The financial sector sits under a dedicated supervisory layer built by China’s two principal financial regulators on top of the general data regime. This domain collects the instruments that banks, insurers, payment institutions, and their technology vendors must layer onto the Data Security Law, the Cybersecurity Law, and PIPL: the People’s Bank of China (PBOC) Measures for Data Security Management in the Business Areas of the People’s Bank, and the National Financial Regulatory Administration (NFRA) Measures for Data Security Management of Banking and Insurance Institutions, together with the legacy CBIRC regulatory-data-security measures.
What distinguishes the financial regime is its own data-classification scheme keyed to the sensitivity of financial information, a heightened full-lifecycle security baseline, mandatory security assessments before outsourcing or sharing, and incident-reporting lines that run to the financial regulators in parallel with the general cybersecurity-incident channel. These rules operationalize the Data Security Law’s call for sector regulators to govern “important data” within their own remit.