China opens consultation on draft measures for network data security risk assessments

China’s Cyberspace Administration has launched a public consultation on draft rules governing how organisations must assess and report network data security risks. The proposal sets detailed obligations for processors of important data, introduces oversight mechanisms for third-party assessors, and outlines new enforcement tools.

The Cyberspace Administration of China (CAC) has opened a consultation on its draft measures for network data security risk assessments. The draft regulation, available for comment until 5 January 2026, aims to clarify how organisations should identify, analyse and evaluate risks associated with network data processing under the Data Security Law and related frameworks.

The proposed rules establish differentiated requirements based on the type of data being handled. Organisations that process important data would be required to conduct risk assessments at least once a year and whenever changes in security conditions could affect data security. Those handling general data are encouraged to conduct assessments at least every three years. All assessments must align with national standards and relevant industry provisions.

The draft outlines procedures for internal assessments and for assessments conducted by certified third-party agencies, which must meet qualification and confidentiality requirements and operate under regulatory oversight. In certain circumstances, authorities may instruct processors to use certified agencies, with safeguards to prevent repeated commissioning for the same incident or risk.

Processors of important data would need to produce assessment reports following a standardised template, retain them for at least three years, and submit them to the competent authorities within prescribed timelines. Those authorities would review the submissions, maintain reporting channels, and carry out verification checks where needed.

The regulation sets expectations for cooperation when assessments are commissioned, including providing necessary access, bearing costs, implementing rectification measures, and avoiding interference in assessment outcomes. It allows for the recognition of overlapping results from other mandated security assessments to avoid duplication.

Additional provisions apply to important data processors, core data processors, and assessments involving state secrets or work secrets. The draft also introduces mechanisms for risk information sharing, complaint handling and enforcement, including penalties and corrective measures.