Analysis of Administrative Measures for Data Security Management in the People’s Bank of China’s Business Areas
Published 15 May 2025
Sarah Xuan
On 1 May 2025, the PBC issued the “Administrative Measures for Data Security Management in the People’s Bank of China’s Business Areas” (hereinafter referred to as “the Measures”), to curb the risks associated with illegal use, leakage, and misuse of financial data. The Measures will go into effect on 30 June 2025.
The Data Security Law and the Personal Information Protection Law, both implemented in 2021, as well as the earlier-enacted Cybersecurity Law, set forth relevant provisions on safeguarding data security within the financial sector, particularly concerning sensitive personal information and data significantly impacting national economic security. To address specific challenges in financial data security, the PBC has issued the specialized regulatory measure, the Administrative Measures, based on these foundational laws. The Measures concretely implement and refine legal requirements regarding data security in the financial domain, clearly defining data security standards and operational norms applicable to business data under PBC supervision, to ensure that financial data can be circulated, developed, and utilized effectively within a lawful and compliant framework.
This article will briefly analyze the relevant provisions of the Measures and the impact that the implementation of the Measures will have.
I. Entities Subject to Regulation under the Administrative Measures
According to Article 2 of the Administrative Measures, these regulations apply to activities involving the processing of data within the business scope of the People’s Bank of China (PBOC), as well as related security supervision and management conducted within the territory of the People’s Republic of China. Consequently, any entities handling data related to PBOC operations, financial payments, credit reporting, and other sensitive financial information are subject to these Measures. Such entities specifically include:
1. The People’s Bank of China and its branches, encompassing the headquarters, regional branches, local branches, and directly affiliated institutions such as the Credit Information Center, payment clearing institutions, and foreign exchange administrative departments.
2. Banking financial institutions, including state-owned banks, joint-stock commercial banks, city commercial banks, rural commercial banks, and branches of foreign banks.
3. Non-bank payment institutions, such as third-party payment platforms (e.g., Alipay, WeChat Pay) holding relevant payment licenses.
4. Financial market infrastructure entities, including securities registration and settlement organizations, China UnionPay, and China Foreign Exchange Trade System.
5. Credit reporting agencies and credit rating institutions.
6. Technology companies or outsourced service providers engaged in fintech services, such as financial big data analytics and financial risk management.
7. Providers of financial infrastructure technology services, including cloud computing, data hosting, and data center services.
II. Key elements of the Measures
The Measures are divided into seven chapters, covering comprehensive content, including specific data classification, full-process management requirements, technical security requirements, risk and incident management strategies, legal responsibilities, and relevant terminological definitions. Key elements include:
1. Data Security Classification
The Measures explicitly categorize business data into three levels: general data, important data, and core data. General data carries relatively lower security risks. Important data pertains directly to national security, economic stability, and social order. Core data is even more sensitive, with its unauthorized disclosure or misuse potentially directly threatening national political security. The PBC dynamically manages and updates the important data directory, requiring data handlers to accurately identify, declare, and register their important and core data, ensuring precise regulatory measures.
2. Full-Process Data Security Management Requirements
The Measures establish a comprehensive data security management system covering the entire lifecycle of data, including collection, storage, usage, processing, transmission, provision, and destruction. Data handlers must create detailed data resource catalogs, clearly establish classification and grading systems, and implement differentiated security protection measures tailored to data types. For highly sensitive data in particular, encrypted storage and transmission are mandated as a general rule, with strict controls on external export and sharing, thereby preventing unauthorized disclosure or misuse.
3. Technical Security Requirements
The Measures provide explicit technical guidelines for data security management, including strengthened access controls and identity authentication, and strict management of data-processing accounts and permissions. Important data systems must meet the Level III cybersecurity protection standards, while core data systems must meet Level IV cybersecurity protection or critical information infrastructure protection standards. Additionally, the Measures emphasize establishing a comprehensive logging system for data processing activities, clearly specifying log retention periods for data of different sensitivities.
4. Risk Monitoring and Incident Management
For risk management, the Measures require data handlers to continuously monitor risks, with special attention to highly sensitive data security. In the event of data security incidents, immediate measures must be taken, and timely reports made to the PBC. Handlers of important data must conduct annual risk assessments and emergency response drills to enhance their risk control and incident management capabilities, ensuring effective containment of data security risks.
5. Penalty Provisions
The Measures set out specific legal responsibilities, including:
1) Clearly stating that when data processors fail to fulfill relevant obligations, the People’s Bank of China (PBOC) may adopt measures such as conducting regulatory talks, ordering rectifications, or imposing administrative penalties.
2) For data-processing activities potentially threatening national security, cases will be directly referred to national security authorities for review.
3) The following violations will incur penalties according to Article 45 of the Data Security Law:
a) Failure to establish a comprehensive business-data security management system;
b) Failure to organize data-security education and training;
c) Failure to implement necessary technical and other measures to protect data security;
d) Important data processors not clearly appointing security officers and management bodies;
e) Ineffective monitoring of data-security risks;
f) Failure to promptly implement remedial actions upon identifying risks;
g) Failure to immediately respond to data-security incidents, promptly inform affected users, or report incidents as required;
h) Important data processors failing to conduct annual risk assessments or submit required assessment reports.
According to Article 45 of the Data Security Law, the following penalties apply to the aforementioned violations:
1. Orders to rectify violations and issuance of warnings;
2. In cases of refusal to rectify or significant consequences, fines ranging from RMB 50,000 to RMB 500,000 for the responsible entities, and RMB 10,000 to RMB 100,000 for individuals directly responsible.
III. Impacts of Implementing the Administrative Measures
The implementation of the Measures will have varying implications for foreign and domestic enterprises:
1. For foreign enterprises, stricter regulations on data classification, grading, and cross-border data transfer will increase compliance complexity and costs, prompting these enterprises to intensify data localization in China and invest additional resources to establish robust data-security systems.
2. For domestic enterprises, these Measures will encourage financial institutions to strengthen their data governance structures, substantially improving their technological capabilities and risk-management standards, particularly in data classification and grading, encrypted transmission, risk monitoring, and emergency response.
Summary and Comments
The introduction of the Measures provides clear standards and norms for data security management within PBC’s business domains. This is mainly reflected in the following:
1. Enhanced Data Classification Management: Clearly defines the sensitivity levels of different data types, explicitly stating security protection requirements, emphasizing important and core data management.
2. Institutionalized Full-Process Data Security Management: Provides clear requirements covering the entire data lifecycle from generation to destruction, promoting meticulous and procedural data management.
3. Clear and Standardized Technical Security Requirements: Establishes explicit technical security standards, facilitating specific and standardized data security protection.
4. Systematic Risk Monitoring and Emergency Response: Sets up a robust system for risk monitoring and emergency response, emphasizing proactive risk management and enhancing controllability of data security risks.
5. Explicit Legal Responsibilities: Clearly delineates legal consequences for violations, intensifying enforcement measures and penalties, thus increasing data handlers’ compliance awareness.
In conclusion, the introduction of the Measures will significantly enhance data security control capabilities. This promotes the coordinated development of financial data security and financial innovation applications, contributes to a safer and more stable data environment, and fosters the healthy and sustainable development of the financial sector.