China’s is even more stringent at 4 hours, down to 1 hour for high-severity incidents:

https://www.theregister.com/2025/09/16/china_1hour_cyber_rep...

https://privacymatters.dlapiper.com/2025/09/china-new-strict...

Only the supervisory authorities are required to be informed in 72 hour, and even there, it's not a hard rule, you can have excuses.

this is for the regulator or governing body, not public. Most big clients will have an explicit reporting window in their contract though