This is in breach of the 72hr GDPR notification window
China’s is even more stringent at 4 hours, down to 1 hour for high-severity incidents:
https://www.theregister.com/2025/09/16/china_1hour_cyber_rep...
https://privacymatters.dlapiper.com/2025/09/china-new-strict...
Only the supervisory authorities are required to be informed in 72 hour, and even there, it's not a hard rule, you can have excuses.
this is for the regulator or governing body, not public. Most big clients will have an explicit reporting window in their contract though
China’s is even more stringent at 4 hours, down to 1 hour for high-severity incidents:
https://www.theregister.com/2025/09/16/china_1hour_cyber_rep...
https://privacymatters.dlapiper.com/2025/09/china-new-strict...
Only the supervisory authorities are required to be informed in 72 hour, and even there, it's not a hard rule, you can have excuses.
this is for the regulator or governing body, not public. Most big clients will have an explicit reporting window in their contract though