China Issues a New Mandatory National Standard on Data Security Technology for Electronic Product Information Sanitization
Published 16 December 2025
Xia Yu
On 13 December 2025, China officially issued the Technical Requirements for Information Sanitization of Electronic Products (“Technical Requirements”), a new mandatory national standard aimed at enhancing data security in electronic products. The Technical Requirements is part of China’s broader effort to address the growing concerns surrounding data security and privacy in the context of electronic products. It will formally take effect on 1 January 2027.
As a mandatory national standard, the Technical Requirements serve as an essential technical specification for information sanitization, offering a structured approach to the secure processing of sensitive data in electronic products. These requirements also provide supporting implementation measures for key laws and regulations, including the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, and the Personal Information Protection Law of the People’s Republic of China.
Scope and Application
The Technical Requirements apply to electronic products with non-volatile storage media that are produced and sold within China (excluding those processing state secrets). They are relevant to businesses involved in the manufacturing, recycling, refurbishment, or disposal of such products, including mobile phones, tablets, laptops, desktop computers, smart wearable devices, and office equipment. These businesses are now obligated to implement data sanitization measures to ensure the protection of sensitive information before sale, disposal or resale.
The Technical Requirements also extend to various sectors, including the consumer electronics industry, waste management companies, and e-waste recycling organizations. These entities must follow specific procedures for ensuring the effective sanitization of stored data, meeting the national standard to ensure compliance with the prevailing data protection laws.
Key Technical Measures and Compliance Obligations
According to the Technical Requirements, information sanitization refers to the technical processing of all user data stored on the storage media of an electronic product, rendering it irreversible and preventing subsequent access to or recovery of such data by technical means after the sanitization process. For this purpose, the Technical Requirements prescribe two core technical measures: data overwrite and block erase. Data overwrite applies to electronic products utilizing magnetic storage media. It involves writing fixed or random meaningless data to the electronic product, covering each storage unit associated with user data. For electronic products with magnetic storage media, overwriting must be performed at least three times, including at least one overwrite pass using random data. Block erase typically applies to electronic products utilizing semiconductor storage media that support hardware erase commands. It refers to the fundamental erasure operation performed on a physical block of the storage medium by invoking the medium’s specific command, thereby deleting all data within that physical block. Operations that merely clear the mapping between logical and physical addresses, or mark data as invalid without erasing the user data from the physical blocks, do not constitute block erase. For electronic products with semiconductor storage media, it is required to delete the mapping between the logical and physical addresses of the user data and to perform at least one data overwrite pass.
To ensure user data security at the source, the Technical Requirements stipulate that the electronic product manufacturers shall provide users with built-in information sanitization functionality. This sanitization functionality must cover various types of user-generated files, contact lists, applications and their data, authentication information, encryption keys, and similar elements. If the development of built-in functionality is not feasible, the manufacturers must provide external information sanitization tools, inform users of available information sanitization tools provided by third-party institutions, or offer users free information sanitization services. Prior to executing sanitization, the scope, methods, and implications of the information sanitization must be clearly disclosed to the user, and the user’s consent must be obtained. During the execution of sanitization, the manufacturers shall verify the conditions for performing the information sanitization and inform the user of the reasons if the conditions are not met. Should the information sanitization fail, the manufacturers shall re-execute the information sanitization function or provide the user with alternative information sanitization methods. For electronic products equipped with administrator-side applications, the manufacturers shall prompt the user to actively unbind the administrator account from the electronic product or perform the unbinding automatically.
Regarding the used electronic product recycling operators, the Technical Requirements stipulate that they must fulfill obligations related to notification and authorization, thorough sanitization, verification and record-keeping, and documentation establishment. The obligation of notification and authorization requires to proactively notify users to perform sanitization prior to recycling. Without the user’s consent, they must not access or retain user data. The obligation of thorough sanitization requires to use functions or tools compliant with the Technical Requirements to perform sanitization. If a product is damaged and cannot be sanitized using software methods, the storage media must be physically destroyed. The obligation of verification and record-keeping requires to verify the effectiveness of the sanitization before sale. The electronic products from which user data has not been sanitized are prohibited from being resold or exported. The obligation of documentation establishment requires to maintain records of sanitization operations and verification results for no less than three years.
Regulatory Compliance and Enforcement
The Technical Requirements not only mandates technical compliance but also emphasizes the importance of ensuring that data sanitization is carried out in a manner consistent with China’s Data Security Law and the Personal Information Protection Law. Failure to comply with these regulations can lead to significant legal and financial risks, including penalties for unauthorized data exposure or breaches.
Foreign-invested enterprises engaged in the manufacture, sale, or recycling of electronic products in China should pay particular attention to the compliance implications of the Technical Requirements. Specifically, companies must ensure that their operations align with the stringent data sanitization obligations and record-keeping requirements.
Conclusion
As China continues to strengthen its data protection laws, the introduction of the Technical Requirements represents a crucial step in addressing the increasing threats related to data security in the digital age. Companies involved in the manufacturing, recycling, disposal, or refurbishment of electronic products in China must act swiftly to ensure compliance with this new standard, safeguarding both their operations and the sensitive data entrusted to them by consumers.
As a mandatory national standard, the Technical Requirements serve as an essential technical specification for information sanitization, offering a structured approach to the secure processing of sensitive data in electronic products. These requirements also provide supporting implementation measures for key laws and regulations, including the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, and the Personal Information Protection Law of the People’s Republic of China.
Scope and Application
The Technical Requirements apply to electronic products with non-volatile storage media that are produced and sold within China (excluding those processing state secrets). They are relevant to businesses involved in the manufacturing, recycling, refurbishment, or disposal of such products, including mobile phones, tablets, laptops, desktop computers, smart wearable devices, and office equipment. These businesses are now obligated to implement data sanitization measures to ensure the protection of sensitive information before sale, disposal or resale.
The Technical Requirements also extend to various sectors, including the consumer electronics industry, waste management companies, and e-waste recycling organizations. These entities must follow specific procedures for ensuring the effective sanitization of stored data, meeting the national standard to ensure compliance with the prevailing data protection laws.
Key Technical Measures and Compliance Obligations
According to the Technical Requirements, information sanitization refers to the technical processing of all user data stored on the storage media of an electronic product, rendering it irreversible and preventing subsequent access to or recovery of such data by technical means after the sanitization process. For this purpose, the Technical Requirements prescribe two core technical measures: data overwrite and block erase. Data overwrite applies to electronic products utilizing magnetic storage media. It involves writing fixed or random meaningless data to the electronic product, covering each storage unit associated with user data. For electronic products with magnetic storage media, overwriting must be performed at least three times, including at least one overwrite pass using random data. Block erase typically applies to electronic products utilizing semiconductor storage media that support hardware erase commands. It refers to the fundamental erasure operation performed on a physical block of the storage medium by invoking the medium’s specific command, thereby deleting all data within that physical block. Operations that merely clear the mapping between logical and physical addresses, or mark data as invalid without erasing the user data from the physical blocks, do not constitute block erase. For electronic products with semiconductor storage media, it is required to delete the mapping between the logical and physical addresses of the user data and to perform at least one data overwrite pass.
To ensure user data security at the source, the Technical Requirements stipulate that the electronic product manufacturers shall provide users with built-in information sanitization functionality. This sanitization functionality must cover various types of user-generated files, contact lists, applications and their data, authentication information, encryption keys, and similar elements. If the development of built-in functionality is not feasible, the manufacturers must provide external information sanitization tools, inform users of available information sanitization tools provided by third-party institutions, or offer users free information sanitization services. Prior to executing sanitization, the scope, methods, and implications of the information sanitization must be clearly disclosed to the user, and the user’s consent must be obtained. During the execution of sanitization, the manufacturers shall verify the conditions for performing the information sanitization and inform the user of the reasons if the conditions are not met. Should the information sanitization fail, the manufacturers shall re-execute the information sanitization function or provide the user with alternative information sanitization methods. For electronic products equipped with administrator-side applications, the manufacturers shall prompt the user to actively unbind the administrator account from the electronic product or perform the unbinding automatically.
Regarding the used electronic product recycling operators, the Technical Requirements stipulate that they must fulfill obligations related to notification and authorization, thorough sanitization, verification and record-keeping, and documentation establishment. The obligation of notification and authorization requires to proactively notify users to perform sanitization prior to recycling. Without the user’s consent, they must not access or retain user data. The obligation of thorough sanitization requires to use functions or tools compliant with the Technical Requirements to perform sanitization. If a product is damaged and cannot be sanitized using software methods, the storage media must be physically destroyed. The obligation of verification and record-keeping requires to verify the effectiveness of the sanitization before sale. The electronic products from which user data has not been sanitized are prohibited from being resold or exported. The obligation of documentation establishment requires to maintain records of sanitization operations and verification results for no less than three years.
Regulatory Compliance and Enforcement
The Technical Requirements not only mandates technical compliance but also emphasizes the importance of ensuring that data sanitization is carried out in a manner consistent with China’s Data Security Law and the Personal Information Protection Law. Failure to comply with these regulations can lead to significant legal and financial risks, including penalties for unauthorized data exposure or breaches.
Foreign-invested enterprises engaged in the manufacture, sale, or recycling of electronic products in China should pay particular attention to the compliance implications of the Technical Requirements. Specifically, companies must ensure that their operations align with the stringent data sanitization obligations and record-keeping requirements.
Conclusion
As China continues to strengthen its data protection laws, the introduction of the Technical Requirements represents a crucial step in addressing the increasing threats related to data security in the digital age. Companies involved in the manufacturing, recycling, disposal, or refurbishment of electronic products in China must act swiftly to ensure compliance with this new standard, safeguarding both their operations and the sensitive data entrusted to them by consumers.