China Releases Draft Rules for Classifying Financial Data by Risk Level
Published 28 January 2026
Xia Yu
On 24 January 2026, the Cyberspace Administration of China (“CAC”) released the Guidelines for Data Classification and Grading in Financial Information Services (Draft for Comments) (“Draft Guidelines”), formulated in conjunction with relevant authorities. Serving as the standard specification for data classification and grading and the rules for identifying and declaring important data within the financial information services sector, this marks the first time China’s data classification and grading protection system, established under laws such as the Data Security Law of the People’s Republic of China (“Data Security Law”), has been systematically translated into enforceable and reviewable specific standards for this domain. Targeting financial information service providers such as Bloomberg, Refinitiv, and Wind, it constitutes not merely a set of classification and grading norms but a cornerstone for restructuring the data compliance logic within the sector.
China’s Data Classification and Grading System
China’s data classification and grading system, established under Article 21 of the Data Security Law, forms the core mechanism of its data governance. This system requires all data providers to classify and grade their data based on its importance and sensitivity, and accordingly fulfill differentiated legal obligations.
The system primarily involves three components: identification and declaration, review and confirmation, and differentiated obligations. The identification and declaration component obligates data providers to proactively inventory, classify, and identify data that may constitute important data, declaring it in accordance with national and sector-specific standards, such as the already implemented Guidelines for Identifying Important Data in the Industrial Field for the industrial sector and the Guidelines for Identifying Important Data in the Telecommunications Field for the telecommunications sector. The relevant competent authorities are responsible for reviewing the declared data and will notify the data providers of confirmed important data or publish it. Differentiated obligations refer to the triggering of varying legal responsibilities once data is graded: confirmed important data imposes stringent subsequent protection obligations on the data provider.
The Network Data Security Management Regulation stipulates special protection obligations for providers of important data, including organizational safeguards, process controls, ongoing monitoring, and restrictions on outbound transfer. The regulation requires providers of important data to designate a person in charge of data security and a management body; conduct risk assessments before providing or entrusting the processing of important data; implement safeguards and report to relevant departments in circumstances that may affect the security of important data; and conduct annual risk assessments of network data processing activities, reporting the findings.
The rules governing the cross-border flow of important data are a focal point of China’s data classification and grading system. In principle, important data collected and generated within China should be stored domestically. Regarding the outbound transfer of important data, pursuant to relevant provisions in the Cybersecurity Law of the People’s Republic of China, the Data Security Law, the Network Data Security Management Regulation, the Measures for the Security Assessment of Outbound Data Transfer and the Provisions on Promoting and Regulating Cross-Border Data Flow, where a data provider genuinely needs to provide important data collected and generated within China to entities overseas, it must first undergo a data outbound transfer security assessment organized by the CAC. Only important data assessed as not endangering national security or the public interest may be transferred out of China.
Draft Guidelines Apply Specifically to the Financial Information Services Sector
Within the financial sector, two distinct data classification and grading systems exist: one applicable to the business scope of the People’s Bank of China (“PBOC”) and another applicable to the financial information services sector. The Measures for the Administration of Data Security in the Business Scope of the People’s Bank of China stipulates the system applicable to the PBOC’s business scope. Its regulated entities are financial institutions, including banking financial institutions, payment institutions, and clearing institutions. The data involved primarily includes that generated and processed in areas such as monetary credit, payment and settlement, credit reporting, anti-money laundering, financial market supervision, and financial consumer rights protection.
The Draft Guidelines apply specifically to the data classification and grading system for the financial information services sector. Their regulated entities are all providers engaged in financial information services within China, i.e., organizations that provide information and/or financial data services that may influence financial markets to users engaged in financial analysis, transactions, decision-making, or other financial activities. This includes, but is not limited to, financial information platforms, data service providers, and fintech companies. The data involved is that collected and generated during the provision of financial information services, including market data and user data, excluding data related to state secrets or military affairs. This sector’s system provides financial information service providers with specific elements for identifying important data within the field, a classification framework, and reporting templates, assisting them in fulfilling the identification and declaration obligations.
The Data Classification and Grading System for Financial Information Services
According to the Draft Guidelines, the core framework of this system is divided into two parts: classification and grading. Data in this sector is classified in a three-tier hierarchy based on business attributes. The top tier comprises three categories: business data, user data, and enterprise data. These are subdivided into nine second-level categories: under business data, financial market data, macroeconomic data, organizational data, industry indicator data, and information report data; under user data, personal user data and institutional user data; under enterprise data, operations management data and system operation and maintenance data. These second-level categories are further detailed into 66 third-level categories, including, under business data, equity data, bond data, fund data, wealth management product data, foreign exchange data, and commodity data; under user data, transaction data and biometric recognition information; and under enterprise data, financial data, settlement management data, human resources data, marketing data, etc.
Based on this classification, and according to the potential harm should the data be compromised or illegally processed, it is graded from high to low into four levels (core data, important data, sensitive general data, regular general data), thereby triggering different legal obligations. Important data is data which, if leaked or damaged, could directly endanger national security, economic operation, social stability, or public health and safety. Core data refers to important data which, if illegally used or shared, could directly impact national political security; it constitutes the most critical and sensitive subset of important data. Sensitive general data refers to data which, if leaked or damaged, could significantly impact economic operation, public interests, or the rights and interests of organizations or individuals. Regular general data refers to all other data not falling into the above three levels.
The Draft Guidelines establish two key operational principles for this system to ensure alignment between provider assessments and regulatory requirements. The first is the highest-level principle. When grading a dataset composed of multiple data items, the dataset’s level is determined by the highest level among its constituent items. The second is the deference to authority principle, meaning the regulatory authority holds final decision-making power over data grading. If certain data has been explicitly designated as core or important data, the regulatory designation must be followed regardless of internal assessment outcomes. Furthermore, data grading is subject to dynamic updates. Appendix A provides illustrative scenarios. Appendix B furnishes a template for reporting catalogs of important data.
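The two operational principles above (highest level wins within a dataset; a regulatory designation overrides the internal assessment) and the important-data obligations described earlier are the parts of this regime that an internal data-catalog tool would actually have to encode. The following is an added example of how a provider's compliance tooling might encode them; it is not code from the Draft Guidelines or from any regulator. The `DataItem` catalog shape, the item names and the sample dataset are constructed for illustration and are not Appendix B's reporting template, and the obligation strings paraphrase the obligations summarised in this article rather than quoting the regulations.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class Level(IntEnum):
    """Grading levels from the Draft Guidelines, ordered from low to high
    so that max() implements the highest-level principle directly."""
    REGULAR_GENERAL = 0
    SENSITIVE_GENERAL = 1
    IMPORTANT = 2
    CORE = 3


@dataclass(frozen=True)
class DataItem:
    """One catalogued data item. Hypothetical catalog shape (assumption):
    not the Appendix B template."""
    name: str
    category: str                      # third-level category, e.g. "equity data"
    assessed: Level                    # provider's own internal assessment
    designated: Optional[Level] = None # explicit regulatory designation, if any


def effective_level(item: DataItem) -> Level:
    """Deference-to-authority principle: an explicit regulatory designation
    replaces the internal assessment for that item outright."""
    return item.designated if item.designated is not None else item.assessed


def grade_dataset(items: Iterable[DataItem],
                  dataset_designation: Optional[Level] = None) -> Level:
    """Grade a dataset composed of several items.

    Highest-level principle: the dataset takes the highest level among its
    constituent items. If the regulator has designated the dataset as a whole,
    that designation is final (modelling assumption: a whole-dataset
    designation supersedes the item-by-item result)."""
    items = list(items)
    if not items:
        raise ValueError("cannot grade an empty dataset")
    if dataset_designation is not None:
        return dataset_designation
    return max(effective_level(item) for item in items)


# Obligations that important data (and therefore core data) triggers, as
# summarised in this article. Wording here is a paraphrase, not statutory text.
IMPORTANT_DATA_OBLIGATIONS = frozenset({
    "store domestically",
    "designate a data security person in charge and a management body",
    "risk assessment before providing or entrusting processing of the data",
    "annual risk assessment of network data processing, reported to authorities",
    "CAC outbound transfer security assessment before any overseas provision",
})


def obligations(level: Level) -> frozenset:
    """Obligations triggered by a grading outcome. Only the important-data
    tier is modelled; general data carries none of these specific duties."""
    return IMPORTANT_DATA_OBLIGATIONS if level >= Level.IMPORTANT else frozenset()


def outbound_transfer_permitted(level: Level, cac_assessment_passed: bool) -> bool:
    """Gate an overseas transfer: important and core data may leave China only
    after a CAC security assessment finds no danger to national security or
    the public interest. Other cross-border regimes that may apply to general
    data (e.g. personal information rules) are out of scope here."""
    if level >= Level.IMPORTANT:
        return cac_assessment_passed
    return True


# Constructed sample catalog (not real designations): one item has been
# explicitly designated important by the regulator even though the provider
# assessed it as sensitive general data.
SAMPLE_DATASET = [
    DataItem("a_share_quotes", "equity data", Level.SENSITIVE_GENERAL),
    DataItem("bond_yield_curve", "bond data", Level.SENSITIVE_GENERAL,
             designated=Level.IMPORTANT),
    DataItem("user_trade_history", "transaction data", Level.REGULAR_GENERAL),
]


if __name__ == "__main__":
    level = grade_dataset(SAMPLE_DATASET)
    print("dataset level:", level.name)
    for duty in sorted(obligations(level)):
        print(" -", duty)
    print("outbound transfer without CAC assessment:",
          outbound_transfer_permitted(level, cac_assessment_passed=False))
```

The point the override illustrates is that the internal assessment alone would have graded the sample dataset as sensitive general data; the single designated item pulls the whole dataset up to important data and, with it, switches on domestic storage and the CAC outbound assessment gate for every item packaged with it.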
Comment
China’s data classification and grading system constitutes a regulatory framework based on data risk levels. The release of the Draft Guidelines signifies a pivotal shift in the regulation of China’s financial information services sector from principle-based to rule-based oversight. It mandates that financial information service providers proactively establish a complete internal compliance control process encompassing “identification, grading, reporting, and protection”. For multinational enterprises, the era of passive response has ended. Before the comment period closes on 23 February 2026, actively understanding the rules, assessing their own data assets, and even providing feedback through compliant channels are not merely defensive measures to mitigate risk but represent a strategic starting point for building long-term, robust data competitiveness in China.