China ransomware and cyber extortion policy

China Mandates Ransomware Payment Disclosure to Regulators, Creating New Compliance Risks for Victims

New CAC reporting rules and tenfold penalty hikes build a disclosure regime that may deter incident reporting altogether.

China's Ransomware Policy at a Glance (People of Internet Research, peopleofinternet.com): RMB 10M maximum CSL operator fine; 1 hour CIIO reporting window; RMB 50M maximum reporting violation fine; 45,000+ MIIT plan participants.

Key Takeaways

China has spent the last eight months assembling a sweeping legal framework to govern ransomware and cyber extortion — one that requires victims to disclose ransom payment details to the state within hours, significantly amplifies penalties, and extends enforcement jurisdiction overseas. The policy package addresses a genuine threat. But several provisions create perverse incentives for victims, generate disproportionate compliance burdens, and suggest a regime structured around state information collection as much as genuine cybersecurity defence.

A Three-Layer Policy Package

The overhaul arrived in two rapid-fire instruments. First, the Cyberspace Administration of China (CAC) issued the Administrative Measures for the Reporting of National Cybersecurity Incidents (AMRNCI) on September 11, 2025, effective November 1, 2025. Second, the Standing Committee of the National People's Congress passed amendments to the Cybersecurity Law on October 28, 2025, taking effect January 1, 2026.

Beneath both sits a criminal backstop: Article 286 of China's Criminal Law already treats the intentional creation or distribution of ransomware as "sabotaging a computer information system," punishable by up to five years' imprisonment for serious cases and extended terms where consequences are particularly severe.

The Ransom Disclosure Requirement

The most novel element is a ransomware-specific reporting clause. When organisations file an incident report with the CAC, they must include "the amount, method, and date of ransom payment requests." Critical information infrastructure operators (CIIOs), a category that includes energy, finance, and telecoms, must file within one hour of identifying a qualifying incident. Other network operators have four hours.

The steelman case for this is genuine. Centralised ransomware payment data allows regulators to correlate attacks across victims, identify threat-actor patterns, and calibrate law enforcement responses. Some Western jurisdictions have moved in a similar direction: the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will require covered entities to report ransom payments within 24 hours of making them once CISA's implementing rule takes effect, a window far longer than the CAC's.

The problem is operational timing. A four-hour window — and especially the one-hour deadline for CIIOs — falls almost entirely inside the acute response phase of an active ransomware incident. Security teams are still scoping the infection and containing lateral movement, not drafting regulatory submissions. Filing prematurely before the full impact assessment is complete risks inaccurate reports, which can themselves trigger enhanced penalties for "delayed, incomplete, false, or concealed reporting" under the same measures. The rules effectively penalise both silence and premature speech.

Tenfold Penalties and the End of Courtesy Warnings

The amended Cybersecurity Law restructured China's penalty regime substantially. Prior to January 1, 2026, maximum fines for operators were capped at RMB 1 million. The amendments raise that ceiling to RMB 10 million (~USD 1.4 million) for violations causing "particularly serious" consequences, with individual liability for responsible managers reaching RMB 1 million. Reporting non-compliance carries separate exposure of up to RMB 50 million under the AMRNCI.

Critically, the amendment also removed the prior requirement for an initial regulatory warning before fines could be issued. Regulators can now move directly to financial sanctions for certain failures — eliminating the informal grace period operators historically used to quietly patch gaps before formal enforcement action began.

The case for raising penalties rests on a real threat environment. China's Ministry of Industry and Information Technology (MIIT) has enrolled over 45,000 companies across manufacturing, energy, and telecoms in industrial cybersecurity programmes that include mandatory ransomware simulation drills. Ransomware groups claimed dozens of Chinese industrial and infrastructure victims in 2025, and the domestic cybersecurity market exceeded RMB 120 billion in annual value for the first time. These are not hypothetical risks. The question is whether escalating penalties without proportionate procedural safeguards produces better security outcomes, or simply transfers liability from sophisticated attackers, who remain largely beyond enforcement reach, onto already-victimised domestic operators.

Extraterritorial Overreach

The amended law extends China's enforcement jurisdiction to cover "any overseas institution, organization, or individual" whose activities "endanger the cybersecurity" of China. The prior text targeted specific hostile acts against critical infrastructure; the new language covers a much broader class of conduct, potentially applying to any foreign company whose products or platforms contribute to a cybersecurity incident inside China — regardless of whether they maintain a Chinese legal presence.

For multinationals, this creates compliance exposure that extends well beyond their Chinese subsidiaries. A cloud provider, software vendor, or third-party IT supplier whose breach in one jurisdiction cascades into systems used in China could, in principle, face PRC enforcement action even with no Chinese legal presence. Legal practitioners advising on China compliance have identified the extraterritorial expansion as one of the amendments' most consequential, and least proportionate, changes.

Surveillance Architecture or Security Architecture?

One policy detail cuts against a purely sceptical reading. China's Cybersecurity Insurance Guidelines, effective November 2025, explicitly permit insurance coverage for ransomware losses, including ransom payments, data recovery, and incident assessment costs. This is a meaningful liberalisation: the state acknowledges that paying ransoms is sometimes the least-bad option and should not be treated as an absolute moral failure.

Taken alongside the mandatory payment disclosure requirement, however, the combination is revealing. The state permits ransomware payments and simultaneously requires detailed documentation of every such payment: the amount, the method, the date. A centralised registry of which Chinese organisations paid which ransoms, by which payment method (including wallet addresses where cryptocurrency is used), on which days gives the CAC and public security organs detailed insight into victim behaviour, enterprise risk tolerance, and attacker infrastructure. How that data is protected from misuse, and who may access it, is not addressed by either instrument.

The framework's core components are defensible: mandatory incident reporting, criminal penalties for ransomware operators, and insurance legitimacy are reasonable building blocks for any national cyber defence posture. But the compressed reporting timelines, removal of prior-warning requirements, and expansive extraterritorial clause tilt the architecture toward state information collection rather than proportionate victim protection.

The most predictable outcome — if enforcement is applied aggressively rather than calibrated to genuine harm — is the one regulators should least want: organisations managing ransomware incidents quietly, outside the disclosure system, specifically to avoid triggering the cascade of regulatory liability that a formal CAC submission now carries.

Sources & Citations

  1. CAC — Cybersecurity Incident Reporting Measures (Official Text)
  2. CAC — Amended Cybersecurity Law (Official Text)
  3. Latham & Watkins — CSL Amendments Analysis
  4. Hunton — China's New Incident Reporting Rules
  5. China Briefing — Incident Reporting Compliance Guide
  6. ICLG — China Cybersecurity Laws and Regulations 2026