Released for public comment: July 10, 2026. Public-comment deadline: August 10, 2026.
Summary entry. The original Chinese consultation text released through the National Financial Regulatory Administration controls. DCC’s structured summary of the draft is published as a brief: NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures.
Source documents
- Official consultation page: NFRA
Structure
Eight chapters, 72 articles, plus a grading annex: General Provisions; Cybersecurity Governance; Cybersecurity Construction and Operation Management; Cybersecurity Risk Monitoring; Cybersecurity Incident Response and Disposal; Critical Information Infrastructure Management; Supervision and Administration; Supplementary Provisions. The annex sorts cybersecurity incidents into four tiers — extraordinarily major (Level 1), major (Level 2), relatively major (Level 3), and ordinary (Level 4) — by data-security impact, outage duration and geographic spread, and harm to national security, social order, and the public interest.
Relationship to the July 3 financial-sector draft
The NFRA states that this draft interlocks with the Measures for Cybersecurity Management in the Financial Sector (Draft for Comment) released July 3 by the four State Council financial management departments: the cross-sector text sets the common frame, while this rule supplies the banking-and-insurance implementation layer, with materially tighter operational requirements — reporting clocks, disaster-recovery takeover capability, the 24/7 security operations center, and annual attack-defense exercises among them.