China’s CAC Issues New Draft Measures for Network Data Security Risk Assessments
Published 12 December 2025
Sarah Xuan
On December 6, 2025, the Cyberspace Administration of China (hereinafter referred to as the “CAC”) issued the Measures for Network Data Security Risk Assessments (Draft for Comments) (hereinafter referred to as the “Measures”), soliciting public comments nationwide, with the feedback deadline set for January 5, 2026.
Judging from its form of release and timing, the draft serves as an important supporting document issued after the implementation of the Data Security Law (effective as of September 1, 2021) and the Regulation on the Administration of Network Data Security (effective as of January 1, 2025). It further refines institutional arrangements and solidifies responsibilities in the field of network data security. Its purpose is to establish a standardized mechanism for network data security risk assessments, to systematically identify and prevent data security risks, safeguard national security, public interests, and the lawful rights and interests of citizens and organizations, while also providing a stable and predictable institutional environment for the lawful, reasonable, and effective use of data.
This article provides an item-by-item analysis of the main contents of the Measures.
I. Organizational System and Regulatory Structure of Risk Assessment
Articles 3 to 5 of the Measures establish an organizational structure of “unified coordination by the national cybersecurity authority – division-of-labor responsibility by relevant competent authorities – regional coordination by provincial cybersecurity authorities.” Under the guidance of the national data security coordination mechanism, the national cybersecurity authority coordinates risk assessment efforts across regions and departments, emphasizing information sharing and coordination. This effectively incorporates risk assessments into the overall national framework for data security governance, helping prevent siloed actions and fragmented regulation among government departments.
Article 4 sets forth the principle that “whoever oversees the business shall oversee the business data and data security.” It requires competent authorities to regularly organize risk assessments within their respective industries and sectors, and to submit annual risk assessment and inspection plans before the end of January each year. Provincial cybersecurity authorities are responsible for coordinating annual plans within their administrative regions. This arrangement shifts organizational responsibility downward to the bodies most familiar with business operations and data contexts, strengthening the combination of territorial management and industry regulation, and helping ensure that “those who understand the business manage its data security.”
Article 5 further emphasizes the national cybersecurity authority’s overall coordination of plans submitted by various departments and provincial authorities. It requires the avoidance of duplicate assessments and inspections, and clarifies that authorities may not charge fees to data processors during inspections. This provision both responds to longstanding corporate concerns over compliance burdens arising from “multiple inspections by multiple agencies” and reflects regulators’ efforts to balance “risk prevention” with “burden reduction.”
II. Risk Assessment Obligations of Network Data Processors
Article 6 is one of the central provisions of the Measures. The draft requires network data processors handling important data to conduct annual risk assessments of their network data processing activities. If the security status of important data undergoes major changes that may adversely affect data security, a special risk assessment must be conducted for the affected portion. For processors of general data, a “recommended” requirement is adopted, advising that risk assessments be conducted at least once every three years.
In the context of the broader legal framework on data, this arrangement corresponds to provisions on “important data” and “data security risk monitoring and early warning” under the Data Security Law. It imposes higher-level and higher-frequency compliance obligations on important data processors, making risk assessment a routine “fundamental skill.” The recommended approach for general data processors reflects proportionality and an optimized allocation of regulatory resources, enabling differentiated supervision focused on scenarios with greater implications for national security and public interests.
Article 7 specifies that risk assessments must be conducted in accordance with the Regulation on the Administration of Network Data Security and relevant national standards such as Data Security Technology—Methods for Data Security Risk Assessment (GB/T 45577) (effective as of November 1, 2025). It also authorizes competent authorities to establish additional requirements for their industries and sectors. This embeds national standards within the institutional framework, providing enterprises with a basis for conducting assessments and promoting standardization, comparability, and auditability of assessment processes.
Articles 8, 13, and 14 elaborate operational obligations regarding “how to conduct assessments,” “what outcomes to produce,” and “how to submit and retain results.” Network data processors may conduct assessments themselves or engage third-party agencies. For self-assessments, a designated responsible person is required; for commissioned assessments, certified agencies should be prioritized, and rights, obligations, and confidentiality responsibilities must be stipulated in contracts or other legal instruments. Annual risk assessments for important data processors must follow the reporting template in the Measures’ annex, with reports retained for at least three years. Reports must be submitted within ten working days after completion, following the requirements of the competent authority; if no authority is specified, submission should be made to the provincial or national cybersecurity authority. Competent authorities must forward the reports to the cybersecurity authority at the same level within ten working days.
From a compliance perspective, this means important data processors must establish robust internal compliance mechanisms as early as possible, including data asset inventories and classification systems, assessment processes and methodologies, reporting templates, and audit-trail mechanisms. For large platform enterprises operating across regions and business lines, a unified group-level assessment system is essential; otherwise, it will be difficult to complete each assessment cycle on time and with high quality.
III. Qualification Requirements and Conduct Standards for Assessment Agencies
The Measures impose strict regulatory requirements on third-party assessment agencies, reflecting a regulatory orientation of ensuring that the assessment market not only grows in size but also improves in professionalism and credibility.
Articles 8 and 9 provide that certification bodies approved by the Certification and Accreditation Administration of China and possessing qualifications for data security service certification may certify assessment agencies based on standards such as Data Security Technology—Capability Requirements for Data Security Assessment Agencies (GB/T 45389) (effective as of October 1, 2025). This creates a multi-tier responsibility chain of “certification body – assessment agency – data processor,” helping establish data security assessment as a compliance service industry with professional entry thresholds and quality controls.
Article 10 requires assessment agencies to comply with laws and regulations, make fair and objective risk judgments, and assume responsibility for the authenticity, validity, and completeness of their reports. They may not subcontract assessments to other agencies, thereby preventing “layered subcontracting” or nominal assessments. Article 11 establishes a rotation mechanism prohibiting an assessment agency and its affiliates from conducting more than three consecutive assessments for the same network data processor. This balances continuity and independence: it prevents excessive binding or collusion risks while retaining the efficiency benefits of repeated cooperation.
Article 12 further details assessment agencies’ obligations regarding risk detection and information protection: upon identifying major data security risks during assessment, agencies must promptly notify the data processor and report to provincial-level or higher cybersecurity authorities and competent authorities as required. They must also strictly protect the data, trade secrets, and confidential business information obtained during assessments, and delete such information after completion. This reinforces their role as “frontline sentinels” in the risk-warning chain and raises expectations for their compliance and internal controls.
IV. Regulatory Measures, Mandatory Assessments, and Legal Liabilities
Articles 15 and 16 address “follow-up actions after regulators discover problems.” When provincial-level or higher cybersecurity authorities or competent authorities, during report verification or inspections, find that a data processor has significant security risks, has experienced important data leakage or a large-scale personal information breach, or engages in network data processing activities that may endanger national security or public interests, they must require the processor to engage a certified assessment agency to conduct a risk assessment. The same incident or risk may not be subject to repeated assessment requirements. This means regulators may escalate from “encouraged self-assessment” to “mandatory third-party assessment” in high-risk cases, using external expertise for systematic diagnosis and supporting subsequent remediation or penalties.
Article 16 clarifies the cooperation obligations of data processors when required to engage an assessment agency: providing necessary access for assessors, completing assessments on schedule and bearing the associated costs, implementing remediation for identified issues and submitting remediation reports within fifteen working days after completion, and refraining from pressuring agencies to produce false or improper reports. This links assessment directly with remediation, emphasizing that “the goal of assessment is not merely to produce a report, but to resolve risks.”
Article 17 further grants competent authorities disposal powers in high-risk situations: if network data processing activities are found to potentially endanger national security or public interests, rectification must be ordered; for inadequate or refused rectification, measures such as ordering suspension of important data processing may be taken. This aligns with regulatory measures under the Data Security Law and is concretized here through linkage with risk assessment results.
Regarding legal liabilities, Article 20 provides that if provincial-level or higher cybersecurity authorities or competent authorities discover that a data processor has failed to conduct risk assessments as required, penalties shall be imposed in accordance with the Data Security Law and other laws. If an assessment agency violates the Measures’ requirements, rectification may be ordered, and in serious cases, it may be restricted or prohibited from conducting assessments, with responsible personnel held liable. Criminal liability applies where crimes are constituted. This reflects a “two-way accountability” mechanism, holding both data processors and assessment agencies responsible and preventing assessments from deteriorating into mere formalities.
Article 19 allows any organization or individual to report illegal or non-compliant conduct related to risk assessments, providing regulators with social-supervision channels that may also serve as sources of compliance risk in future governance practice.
V. Institutional Coordination and Mutual Recognition of Assessment Results
Particularly noteworthy is Article 21 on mutual recognition of assessment results. The Measures clarify that where risk assessments overlap with cybersecurity classified protection evaluations, data security management certifications, personal information protection compliance audits, or commercial cryptography application security assessments, relevant results may be mutually recognized to avoid repeated assessments, audits, and certifications.
This article has important implications for institutional integration. Prior to this, China’s requirements regarding data security and network data security risk assessments had in fact already appeared in a wide range of regulations across multiple levels and sectors:
1. At the level of higher-level laws, the Data Security Law establishes a principled requirement for important data processors to conduct periodic risk assessments and submit assessment reports to the competent authorities; the Cybersecurity Law (effective as of June 1, 2017) sets forth the basic requirement that cybersecurity certifications, testing, and risk assessment activities “must comply with relevant national regulations”; and the Personal Information Protection Law (effective as of November 1, 2021) establishes a personal information protection impact assessment system for high-risk personal information processing scenarios.
2. At the level of administrative regulations, the Regulation on the Administration of Network Data Security provides a framework for annual risk assessments by important data processors and for conducting assessments prior to the provision, commissioned processing, or joint processing of important data.
3. At the level of specialized regulatory rules, the Measures for Security Assessment of Data Export (effective as of September 1, 2022) require data processors to complete a self-assessment of outbound data risks before submitting an application; and industry regulators in sectors such as telecommunications and finance have embedded data security risk assessments into the governance practices for important data and core data in their respective industries through implementation rules and administrative measures.
4. Meanwhile, national standards and practice guidelines—such as Data Security Technology—Methods for Data Security Risk Assessment, the Implementation Guide for Network Data Security Risk Assessment (effective as of May 2025), and the Guidelines for Personal Information Security Impact Assessment (effective as of June 1, 2021)—provide the technical foundation and operational pathways for the concepts, processes, contents, and methodologies of risk assessments.
Against this institutional backdrop, the Measures for the Security Risk Assessment of Network Data (Draft for Comments), on the one hand, inherit and refine the dispersed requirements concerning “risk assessment” found in the above-mentioned laws, regulations, and standards, systematizing and proceduralizing them within the network data context, and clarifying the assessment agencies, assessment frequency, assessment report format, and mechanisms for submission. On the other hand, by establishing a rule of mutual recognition of assessment results in Article 21, the Measures attempt to integrate network data security risk assessments with existing systems such as cybersecurity classified protection evaluations, data security management certifications, personal information protection compliance audits, and commercial cryptography application security assessments. While preserving the professionalism and independence of each subsystem, the Measures provide a normative basis for the mutual acceptance of results across different assessments and audits, thereby promoting a shift from “parallel and overlapping” compliance requirements to “coordinated and integrated” compliance frameworks.
Articles 22, 23, and 24 provide coordination rules for risk assessments prior to the provision, commission, or joint processing of important data, for core data processors, and for assessments involving state secrets or work secrets. They specify that relevant national regulations and confidentiality laws must be followed. It is foreseeable that more targeted rules will be promulgated for core data and state-secret-related scenarios, with the Measures serving primarily as a general coordinating framework in this respect.
Comment
The Measures create a relatively complete framework for network data security risk assessment across multiple dimensions: assessment organization, assessment implementation, oversight of assessment agencies, report management, supervision and inspection, and legal responsibilities. They represent an effort to make existing laws and regulations more practical and operable. They elevate risk assessment from a principled requirement to a rigid obligation with clear frequency, procedures, and consequences, while reducing compliance burdens through mutual recognition of results and avoiding repetitive inspections.
For network data processors, the Measures imply at least three practical impacts:
1. Processors of important data must promptly complete inventories and classifications of their data assets, identify whether they qualify as “important data processors,” and determine the scope of their important data processing activities; otherwise, they cannot determine whether annual risk assessments are required.
2. Risk assessment must be institutionalized within corporate governance and coordinated with internal audit, information security management systems, and privacy impact assessments to avoid fragmented or redundant processes.
3. Processors must select qualified and experienced third-party assessment agencies and clearly define responsibility boundaries, confidentiality obligations, and data-access permissions in contracts, ensuring assessment quality while preventing unnecessary data leakage and compliance risks.
For assessment agencies and certification bodies, the Measures provide clearer business boundaries and development space. On one hand, qualification requirements, capability standards, and conduct rules help guide agencies away from generic IT services toward specialized data security assessment, fostering a sustainable professional market. On the other hand, strict independence requirements, confidentiality obligations, and heavy penalties for violations significantly raise entry and compliance costs, which will ultimately upgrade industry quality in the long run.
It should also be recognized that certain challenges may arise during implementation. For instance, identifying “important data” still requires clearer, more detailed standards in some industries. Small and medium-sized enterprises may lack the capability or financial capacity to conduct professional assessments; therefore, moderate policy support and technical assistance, while maintaining security baselines, will directly affect implementation outcomes. In the future, regulators may consider issuing model assessment templates, industry guidelines, and case libraries for key sectors to improve practical operability.
Overall, the Measures for Network Data Security Risk Assessments (Draft for Comments) represent a significant improvement of China’s data security governance system amid a period when data elements are becoming key factors of production and data security risks are rapidly accumulating.
Judging from its form of release and timing, the draft serves as an important supporting document issued after the implementation of the Data Security Law (effective as of September 1, 2021) and the Regulation on the Administration of Network Data Security (effective as of January 1, 2025). It further refines institutional arrangements and solidifies responsibilities in the field of network data security. Its purpose is to establish a standardized mechanism for network data security risk assessments, to systematically identify and prevent data security risks, safeguard national security, public interests, and the lawful rights and interests of citizens and organizations, while also providing a stable and predictable institutional environment for the lawful, reasonable, and effective use of data.
This article provides an item-by-item analysis of the main contents of the Measures.
I. Organizational System and Regulatory Structure of Risk Assessment
Articles 3 to 5 of the Measures establish an organizational structure of “unified coordination by the national cybersecurity authority – division-of-labor responsibility by relevant competent authorities – regional coordination by provincial cybersecurity authorities.” Under the guidance of the national data security coordination mechanism, the national cybersecurity authority coordinates risk assessment efforts across regions and departments, emphasizing information sharing and coordination. This effectively incorporates risk assessments into the overall national framework for data security governance, helping prevent siloed actions and fragmented regulation among government departments.
Article 4 sets forth the principle that “whoever oversees the business shall oversee the business data and data security.” It requires competent authorities to regularly organize risk assessments within their respective industries and sectors, and to submit annual risk assessment and inspection plans before the end of January each year. Provincial cybersecurity authorities are responsible for coordinating annual plans within their administrative regions. This arrangement shifts organizational responsibility downward to the bodies most familiar with business operations and data contexts, strengthening the combination of territorial management and industry regulation, and helping ensure that “those who understand the business manage its data security.”Article 5 further emphasizes the national cybersecurity authority’s overall coordination of plans submitted by various departments and provincial authorities. It requires the avoidance of duplicate assessments and inspections, and clarifies that authorities may not charge fees to data processors during inspections. This provision both responds to longstanding corporate concerns over compliance burdens arising from “multiple inspections by multiple agencies” and reflects regulators’ efforts to balance “risk prevention” with “burden reduction.”
II. Risk Assessment Obligations of Network data Processors
Article 6 is one of the central provisions of the Measures. The draft requires network data processors handling important data to conduct annual risk assessments of their network data processing activities. If the security status of important data undergoes major changes that may adversely affect data security, a special risk assessment must be conducted for the affected portion. For processors of general data, a “recommended” requirement is adopted, advising that risk assessments be conducted at least once every three years.
In the context of the broader legal framework on data, this arrangement corresponds to provisions on “important data” and “data security risk monitoring and early warning” under the Data Security Law. It imposes higher-level and higher-frequency compliance obligations on important data processors, making risk assessment a routine “fundamental skill.” The recommended approach for general data processors reflects proportionality and an optimized allocation of regulatory resources, enabling differentiated supervision focused on scenarios with greater implications for national security and public interests.
Article 7 specifies that risk assessments must be conducted in accordance with the Regulation on the Administration of Network data Security and relevant national standards such as Data Security Technology—Methods for Data Security Risk Assessment (GB/T 45577) (Effective as of November 1, 2025). It also authorizes competent authorities to establish additional requirements for their industries and sectors. This embeds national standards within the institutional framework, providing enterprises with a basis for conducting assessments and promoting standardization, comparability, and auditability of assessment processes.
Articles 8, 13, and 14 elaborate operational obligations regarding “how to conduct assessments,” “what outcomes to produce,” and “how to submit and retain results.” Network data processors may conduct assessments themselves or engage third-party agencies. For self-assessments, a designated responsible person is required; for commissioned assessments, certified agencies should be prioritized, and rights, obligations, and confidentiality responsibilities must be stipulated in contracts or other legal instruments. Annual risk assessments for important data processors must follow the reporting template in the Measures’ annex, with reports retained for at least three years. Reports must be submitted within ten working days after completion, following the requirements of the competent authority; if no authority is specified, submission should be made to the provincial or national cybersecurity authority. Competent authorities must forward the reports to the cybersecurity authority at the same level within ten working days.
From a compliance perspective, this means important data processors must establish robust internal compliance mechanisms as early as possible, including data asset inventories and classification systems, assessment processes and methodologies, reporting templates, and audit-trail mechanisms. For large platform enterprises operating across regions and business lines, a unified group-level assessment system is essential; otherwise, it will be difficult to complete each assessment cycle on time and with high quality.
III. Qualification Requirements and Conduct Standards for Assessment Agencies
The Measures impose strict regulatory requirements on third-party assessment agencies, reflecting a regulatory orientation of ensuring that the assessment market not only grows in size but also improves in professionalism and credibility.
Articles 8 and 9 provide that certification bodies approved by the Certification and Accreditation Administration of China and possessing qualifications for data security service certification may certify assessment agencies based on standards such as Data Security Technology—Capability Requirements for Data Security Assessment Agencies (GB/T 45389)(Effective as of October 1, 2025). This creates a multi-tier responsibility chain of “certification body – assessment agency – data processor,” helping establish data security assessment as a compliance service industry with professional entry thresholds and quality controls.
Article 10 requires assessment agencies to comply with laws and regulations, make fair and objective risk judgments, and assume responsibility for the authenticity, validity, and completeness of their reports. They may not subcontract assessments to other agencies, thereby preventing “layered subcontracting” or nominal assessments. Article 11 establishes a rotation mechanism prohibiting an assessment agency and its affiliates from conducting more than three consecutive assessments for the same network data processor. This balances continuity and independence: it prevents excessive binding or collusion risks while retaining the efficiency benefits of repeated cooperation.
Article 12 further details assessment agencies’ obligations regarding risk detection and information protection: upon identifying major data security risks during assessment, agencies must promptly notify the data processor and report to provincial-level or higher cybersecurity authorities and competent authorities as required. They must also strictly protect the data, trade secrets, and confidential business information obtained during assessments, and delete such information after completion. This reinforces their role as “frontline sentinels” in the risk-warning chain and raises expectations for their compliance and internal controls.
IV. Regulatory Measures, Mandatory Assessments, and Legal Liabilities
Articles 15 and 16 address “follow-up actions after regulators discover problems.” When provincial-level or higher cybersecurity authorities or competent authorities, during report verification or inspections, find that a data processor has significant security risks, has experienced important data leakage or a large-scale personal information breach, or engages in network data processing activities that may endanger national security or public interests, they must require the processor to engage a certified assessment agency to conduct a risk assessment. The same incident or risk may not be subject to repeated assessment requirements. This means regulators may escalate from “encouraged self-assessment” to “mandatory third-party assessment” in high-risk cases, using external expertise for systematic diagnosis and supporting subsequent remediation or penalties.
Article 16 clarifies the cooperation obligations of data processors when required to engage an assessment agency: providing necessary access for assessors, completing assessments on schedule and bearing the associated costs, implementing remediation for identified issues and submitting remediation reports within fifteen working days after completion, and refraining from pressuring agencies to produce false or improper reports. This links assessment directly with remediation, emphasizing that “the goal of assessment is not merely to produce a report, but to resolve risks.”
Article 17 further grants competent authorities disposal powers in high-risk situations: if network data processing activities are found to potentially endanger national security or public interests, rectification must be ordered; for inadequate or refused rectification, measures such as ordering suspension of important data processing may be taken. This aligns with regulatory measures under the Data Security Law and is concretized here through linkage with risk assessment results.
Regarding legal liabilities, Article 20 provides that if provincial-level or higher cybersecurity authorities or competent authorities discover that a data processor has failed to conduct risk assessments as required, penalties shall be imposed in accordance with the Data Security Law and other laws. If an assessment agency violates the Measures’ requirements, rectification may be ordered, and in serious cases, it may be restricted or prohibited from conducting assessments, with responsible personnel held liable. Criminal liability applies where crimes are constituted. This reflects a “two-way accountability” mechanism, holding both data processors and assessment agencies responsible and preventing assessments from deteriorating into mere formalities.
Article 19 allows any organization or individual to report illegal or non-compliant conduct related to risk assessments, providing regulators with social-supervision channels that may also serve as sources of compliance risk in future governance practice.
V. Institutional Coordination and Mutual Recognition of Assessment Results
Particularly noteworthy is Article 21 on mutual recognition of assessment results. The Measures clarify that where risk assessments overlap with cybersecurity classified protection evaluations, data security management certifications, personal information protection compliance audits, or commercial cryptography application security assessments, relevant results may be mutually recognized to avoid repeated assessments, audits, and certifications.
This article has important implications for institutional integration. Prior to this, requirements regarding data security and network data security risk assessments had in fact already appeared in a wide range of Chinese regulations across multiple levels and sectors:
1. At the level of higher-level laws, the Data Security Law establishes a principled requirement for important data processors to conduct periodic risk assessments and submit assessment reports to the competent authorities; the Cybersecurity Law (effective as of June 1, 2017) sets forth the basic requirement that cybersecurity certifications, testing, and risk assessment activities “must comply with relevant national regulations”; and the Personal Information Protection Law (effective as of November 1, 2021) establishes a personal information protection impact assessment system for high-risk personal information processing scenarios.
2. At the level of administrative regulations, the Regulation on the Administration of Network Data Security provides a framework for annual risk assessments by important data processors and for conducting assessments prior to the provision, commissioned processing, or joint processing of important data.
3. At the level of specialized regulatory rules, the Measures for Security Assessment of Data Export (effective as of September 1, 2022) require data processors to complete a self-assessment of outbound data risks before submitting an application; and industry regulators in sectors such as telecommunications and finance have embedded data security risk assessments into the governance practices for important data and core data in their respective industries through implementation rules and administrative measures.
4. At the level of national standards and practice guidelines, documents such as Data Security Technology—Methods for Data Security Risk Assessment, the Implementation Guide for Network Data Security Risk Assessment (effective as of May 2025), and the Guidelines for Personal Information Security Impact Assessment (effective as of June 1, 2021) provide the technical foundation and operational pathways for the concepts, processes, contents, and methodologies of risk assessments.
Against this institutional backdrop, the Measures for Network Data Security Risk Assessments (Draft for Comments), on the one hand, inherit and refine the dispersed “risk assessment” requirements found in the above-mentioned laws, regulations, and standards, systematizing and proceduralizing them within the network data context and clarifying the assessment agencies, assessment frequency, assessment report format, and mechanisms for submission. On the other hand, by establishing a rule of mutual recognition of assessment results in Article 21, the Measures attempt to integrate network data security risk assessments with existing systems such as cybersecurity classified protection evaluations, data security management certifications, personal information protection compliance audits, and commercial cryptography application security assessments. While preserving the professionalism and independence of each subsystem, the Measures provide a normative basis for the mutual acceptance of results across different assessments and audits, thereby promoting a shift from “parallel and overlapping” compliance requirements to a “coordinated and integrated” compliance framework.
Articles 22, 23, and 24 provide coordination rules for risk assessments prior to the provision, commissioned processing, or joint processing of important data, for core data processors, and for assessments involving state secrets or work secrets. They specify that the relevant national regulations and confidentiality laws must be followed. It is foreseeable that more targeted rules will be promulgated for core data and state-secret-related scenarios, with the Measures serving primarily as a general coordinating framework in this respect.
Comment
The Measures create a relatively complete framework for network data security risk assessment across multiple dimensions: assessment organization, assessment implementation, oversight of assessment agencies, report management, supervision and inspection, and legal responsibilities. They represent an effort to make existing laws and regulations more practical and operable. They elevate risk assessment from a principled requirement to a rigid obligation with clear frequency, procedures, and consequences, while reducing compliance burdens through mutual recognition of results and avoiding repetitive inspections.
For network data processors, the Measures imply at least three practical impacts:
1. Processors of important data must promptly complete inventories and classifications of their data assets, identify whether they qualify as “important data processors,” and determine the scope of their important data processing activities; otherwise, they cannot determine whether annual risk assessments are required.
2. Risk assessment must be institutionalized within corporate governance and coordinated with internal audit, information security management systems, and privacy impact assessments to avoid fragmented or redundant processes.
3. Processors must select qualified and experienced third-party assessment agencies and clearly define responsibility boundaries, confidentiality obligations, and data-access permissions in contracts, ensuring assessment quality while preventing unnecessary data leakage and compliance risks.
For assessment agencies and certification bodies, the Measures provide clearer business boundaries and room for development. On one hand, qualification requirements, capability standards, and conduct rules help steer agencies away from generic IT services toward specialized data security assessment, fostering a sustainable professional market. On the other hand, strict independence requirements, confidentiality obligations, and heavy penalties for violations significantly raise entry and compliance costs, which should raise overall industry quality in the long run.
It should also be recognized that certain challenges may arise during implementation. For instance, identifying “important data” still requires clearer, more detailed standards in some industries. Small and medium-sized enterprises may lack the capability or financial capacity to conduct professional assessments; therefore, moderate policy support and technical assistance, while maintaining security baselines, will directly affect implementation outcomes. In the future, regulators may consider issuing model assessment templates, industry guidelines, and case libraries for key sectors to improve practical operability.
Overall, the Measures for Network Data Security Risk Assessments (Draft for Comments) represent a significant improvement of China’s data security governance system amid a period when data elements are becoming key factors of production and data security risks are rapidly accumulating.