---
title_en: "Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors (Draft for Public Consultation)"
title_zh: "银行业保险业网络安全管理办法（征求意见稿）"
abbreviation: "Banking & Insurance Cybersecurity Measures (Draft)"
hierarchy: "draft"
issuing_body: "National Financial Regulatory Administration"
status: "draft"
source_url: "https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1264207&itemId=951"
related_laws: ["csl", "dsl", "pipl", "cii-protection-regulations", "financial-sector-cybersecurity-management-measures-draft", "nfra-banking-insurance-data-security-measures"]
domains: ["finance", "data-security", "critical-information-infrastructure"]
url: https://datacompliancechina.com/laws/banking-insurance-cybersecurity-measures-draft/
summary: "A July 10, 2026 public-consultation draft in which the National Financial Regulatory Administration (NFRA) would consolidate cybersecurity supervision of banking financial institutions, insurance financial institutions, and financial holding companies into a single 72-article sectoral rulebook under the CSL, DSL, PIPL, and CII Regulations, expressly interlocking with the cross-sector financial-industry cybersecurity measures released for comment on July 3. The draft fixes board and Party-committee primary responsibility with the institution's principal officer as first person responsible; requires an independent cybersecurity risk-management function, network security domains with minimum-necessary cross-domain access, a six-month log-retention floor, closed-loop vulnerability management with industry-impact reporting, pre-launch security testing for MLPS Level 3-and-above and internet-facing systems, supply-chain product inventories, and annual penetration testing plus a triennial cybersecurity audit. A four-tier incident scale keyed to data compromise and outage duration drives reporting clocks: two hours to the NFRA for Level 3 and above, with two-hourly progress reports for Level 1 incidents. A dedicated CII chapter requires domestic operation and maintenance, disaster-recovery centers capable of fully taking over production, MLPS grading no lower than Level 3, cybersecurity review of procurement that may affect national security, annual procurement-list filing, a 24/7 security operations center, in-house mastery of key technologies, and a one-hour incident-reporting deadline to the NFRA and public security authorities. Comments close August 10, 2026."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/banking-insurance-cybersecurity-measures-draft/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors (Draft for Public Consultation)", https://datacompliancechina.com/laws/banking-insurance-cybersecurity-measures-draft/
**Released for public comment:** July 10, 2026.
**Public-comment deadline:** August 10, 2026.

> *Summary entry. The original Chinese consultation text released through the
> National Financial Regulatory Administration controls. DCC's structured
> summary of the draft is published as a brief:
> [NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures](/posts/nfra-banking-insurance-cybersecurity-measures-draft/).*

## Source documents

- **Official consultation page:** [NFRA](https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1264207&itemId=951)

## Structure

Eight chapters, 72 articles, plus a grading annex: General Provisions;
Cybersecurity Governance; Cybersecurity Construction and Operation Management;
Cybersecurity Risk Monitoring; Cybersecurity Incident Response and Disposal;
Critical Information Infrastructure Management; Supervision and Administration;
Supplementary Provisions. The annex sorts cybersecurity incidents into four
tiers — extraordinarily major (Level 1), major (Level 2), relatively major
(Level 3), and ordinary (Level 4) — by data-security impact, outage duration
and geographic spread, and harm to national security, social order, and the
public interest.

## Relationship to the July 3 financial-sector draft

The NFRA states that this draft interlocks with the
[Measures for Cybersecurity Management in the Financial Sector (Draft for Comment)](/laws/financial-sector-cybersecurity-management-measures-draft/)
released July 3 by the four State Council financial management departments: the
cross-sector text sets the common frame, while this rule supplies the
banking-and-insurance implementation layer, with materially tighter operational
requirements — reporting clocks, disaster-recovery takeover capability, the
24/7 security operations center, and annual attack-defense exercises among
them.
