China Releases Measures for Network Data Security Risk Assessment
On 18 June 2026, the Cyberspace Administration of China, the Ministry of Industry and Information Technology and the Ministry of Public Security jointly released the Measures for Network Data Security Risk Assessment (“Measures”). The Measures will come into effect on 20 August 2026.
The key issues and critical compliance requirements under the Measures for data processors are summarized as follows.
1. What drove the issuance of the Measures?
According to the relevant provisions of the already-effective PRC Data Security Law and the Regulations on the Administration of Network Data Security, important data processors shall conduct an annual security risk assessment of their network data processing activities and submit risk assessment reports to the competent authorities. The Measures were released to provide practical guidance to data processors, especially those handling important data, on the methods, procedures and legal liabilities of security risk assessments. Notably, the Measures are the first departmental regulation in China specifically governing data security risk assessment activities.
2. Who are important data processors?
Important data processors are network data processors engaging in important data processing. Based on Article 62 of the Regulations on Network Data Security, important data refers to data from specific sectors (such as finance, healthcare, telecommunications, energy and transportation, etc.), concerning specific groups or geographic regions, or reaching a certain level of precision and scale. If such data is tampered with, damaged, leaked, or illegally accessed or exploited, it may directly endanger national security, economic operations, social stability, as well as public health and safety. Catalogues of important data for specific regions, departments, and relevant industries and sectors will be issued by the respective competent authorities. In practice, whether a company is deemed to be an important data processor largely depends on official notifications from the competent authorities.
3. What is network data security risk assessment?
It refers to activities involving the identification, analysis and evaluation of risks related to the security of network data and network data processing activities.
4. Who is required to conduct risk assessments?
Important data processors are subject to a mandatory requirement to conduct risk assessments on an annual basis. They must also carry out a timely risk assessment whenever there is a significant change in the security status of important data that may adversely affect data security, in order to evaluate the relevant changes and their potential impact.
Other network data processors handling general data are not subject to a mandatory obligation but are encouraged to conduct risk assessments at least once every three years.
Further, regardless of the category of data processed, if competent authorities identify significant data security risks in a network data processor’s activities, e.g. risks to national security, public interests, or potential leakage of important data, they may require the relevant processor to engage a certified assessment institution to conduct risk assessment.
5. What are the approaches for conducting risk assessments?
Network data processors may conduct risk assessments either internally or by engaging a third-party assessment institution, depending on their own capabilities.
If the assessment is conducted internally, the processor shall designate dedicated personnel. If a third-party institution is engaged, the rights and obligations of both parties shall be clearly defined through contracts. To ensure independence, impartiality and effectiveness of assessment institutions, the Measures prohibit subcontracting, limit consecutive engagements with the same processor to no more than three times, impose strict confidentiality obligations and require the timely notification of any material risks identified to the data processor.
6. What are the applicable standards for risk assessments?
In general, network data processors shall refer to the GB/T 45577-2025 Data Security Technology — Risk Assessment Method for Data Security. It provides detailed guidance on the implementation process, assessment content, analytical and evaluation methodologies, as well as templates for risk assessment reports.
7. What is the submission process for assessment reports?
The relevant industry-specific competent authorities will publish the channels for submitting risk assessment reports and their contact information. Based on such public information, important data processors shall submit their risk assessment reports to the relevant industry-specific competent authorities within 20 working days of completing their annual risk assessments. If no industry-specific competent authority is clearly designated, the reports shall be submitted to the provincial or national cyberspace authority.
8. What is the legal liability for non-compliance?
If a data processor fails to conduct risk assessments as required, it may be subject to legal liabilities under the applicable laws, including the PRC Data Security Law and the Regulations on the Administration of Network Data Security. In serious cases, a company may face fines of up to RMB 10 million and suspension of relevant business operations.
Further, if the authorities identify that the processing of important data poses risks to national security or public interests, they may require the company to take corrective actions. Important data processors that refuse to rectify, or fail to meet the rectification requirements, may be subject to measures such as being ordered to cease the processing of important data.