Measures for the Administration of the Reporting of Cybersecurity Incidents in the Business Fields of the People's Bank of China [Not Yet Effective]

Order of the People's Bank of China

(No. 4 [2025])

The Measures for the Administration of the Reporting of Cybersecurity Incidents in the Business Field of the People's Bank of China, as deliberated and adopted at the eighth executive meeting of the People's Bank of China on May 12, 2025, are hereby issued and take effect on August 1, 2025.
Pan Gongsheng, Governor
May 23, 2025
Measures for the Administration of the Reporting of Cybersecurity Incidents in the Business Field of the People's Bank of China
Chapter I General Provisions

Article 1 These Measures are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Law of the People's Republic of China on the People's Bank of China, and other laws and administrative regulations, for the purpose of standardizing the administration of the reporting of cybersecurity incidents in the business fields of the People's Bank of China ("PBC").
Article 2 A financial service provider that experiences a cybersecurity incident in the PBC business fields within the territory of the People's Republic of China shall report to the PBC or PBC branch office in its domicile in accordance with these Measures. Cybersecurity incidents not within the PBC business fields need not be reported in accordance with these Measures. If a state secret is involved, the relevant provisions shall apply.
Article 3 In these Measures, "PBC business fields" means the business fields which the PBC has a duty to supervise and administer under laws, administrative regulations, and decisions of the Central Committee of the Communist Party of China and the State Council.
In these Measures, "cybersecurity incident in the PBC business fields" ("cybersecurity incident") means an incident, arising from any human factor, cyberattack, vulnerability, software or hardware defect or failure, force majeure, or other factor, which causes harm to a network in the PBC business fields constructed, operated, maintained, or managed by an institution or to data in the PBC business fields processed by it.
Article 4 A financial service provider shall also report in accordance with the provisions established by a relevant national authority or any other financial regulatory department on the reporting of cybersecurity incidents, if any. In the case of a cybersecurity incident involving endangering a computer information system or any other violation or crime, a financial service provider shall also promptly report to public security authorities.
The PBC strengthens the sharing of cybersecurity incident reports with relevant state authorities and other financial regulatory departments, notifying the relevant state authorities of cybersecurity incidents in accordance with the provisions established by them and notifying the other financial regulatory departments of cybersecurity incidents as needed by them.
Article 5 Any individual or organization has the right to report to the PBC or a branch office a financial service provider's failure to report a cybersecurity incident in accordance with these Measures. The PBC or PBC branch office shall keep the information of the informant confidential.
Chapter II Classification of Cybersecurity Incidents

Article 6 A financial service provider shall specify cybersecurity incident classification standards ("classification standards") in its cybersecurity management system or operating rules and procedures, and classify cybersecurity incidents into four levels: critical, high, medium, and low. The financial service provider shall organize annual evaluations and update the classification standards as appropriate. Any updates to the classification standards shall be submitted for approval to the leadership responsible for cybersecurity.
When formulating classification standards, the financial service provider shall take into account the impact of cybersecurity incidents on business and users, among others. In developing classification standards for networks in the PBC business fields that are closely related to deposits and withdrawals, payment transactions, tax payments to the treasury, and interbank market transactions, the financial service provider shall consider the different impact of cybersecurity incidents on business processing during peak and non-peak business hours.
The financial service provider shall also formulate classification standards related to the tampering, destruction, or leakage of data in the PBC business fields in accordance with relevant data security management regulations.
The financial service provider may develop classification standards applicable specially to networks in the PBC business fields that are classified as cybersecurity protection level 3 or above.
Article 7 Under any of the following circumstances, a cybersecurity incident shall be classified as critical:
(1) A network in the PBC business fields, as financial infrastructure that directly serves more than 50 million natural persons or is closely related to deposits and withdrawals, payment transactions, tax payments to the treasury, or interbank market transactions, experiences a complete main function interruption across not less than two provincial administrative regions for not less than three hours during peak business hours or in a single provincial administrative region for not less than six hours.
(2) A network in the PBC business fields that provides financial services experiences a main function interruption or timeout error, among others, making it impossible to conduct business normally, which, as reasonably assessed or estimated, affects not less than 10 million natural persons or 1 million legal persons and other organizations.
(3) Core data in the PBC business fields is tampered with, destroyed, or leaked.
(4) Not less than 10 million pieces of sensitive personal information or not less than 100 million pieces of personal information are leaked as a result.
(5) The cyberspace administration or public security authorities have specified that the cybersecurity incident shall be classified as critical.
(6) The PBC or its Shanghai Head Office, provincial branch office, or branch office in a city under separate state planning determines and notifies a financial service provider in writing that a cybersecurity incident shall be classified as critical.
Article 8 Under any of the following circumstances, a cybersecurity incident shall be classified as high at a minimum:
(1) A network in the PBC business fields, as financial infrastructure that directly serves more than 50 million natural persons or is closely related to deposits and withdrawals, payment transactions, tax payments to the treasury, or interbank market transactions, experiences a complete main function interruption across not less than two provincial administrative regions for not less than 1.5 hours during peak business hours or in a single provincial administrative region for not less than three hours.
(2) A network in the PBC business fields that provides financial services experiences a main function interruption or timeout error, among others, making it impossible to conduct business normally, which, as reasonably assessed or estimated, affects not less than 1 million natural persons or 100,000 legal persons and other organizations.
(3) Important data in the PBC business fields is tampered with, destroyed, or leaked.
(4) Not less than 1 million pieces of sensitive personal information or not less than 10 million pieces of personal information are leaked as a result.
(5) The cyberspace administration or public security authorities have specified that the cybersecurity incident shall be classified as high.
(6) The PBC or its Shanghai Head Office, provincial branch office, or branch office in a city under separate state planning determines and notifies a financial service provider in writing that a cybersecurity incident shall be classified as high.
Article 9 Under any of the following circumstances, a cybersecurity incident shall be classified as medium at a minimum:
(1) A network in the PBC business fields, as financial infrastructure that directly serves more than 50 million natural persons or is closely related to deposits and withdrawals, payment transactions, tax payments to the treasury, or interbank market transactions, experiences a complete main function interruption across not less than two provincial administrative regions for not less than 15 minutes during peak business hours or in a single provincial administrative region for not less than 30 minutes.
(2) A network in the PBC business fields that provides financial services experiences a main function interruption or timeout error, among others, making it impossible to conduct business normally, which, as reasonably assessed or estimated, affects not less than 100,000 natural persons or 5,000 legal persons and other organizations.
(3) Not less than 500 pieces of credit reporting or property information or not less than 50,000 pieces of personal information are leaked as a result.
(4) A ransomware attack has harmed a network or data in the PBC business fields.
(5) The cyberspace administration or public security authorities have specified that the cybersecurity incident shall be classified as medium.
Article 10 Under any of the following circumstances, a cybersecurity incident shall be classified as low at a minimum:
......
          Translations are by lawinfochina.com, and we retain exclusive copyright over content found on our website except for content we publish as authorized by respective copyright owners or content that is publicly available from government sources.