法规定报告。涉及国家秘密的,按照有关规定执行。
Article 3 In these Measures, "PBC business fields" means the business fields which the PBC has a duty to supervise and administer under laws, administrative regulations, and decisions of the Central Committee of the Communist Party of China and the State Council.   第三条 本办法所称中国人民银行业务领域,指依据法律、行政法规,党中央、国务院决定,由中国人民银行承担监督和管理职责的业务领域。
In these Measures, "cybersecurity incident in the PBC business fields" ("cybersecurity incident") means an incident, arising from any human factor, cyberattack, vulnerability, software or hardware defect or failure, force majeure, or other factor, which causes harm to a network in the PBC business fields constructed, operated, maintained, or managed by an institution or to data in the PBC business fields processed by it. 本办法所称中国人民银行业务领域网络安全事件(以下简称网络安全事件),指由于人为原因、遭受网络攻击、存在漏洞隐患、软硬件缺陷或故障、不可抗力等因素,对本机构建设、运营、维护、管理的中国人民银行业务领域网络或者处理的中国人民银行业务领域数据造成危害的事件。
Article 4 A financial service provider shall also report in accordance with the provisions established by a relevant national authority or any other financial regulatory department on the reporting of cybersecurity incidents, if any. In the case of a cybersecurity incident involving endangering a computer information system or any other violation or crime, a financial service provider shall also promptly report to public security authorities.   第四条 国家有关部门和其他金融管理部门等对网络安全事件报告有规定的,金融从业机构还应当从其规定报告。涉及危害计算机信息系统等违法犯罪的网络安全事件,金融从业机构还应当及时向公安机关报案。
The PBC strengthens the sharing of cybersecurity incident reports with relevant state authorities and other financial regulatory departments, notifying the relevant state authorities of cybersecurity incidents in accordance with the provisions established by them and notifying the other financial regulatory departments of cybersecurity incidents as needed by them. 中国人民银行加强与国家有关部门和其他金融管理部门间的网络安全事件报告内容共享,按照国家有关部门规定向其通报网络安全事件,并根据其他金融管理部门需要向其通报网络安全事件。
Article 5 Any individual or organization has the right to report to the PBC or a branch office a financial service provider's failure to report a cybersecurity incident in accordance with these Measures. The PBC or PBC branch office shall keep the information of the informant confidential.   第五条 任何个人和组织有权向中国人民银行或其分支机构举报金融从业机构未按照本办法规定报告网络安全事件的行为。中国人民银行或其分支机构对举报人的相关信息予以保密。
Chapter II Classification of Cybersecurity Incidents 第二章 网络安全事件分级

Article 6 A financial service provider shall specify cybersecurity incident classification standards ("classification standards") in its cybersecurity management system or operating rules and procedures, and classify cybersecurity incidents into four levels: critical, high, medium, and low. The financial service provider shall organize annual evaluations and update the classification standards as appropriate. Any updates to the classification standards shall be submitted for approval to the leadership responsible for cybersecurity.   第六条 金融从业机构应当在本机构网络安全管理制度或者操作规程中明确网络安全事件分级标准(以下简称分级标准),将网络安全事件分为特别重大、重大、较大和一般四个等级。金融从业机构应当每年组织评估并视情更新分级标准。分级标准如有更新,应当报本机构主管网络安全的领导班子成员批准。
When formulating classification standards, the financial service provider shall take into account the impact of cybersecurity incidents on business and users, among others. In developing classification standards for networks in the PBC business fields that are closely related to deposits and withdrawals, payment transactions, tax payments to the treasury, and interbank market transactions, the financial service provider shall consider the different impact of cybersecurity incidents on business processing during peak and non-peak business hours. 金融从业机构制定分级标准时,应当综合考虑网络安全事件对业务、用户等的影响程度。金融从业机构针对与货币存取款、支付交易、税款缴库、银行间市场交易密切相关的中国人民银行业务领域网络制定分级标准时,应当差异化考虑业务高峰时段和非业务高峰时段网络安全事件对业务处理的影响程度。
The financial service provider shall also formulate classification standards related to the tampering, destruction, or leakage of data in the PBC business fields in accordance with relevant data security management regulations. 金融从业机构还应当结合中国人民银行业务领域数据安全管理相关规定,制定与中国人民银行业务领域数据遭到篡改、破坏、泄露相关的分级标准。
The financial service provider may develop classification standards applicable specially to networks in the PBC business fields that are classified as cybersecurity protection level 3 or above. 金融从业机构可以针对网络安全等级保护三级以上的中国人民银行业务领域网络,逐一细化制定专门适用的分级标准。
Article 7 Under any of the following circumstances, a cybersecurity incident shall be classified as critical:   第七条 符合下列情形之一的,应当分级为特别重大网络安全事件:
(1) A network in the PBC business field, as financial infrastructure that directly serves more than 50 million natural persons or is closely related to deposits and withdrawals, payment transactions, tax payments to the treasury, or interbank market transactions, experiences a complete main function interruption across not less than two provincial administrative regions for not less than three hours during peak business hours or in a single provincial administrative region for not less than six hours. (一)属于金融基础设施、直接服务5000万个以上自然人或者与货币存取款、支付交易、税款缴库、银行间市场交易密切相关的中国人民银行业务领域网络,主要功能在业务高峰时段出现两个以上省级行政区范围整体中断运行3小时以上或者单个省级行政区范围整体中断运行6小时以上的;
(2) A network in the PBC business fields that provides financial services experiences a main function interruption or timeout error, among others, causing impossibility of regular business, which, as reasonably assessed or estimated, affects not less than 10 million natural persons or 1 million legal persons and other organizations. (二)提供金融服务的中国人民银行业务领域网络,主要功能出现中断、超时报错等情形,导致业务无法正常开展,经合理测算或者估算,已实际影响1000万个以上自然人或者100万个以上法人和其他组织的;
(3) Core data in the PBC business fields is tampered with, destroyed, or leaked. (三)中国人民银行业务领域核心数据遭到篡改、破坏、泄露的;
(4) Not less than 10 million pieces of sensitive personal information or not less than 100 million pieces of personal information is leaked as a result. (四)致使泄露1000万条以上敏感个人信息或者1亿条以上个人信息的;
(5) The cyberspace administration or public security authorities have specified that the cybersecurity incident shall be classified as critical. (五)网信部门、公安机关已明确应当分级为特别重大网络安全事件的;
(6) The PBC or its Shanghai Head Office, provincial branch office, or branch office in a city under separate state planning determines and notifies a financial service provider in writing that a cybersecurity incident shall be classified as critical. (六)中国人民银行或其上海总部、省级分行、计划单列市分行研判并书面告知金融从业机构,应当分级为特别重大网络安全事件的。
Article 8 Under any of the following circumstances, a cybersecurity incident shall be classified as high at a minimum:   第八条 符合下列情形之一的,应当至少分级为重大网络安全事件:
(1) A network in the PBC business field, as financial infrastructure that directly serves more than 50 million natural persons or is closely related to deposits and withdrawals, payment transactions, tax payments to the treasury, or interbank market transactions, experiences a complete main function interruption across not less than two provincial administrative regions for not less than 1.5 hours during peak business hours or in a single provincial administrative region for not less than three hours. (一)属于金融基础设施、直接服务5000万个以上自然人或者与货币存取款、支付交易、税款缴库、银行间市场交易密切相关的中国人民银行业务领域网络,主要功能在业务高峰时段出现两个以上省级行政区范围整体中断运行1.5小时以上或者单个省级行政区范围整体中断运行3小时以上的;
(2) A network in the PBC business fields that provides financial services experiences a main function interruption or timeout error, among others, causing impossibility of regular business, which, as reasonably assessed or estimated, affects not less than 1 million natural persons or 100,000 legal persons and other organizations. (二)提供金融服务的中国人民银行业务领域网络,主要功能出现中断、超时报错等情形,导致业务无法正常开展,经合理测算或者估算,已实际影响100万个以上自然人或者10万个以上法人和其他组织的;
(3) Important data in the PBC business fields is tampered with, destroyed, or leaked. (三)中国人民银行业务领域重要数据遭到篡改、破坏、泄露的;
(4) Not less than 1 million pieces of sensitive personal information or not less than 10 million pieces of personal information is leaked as a result. (四)致使泄露100万条以上敏感个人信息或者1000万条以上个人信息的;
(5) The cyberspace administration or public security authorities have specified that the cybersecurity incident shall be classified as high. (五)网信部门、公安机关已明确应当分级为重大网络安全事件的;
(6) The PBC or its Shanghai Head Office, provincial branch office, or branch office in a city under separate state planning determines and notifies a financial service provider in writing that a cybersecurity incident shall be classified as high. (六)中国人民银行或其上海总部、省级分行、计划单列市分行研判并书面告知金融从业机构,应当分级为重大网络安全事件的。
Article 9 Under any of the following circumstances, a cybersecurity incident shall be classified as medium at a minimum:   第九条 符合下列情形之一的,应当至少分级为较大网络安全事件:
(1) A network in the PBC business field, as financial infrastructure that directly serves more than 50 million natural persons or is closely related to deposits and withdrawals, payment transactions, tax payments to the treasury, or interbank market transactions, experiences a complete main function interruption across not less than two provincial administrative regions for not less than 15 minutes during peak business hours or in a single provincial administrative region for not less than 30 minutes. (一)属于金融基础设施、直接服务5000万个以上自然人或者与货币存取款、支付交易、税款缴库、银行间市场交易密切相关的中国人民银行业务领域网络,主要功能在业务高峰时段出现两个以上省级行政区范围整体中断运行15分钟以上或者单个省级行政区范围整体中断运行30分钟以上的;
(2) A network in the PBC business fields that provides financial services experiences a main function interruption or timeout error, among others, causing impossibility of regular business, which, as reasonably assessed or estimated, affects not less than 100,000 natural persons or 5,000 legal persons and other organizations. (二)提供金融服务的中国人民银行业务领域网络,主要功能出现中断、超时报错等情形,导致业务无法正常开展,经合理测算或者估算,已实际影响10万个以上自然人或者5000个以上法人和其他组织的;
(3) Not less than 500 pieces of credit reporting or property information or not less than 50,000 pieces of personal information is leaked as a result. (三)致使泄露500条以上征信信息、财产信息,或者致使泄露5万条以上个人信息的;
(4) A ransomware attack has harmed a network or data in the PBC business fields. (四)遭受勒索恶意程序攻击,已对中国人民银行业务领域网络或者中国人民银行业务领域数据造成危害后果的;
(5) The cyberspace administration or public security authorities have specified that the cybersecurity incident shall be classified as medium. (五)网信部门、公安机关已明确应当分级为较大网络安全事件的。
Article 10 Under any of the following circumstances, a cybersecurity incident shall be classified as low at a minimum:   第十条 符合下列情形之一的,应当至少分级为一般网络安全事件:
...... ......



  Translations are by lawinfochina.com, and we retain exclusive copyright over content found on our website except for content we publish as authorized by respective copyright owners or content that is publicly available from government sources.

Due to differences in language, legal systems, and culture, English translations of Chinese law are for reference purposes only. Please use the official Chinese-language versions as the final authority. lawinfochina.com and its staff will not be directly or indirectly liable for use of materials found on this website.
