The Cyberspace Administration of China, together with the Ministry of Industry and Information Technology and the Ministry of Public Security, has jointly released the "Network Data Security Risk Assessment Measures". Important data must be assessed annually.
The Measures stipulate that network data processors of important data should conduct annual risk assessments. If there are significant changes in the security status of important data that may have a detrimental impact on data security, risk assessments should be promptly conducted on the changed part and its impact.
On June 18th, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security jointly announced the "Network Data Security Risk Assessment Measures" (referred to as the "Measures" hereinafter). They will be implemented starting from August 20, 2026. The Measures stipulate that network data handlers of important data should conduct risk assessments annually, and if significant changes occur in the security status of important data that may have a negative impact on data security, they should promptly assess the changes and their effects. Additionally, the Measures encourage network data handlers processing general data to conduct a risk assessment at least once every 3 years. Under the guidance of the national data security work coordination mechanism, the Cyberspace Administration of China, in conjunction with relevant departments such as the State Council's telecommunications and public security departments, will establish a special mechanism for the assessment of network data security risks to guide and supervise the risk assessment work. Annual risk assessment inspection plans should be submitted to the Cyberspace Administration of China by the end of January each year. Furthermore, for the same network data security incident or risk, network data handlers shall not be repeatedly required to entrust assessment agencies with risk assessments.
The text of the Measures sets out the rules for network data security risk assessment, with the first chapter outlining general provisions. It states that the Measures are formulated to regulate network data security risk assessment activities, ensure network data security, and promote the lawful and effective utilization of network data, and that they are based on laws and regulations such as the Data Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, and the Regulation on Network Data Security Management.
In conducting network data security risk assessment within the territory of the People's Republic of China, one must comply with these Measures. The Measures define network data security risk assessment as activities conducted for the identification, analysis, and evaluation of risks related to the security of network data and network data processing activities.
Under the guidance of the national data security work coordination mechanism, the Cyberspace Administration of China, together with relevant departments such as the State Council's telecommunications and public security departments, will establish a special mechanism for the assessment of network data security risks to guide and supervise the risk assessment work.
Relevant competent authorities shall organize and conduct regular industry and field risk assessments in accordance with the principle that whoever is responsible for an industry's business is also responsible for its business data and its data security. They shall inspect the risk assessments of network data handlers processing important data in their industry or field as work needs require, and submit an annual risk assessment inspection plan to the Cyberspace Administration of China by the end of January each year. Through the national data security work coordination mechanism, the Cyberspace Administration of China will share the plan with relevant departments such as the State Council's telecommunications, public security, and national security departments for coordination, to avoid unnecessary, duplicate, and overlapping inspections.
Relevant competent authorities shall not charge important data handlers being inspected for their risk assessments.
Important data handlers should conduct a risk assessment annually. If there is a significant change in the security status of important data that may have a negative impact on data security, they should promptly assess the changes and their effects. Network data handlers processing general data are encouraged to conduct a risk assessment at least once every 3 years.
Risk assessment work should be carried out in accordance with the requirements of the Data Security Law of the People's Republic of China, the Regulation on Network Data Security Management, and relevant national standards for data security risk assessment. If relevant competent authorities have other provisions for industry and field risk assessment work, those provisions shall apply.
Network data handlers may conduct risk assessments on their own or entrust third-party assessment agencies (referred to as assessment agencies) to conduct risk assessments. When network data handlers conduct risk assessments on their own, they should designate specific individuals responsible for the assessment. If the assessment agencies are entrusted to conduct risk assessments, both parties should clearly define their rights and obligations through contracts or other legally effective documents.
Assessment agencies are encouraged to obtain certification. The certification of assessment agencies shall be in accordance with the relevant provisions of the Regulations on Certification and Accreditation of the People's Republic of China.
Under the guidance of the national data security work coordination mechanism, the Cyberspace Administration of China and relevant departments such as the State Council's telecommunications and public security departments actively promote the development of network data security risk assessment services and cultivate assessment agencies.
Assessment agencies conducting risk assessments should comply with laws and regulations, make risk judgments impartially and objectively, and be responsible for the authenticity, effectiveness, and completeness of the risk assessment reports they issue.
Assessment agencies are not allowed to subcontract risk assessments to other organizations. The same assessment agency and its affiliated organizations are not allowed to conduct annual risk assessments on the same network data handler more than three times in a row.
If assessment agencies discover significant data security risks in the course of risk assessment, they should notify the network data handlers promptly.
Assessment agencies and their staff should keep data, trade secrets, confidential commercial information, etc., obtained during the risk assessment confidential in accordance with the law, and not disclose or illegally provide them to others. They should promptly delete or handle relevant information as stipulated in the contract after the risk assessment is completed.
Important data handlers conducting annual risk assessments should compile risk assessment reports in accordance with the provisions of the relevant competent authorities. If the relevant competent authorities have no regulations on risk assessment reports, they can refer to national standards for data security risk assessment reports. Risk assessment reports should be kept for at least three years.
After completing the annual risk assessment, important data handlers should submit the risk assessment report to the relevant competent authorities within 20 working days as required. If the supervising authority is not specified, they shall submit the report to the provincial-level Cyberspace Administration or the national Cyberspace Administration.
Relevant competent authorities should publicize the channels and contact information for submitting risk assessment reports, and promptly receive the risk assessment reports submitted by important data handlers. Within 10 working days of receiving a risk assessment report, they shall forward it to the Cyberspace Administration at the same level. The national Cyberspace Administration shall compile the relevant reports and share them with relevant departments such as the State Council's telecommunications, public security, and national security departments.
Provincial-level and above Cyberspace Administrations, telecommunications authorities, public security agencies, national security agencies, and other relevant departments may check the authenticity and accuracy of risk assessment reports of important data handlers. Important data handlers should cooperate with the inspection and verification.
Provincial-level and above Cyberspace Administrations, telecommunications authorities, public security agencies, and other relevant departments may require important data handlers to entrust certified assessment agencies to conduct risk assessments if they find that the processing activities of network data pose significant security risks that may harm national security or public interests, or if a network data security incident leads to significant data leaks or theft of large-scale personal information, among other scenarios. For the same network data security incident or risk, network data handlers shall not be repeatedly required to entrust assessment agencies for risk assessments.
When the relevant departments require a network data handler to entrust an assessment agency with a risk assessment, the handler shall fulfill the following obligations:
Provide the necessary support for the assessment agency to conduct the risk assessment, including the necessary access to network data facilities, network data, systems, and operation log records.
Complete the risk assessment within the stipulated time. In complex situations, with the approval of the relevant departments, the time limit can be appropriately extended.
After completing the risk assessment, submit the risk assessment report issued by the assessment agency to the relevant departments. The risk assessment report should be signed by the head of the assessment agency and the person in charge of the risk assessment and stamped with the organization's official seal.
Rectify the issues identified in the risk assessment according to the requirements of the relevant departments. After completing the rectification, submit a report on the rectification within 15 working days to the relevant departments.
Network data handlers shall not, by any means, request or hint to assessment agencies that they issue false or improper risk assessment reports.
If the relevant departments find that network data handlers have not conducted risk assessments as required or if assessment agencies violate the Measures in conducting risk assessments, they shall handle the situation in accordance with the Data Security Law of the People's Republic of China, the Regulation on Network Data Security Management, and other related laws and regulations.
The risk assessment of network data handlers handling core data shall be carried out in accordance with relevant national regulations. Where technologies such as the encryption of important data are involved, a commercial cryptography application security assessment should be conducted in accordance with the relevant national laws and regulations on cryptography.
Activities involving national secrets and work secrets in risk assessment shall be carried out in accordance with the laws and regulations on the protection of national secrets in the People's Republic of China and other relevant laws, administrative regulations, and national confidentiality provisions.
These Measures shall be implemented starting from August 20, 2026.
"Q&A on the Network Data Security Risk Assessment Measures"
Q1: Please introduce the background of the Measures.
A: The "Fifteenth Five-Year Plan for National Economic and Social Development of the People's Republic of China" proposes the implementation of classified management of data and the enhancement of data security protection capabilities. Article 30 of the Data Security Law stipulates that handlers of important data should conduct regular risk assessments of their data processing activities in accordance with regulations and submit risk assessment reports to the relevant competent authorities. Article 33 of the Regulation on Network Data Security Management stipulates that handlers of important data should conduct risk assessments of their network data processing activities annually. Article 48 specifies that relevant competent authorities are responsible for supervising and managing network data security in their respective industries and fields, organizing regular industry and field risk assessments.
The issuance of the Measures is an important step in implementing the deployment of the Party Central Committee and the State Council on data security governance and the requirements of laws and regulations. It aims to clarify the methods and procedures of risk assessment work, strengthen coordination and collaboration on risk assessment at all levels, guide network data handlers to enhance their data security protection capabilities through network data security risk assessment, safeguard the security of important data nationwide, and promote high-quality development of the digital economy with high-level security.
Q2: What is the scope of application of the Measures?
A: The Measures must be followed when conducting network data security risk assessment within the territory of the People's Republic of China.
The network data security risk assessment (hereinafter referred to as risk assessment) as mentioned in the Measures refers to activities carried out for the identification, analysis, and evaluation of risks related to the security of network data and network data processing activities.
Q3: Which entities need to conduct risk assessments?
A: According to laws and regulations such as the Data Security Law and the Regulation on Network Data Security Management, the Measures specify that handlers of important data should conduct a risk assessment annually. If there is a significant change in the security status of important data that may have a negative impact on data security, they should promptly assess the changes and their effects.
Additionally, the Measures encourage network data handlers processing general data to conduct a risk assessment at least once every 3 years.
Q4: How are unnecessary, duplicate, and overlapping inspections related to network data security avoided?
A: As required by the Measures, under the guidance of the national data security work coordination mechanism, the Cyberspace Administration of China, in conjunction with relevant departments such as the State Council's telecommunications and public security departments, will establish a special mechanism for the assessment of network data security risks to guide and supervise the risk assessment work.
Relevant competent authorities shall organize and conduct regular industry and field risk assessments based on the principle that whoever is responsible for an industry's business is also responsible for its business data and its data security. They will inspect the risk assessments of network data handlers processing important data in their industry or field as work needs require and submit an annual risk assessment inspection plan to the Cyberspace Administration of China by the end of January each year. The Cyberspace Administration of China will share the plan with relevant departments such as the State Council's telecommunications, public security, and national security departments through the national data security work coordination mechanism for coordination, to avoid unnecessary, duplicate, and overlapping inspections.
Additionally, the Measures stipulate that for the same network data security incidents or risks, network data handlers shall not be repeatedly required to entrust assessment agencies for risk assessments.
Q5: Can risk assessments be conducted by oneself or entrusted to third-party agencies?
A: Network data handlers can choose to conduct risk assessments on their own or entrust third-party assessment agencies to conduct them based on their capabilities and conditions. As required by the Measures, network data handlers conducting risk assessments on their own should designate specific individuals responsible for the assessment. If they entrust assessment agencies to conduct risk assessments, both parties should clearly define their rights and obligations through contracts or other legally effective documents.
Q6: What standards or norms can network data handlers refer to when conducting risk assessments?
A: The recommended national standard "Data Security Technology - Data Security Risk Assessment Method" (GB/T 45577-2025), implemented on November 1, 2025, specifies the implementation process, assessment content, analysis and evaluation methods, and assessment report template for data security risk assessment. The recommended national standard "Data Security Technology - Capability Requirements for Data Security Assessment Organizations" (GB/T 45389-2025), implemented on October 1, 2025, specifies the basic requirements and the management, technical, human resource, and facility and equipment resource capabilities of assessment organizations.
If there are no specific requirements from relevant competent authorities for industry and field risk assessment work, network data handlers can conduct risk assessments and develop corresponding capabilities based on the above standards. If there are other provisions from relevant competent authorities, they can conduct risk assessments according to those standards and specifications.
Q7: What requirements are put forward by the Measures for the cultivation and management of third-party assessment agencies?
A: The Measures strengthen the capacity building of third-party assessment agencies and the standardized management of risk assessment activities. Specific requirements include:
Encouraging relevant assessment agencies to obtain certification to demonstrate their capacity for assessment services.
The Cyberspace Administration of China and relevant departments such as the State Council's telecommunications and public security actively promote the development of network data security risk assessment services and cultivate assessment agencies.
Assessment agencies conducting risk assessments must comply with laws and regulations, make risk judgments impartially and objectively, and be responsible for the authenticity, effectiveness, and completeness of the risk assessment reports they issue.
Assessment agencies are not allowed to subcontract risk assessments to other organizations. The same assessment agency and its affiliated organizations are not allowed to conduct annual risk assessments on the same network data handler more than three times in a row.
If assessment agencies discover significant data security risks in the course of risk assessment, they should notify the network data handlers promptly.
Assessment agencies and their staff should keep data, trade secrets, confidential commercial information, etc., obtained during the risk assessment confidential in accordance with the law and not disclose or illegally provide them to others. After the risk assessment is completed, they should promptly delete or handle the relevant information as stipulated in the contract.
Q8: How do the Measures strengthen supervision before, during, and after risk assessment?
A: To ensure comprehensive and effective supervision throughout the risk assessment and mitigation process, the Measures specify the following requirements:
Relevant competent authorities must organize regular industry and field risk assessments to identify and prevent network data security risks promptly.
Provincial-level and above departments should check and verify the risk assessment reports of important data handlers, require assessments when security risks are identified, and take administrative guidance measures to eliminate network data security risks.
If important data processing activities are found to pose significant risks to national security or public interests, relevant departments must promptly demand rectification; for important data handlers that refuse to rectify or fail to meet the rectification requirements, they must order the suspension of the relevant important data processing activities, among other measures.
Relevant departments are required to enhance risk information sharing and collaborative risk resolution. They must also report promptly according to relevant regulations.
Any organization or individual has the right to complain or report illegal activities identified in risk assessments to relevant departments. Departments that receive complaints or reports must handle them promptly in accordance with the law.
Provincial-level and above Cyberspace Administrations, telecommunications authorities, public security agencies, national security agencies, or relevant departments should take action in accordance with the Data Security Law of the People's Republic of China, the Regulation on Network Data Security Management, and other relevant laws and regulations if they find that network data handlers have not conducted risk assessments as required or if assessment agencies violate the Measures in conducting risk assessments.
For risk assessments of network data handlers handling core data, relevant national regulations must be followed. Where technologies such as the encryption of important data are involved, a commercial cryptography application security assessment should be conducted according to national laws and regulations on cryptography.
Risk assessments involving national secrets and work secrets must comply with the laws and regulations on the protection of national secrets in the People's Republic of China, as well as national confidentiality provisions.
These Measures will take effect starting from August 20, 2026.