---
title_en: "Measures for the Administration of Data Security in the Energy Industry (Trial)"
title_zh: "能源行业数据安全管理办法（试行）"
hierarchy: "rule"
issuing_body: "National Energy Administration"
adopted_date: 2025-12-08
effective_date: 2026-07-01
status: "effective"
related_laws: ["dsl", "energy-industry-data-classification-grading-guide"]
domains: ["energy-resources", "data-security"]
url: https://datacompliancechina.com/laws/energy-industry-data-security-measures/
summary: "Issued by the National Energy Administration as a departmental normative document (Doc. No. Guo Neng Fa Gui Hua Gui [2025] No. 108) on December 8, 2025, effective July 1, 2026, with a five-year term. These trial measures implement the Data Security Law within the energy sector. They define 'energy industry data' (data collected and generated in energy activities — planning, design, construction, production, storage and transport, consumption, and research) and establish the three-tier classification of general, important, and core data. The measures assign supervisory roles to the National Energy Administration, provincial energy authorities, and central energy enterprises; set out catalog-reporting duties for important and core data; and impose graduated protection requirements keyed to Multi-Level Protection Scheme (MLPS) levels — Level 3 or above for important data, and Level 4 (or CII protection) for core data. They also require annual risk assessments for important-data processors, cross-border security assessment for outbound important data, risk-assessment thresholds for core-data transfers (the 30% annual cumulative volume trigger), and a monitoring, early-warning, and emergency-response regime with a one-working-day reporting deadline for major incidents."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/energy-industry-data-security-measures/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Measures for the Administration of Data Security in the Energy Industry (Trial)", https://datacompliancechina.com/laws/energy-industry-data-security-measures/
**Promulgated by:** National Energy Administration.  
**Document Number:** Guo Neng Fa Gui Hua Gui [2025] No. 108.  
**Date of Issue:** December 8, 2025.  
**Effective Date:** July 1, 2026.  
**Legal Effect Level:** Departmental normative document.

**To all relevant entities:**

In order to implement the Data Security Law of the People's Republic of China and other laws and regulations, our Administration has formulated the *Measures for the Administration of Data Security in the Energy Industry (Trial)*, which are hereby issued and shall take effect on July 1, 2026.

National Energy Administration  
December 8, 2025

---

## Chapter 1 General Provisions

**Article 1.** These Measures are formulated in accordance with the Data Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Energy Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Network Data Security Management Regulations, and other laws and regulations, in order to regulate data processing activities in the energy industry, strengthen data security management, prevent data security risks, promote the development and utilization of data, protect the lawful rights and interests of individuals and organizations, and safeguard national security and development interests.

**Article 2.** These Measures shall apply to the carrying out of data processing activities in the energy industry within the territory of the People's Republic of China and to the security supervision and administration thereof.

Where energy data processors carry out energy industry data processing activities involving State secrets, or matters that constitute State secrets after being aggregated and correlated by them, they shall comply with the provisions of the Law of the People's Republic of China on Guarding State Secrets and other laws and administrative regulations.

**Article 3.** The term "data" as used in these Measures means any record of information in electronic or other form.

The term "energy industry data" as used in these Measures means data collected and generated in the course of carrying out energy activities. Energy activities mainly include energy-related planning, design, construction, production, storage and transport, consumption, scientific research, and the like. Data related to energy activities such as urban gas, heat supply, and filling stations shall comply with the provisions of the relevant competent authorities.

The term "energy data processor" as used in these Measures means all types of entities in the energy industry that carry out energy industry data processing activities. Energy industry data processing activities include the collection, storage, use, processing, transmission, provision, disclosure, deletion, and the like, of energy industry data.

The term "data security" as used in these Measures means ensuring, by taking necessary measures, that energy industry data is in a state of effective protection and lawful utilization, as well as the capability to ensure a continuous state of security.

**Article 4.** Based on the importance, precision, scale, security risk, and the like, of the data, energy industry data is divided into three levels: general, important, and core.

Energy industry important data means energy industry data of a specific field, specific group, specific region, or reaching a certain precision and scale, that, once leaked or tampered with, damaged, or destroyed, may directly endanger national security, economic operation, social stability, public health, and safety. Energy industry data that affects only the organization itself or individual citizens shall generally not be treated as energy industry important data.

Energy industry core data means energy industry important data that has a relatively high coverage of a field, group, or region, or reaches a relatively high precision, relatively large scale, or certain depth, and that, once illegally used or shared, may directly affect political security. It mainly includes: data concerning key fields of national security; data concerning the lifelines of the national economy, important aspects of people's livelihood, and major public interests; and other energy industry data determined through assessment.

Energy industry general data means energy industry data other than energy industry important data and energy industry core data.

**Article 5.** Energy data processors are encouraged to actively carry out innovative applications of energy industry data, and to promote the development and utilization of data while ensuring security and compliance.

## Chapter 2 Basic Responsibilities for Energy Industry Data Security

**Article 6.** Under the overall coordination of the national data security work coordination mechanism, the National Energy Administration shall be responsible for the supervision and administration of energy industry data security; supervise and guide the energy competent authorities of provinces, autonomous regions, municipalities directly under the Central Government, and the Xinjiang Production and Construction Corps (hereinafter referred to as provincial energy competent authorities) in carrying out data security supervision and administration; supervise and guide the energy enterprises administered by the State-owned Assets Supervision and Administration Commission of the State Council (hereinafter referred to as central energy enterprises) and the nationwide energy industry associations guided and supervised by the National Energy Administration in performing the responsibilities and obligations of energy data processors in accordance with laws and regulations; organize the formulation and release of standards and norms for the classification and grading of energy industry data; review and determine the catalog of energy industry important data; put forward recommendations on the catalog of core data to the relevant authorities and implement dynamic management thereof; and strengthen the building of monitoring, early-warning, and emergency-response capabilities for energy industry data security.

**Article 7.** Provincial energy competent authorities shall be responsible for the supervision and administration of energy industry data processing activities and security protection in their respective regions; supervise and guide energy data processors in their regions (including subsidiaries and controlled enterprises at all levels of central energy enterprises in the region) in performing the responsibilities and obligations of energy data processors in accordance with laws and regulations; in accordance with the standards and norms for the classification and grading of energy industry data, compile and submit, with annual updates, the catalog of energy industry important data for their regions; and carry out energy industry data security monitoring and early warning, information reporting, formulation of emergency plans, emergency response, and other work in their regions.

**Article 8.** Energy data processors shall perform their data security protection responsibilities and obligations in accordance with laws and regulations. Processors of energy industry important data and energy industry core data shall bear principal responsibility for their own data security; they shall designate a data security officer and a management body. The legal representative or principal person-in-charge of the entity is the primary person responsible for data security, and the leader in charge of data security is the directly responsible person. Central energy enterprises shall be responsible for the supervision and administration of the data processing activities and security protection of their subsidiaries and controlled enterprises at all levels.

**Article 9.** Energy data processors shall, in accordance with the standards and norms for the classification and grading of energy industry data, identify and compile their entity's catalog of energy industry important data, and submit the catalog of important data as required by the provincial energy competent authority of the place where the data carrier is located. The catalogs of energy industry important data compiled by subsidiaries and controlled enterprises at all levels of central energy enterprises shall be submitted separately as required by the provincial energy competent authority of the place where the data carrier is located and by the headquarters of the central energy enterprise.

The content submitted in the catalog of important data shall include, but not be limited to, data field information such as the category, level, scale, precision, source, carrier, scope of application, external sharing, cross-border transmission, security status, and responsible entity of the data, but shall not include the data content itself.

**Article 10.** Provincial energy competent authorities and central energy enterprises shall be respectively responsible for compiling and reviewing the catalog of energy industry important data of their regions and their enterprises, and submitting it to the National Energy Administration. For data confirmed through procedures as energy industry important data or energy industry core data, the provincial energy competent authorities and central energy enterprises shall promptly inform the energy data processors.

**Article 11.** Where, since the last submission of the catalog of important data, a material change occurs in the level, responsible-entity situation, data processing situation, or data security situation of energy industry important data or core data, the energy data processor shall, within three months, re-submit the catalog of important data through the prescribed procedure.

## Chapter 3 Energy Industry Data Protection Requirements

**Article 12.** When carrying out data processing activities, energy data processors shall establish and improve data security management systems, and clarify the management requirements for each stage of the data lifecycle; and shall regularly organize education and training on energy industry data security knowledge and skills. Processors of energy industry important data and energy industry core data shall establish a data security work system, strengthen personnel and funding support, and cooperate with the relevant authorities in carrying out supervision and inspection.

**Article 13.** Where energy industry data processing activities are carried out using the Internet or other information networks, the requirements of systems such as cybersecurity multi-level protection, critical information infrastructure security protection, cryptographic protection, and secrecy protection shall be implemented.

Information networks that store and process energy industry important data shall implement Level 3 or above cybersecurity multi-level protection requirements.

For information networks that store and process energy industry core data, where critical information infrastructure is involved, the critical information infrastructure security protection requirements shall be implemented on the basis of the cybersecurity multi-level protection scheme; where critical information infrastructure is not involved, Level 4 cybersecurity multi-level protection requirements shall be implemented.

Where laws, regulations, and relevant State provisions require the use of commercial cryptography for protection, the relevant provisions on commercial cryptography protection shall also be complied with.

**Article 14.** Processors of energy industry important data shall, on their own or by entrusting a third-party assessment institution with risk-assessment capabilities, carry out a risk assessment of their data processing activities at least once a year, promptly rectify risk problems, and submit risk assessment reports as required by the provincial energy competent authority. Provincial energy competent authorities and central energy enterprises shall submit the data security risk assessment status of their regions and their enterprises to the National Energy Administration on an annual basis.

The risk assessment report shall accurately and clearly describe the main content of the assessment activities, specifically including, but not limited to, the basic information of the data processor, the basic situation of the assessment team, the situation of the data processing activities carried out and the evaluation of their compliance, the types and quantities of energy industry important data processed, the data security risks faced and the response measures, the conclusions of the risk assessment, and rectification recommendations, and other elements.

**Article 15.** Energy industry data security risk assessment shall focus on assessing the following content:

(I) the basic situation of the identification and determination of energy industry important data and core data, the security state in which they are located, and risk analysis;

(II) whether the data processing activities are lawful, legitimate, and necessary;

(III) the situation regarding the data security officer, management body, position staffing, and performance of responsibilities;

(IV) the establishment and implementation of the whole-process data security management system and safeguard mechanism;

(V) the management, education, and training of personnel involved in data processing activities;

(VI) the implementation of the national data classification and grading protection system, and the implementation of protection requirements for energy industry important data and core data;

(VII) the building and application of data security technical protection capabilities;

(VIII) data security cases and incidents that have occurred and their handling, as well as the implementation of data security risk monitoring and early-warning work;

(IX) where data provision, transfer, entrusted processing, or joint processing is involved, the security safeguard capabilities, responsibility and obligation constraints, and performance of the data recipient;

(X) other relevant matters involving data security.

**Article 16.** Processors of energy industry important data shall, at the stages of collection, storage, use, processing, transmission, provision, disclosure, deletion, and the like, of important data, comprehensively apply technical means such as encryption, authentication, certification, de-identification, verification, and auditing to carry out security protection.

**Article 17.** Processors of energy industry important data shall, in accordance with business needs and the principle of least authorization, set data processing permissions based on position responsibilities, control the scope of access to important data, and promptly adjust permissions when personnel changes occur.

**Article 18.** Processors of energy industry important data shall strengthen security management and control over data sharing and invocation, take technical measures to regularly monitor data sharing and invocation, and deploy security protection measures such as risk isolation, authentication and authorization, and threat alerts.

**Article 19.** Where the processing of energy industry important data is entrusted to another party or is jointly carried out with another party, the entrusting party shall inform the entrusted party of the data level in advance, and data security responsibility shall not change as a result of the entrustment. The entrusting party shall strictly examine and approve and clarify the data processing permissions and protection responsibilities of the entrusted party, and supervise the entrusted party in performing its data security protection obligations. The entrusted party shall perform its data security protection obligations in accordance with the provisions of laws and regulations and the contractual stipulations, and shall not, without authorization, retain, use, leak, or provide energy industry important data to others.

Where the processing of energy industry important data involves the use of cloud computing services, cloud computing services that have passed the cloud computing service security assessment may be selected, and the relevant requirements of these Measures shall be complied with.

**Article 20.** Without the approval of the entrusting party, information system construction and operation-and-maintenance projects involving energy industry important data shall not be subcontracted or sub-subcontracted.

Without the express authorization of the entrusting party, personnel engaged in the construction and operation and maintenance of information systems involving energy industry important data shall not process the important data of the entrusting party.

Data collected or generated during the construction and operation and maintenance of information systems involving energy industry important data shall not be used for other purposes, and shall, after the service is completed, be handled as agreed with the entrusting party or promptly deleted.

**Article 21.** Energy industry important data processing activities shall record and maintain the logs necessary for safeguarding data security. Where security incident handling or traceability is involved, the relevant logs shall be retained for not less than one year. Where the provision to others, entrusted processing, or joint processing of energy industry important data is involved, the relevant logs shall be retained for not less than three years.

When processors of energy industry important data organize a data security risk assessment, they shall carry out audit analysis of the logs of key operations such as data query, download, modification, and deletion, and shall take corresponding handling measures upon discovering violations or abnormal behavior.

**Article 22.** Where a processor of energy industry important data needs to transfer or destroy energy industry important data due to merger, division, dissolution, declaration of bankruptcy, or the like, it shall take necessary security protection measures and report the data handling plan in advance to the provincial energy competent authority. Where a change in the catalog of important data is thereby caused, it shall promptly file a report with the provincial energy competent authority of the place where the data carrier is located.

**Article 23.** Where energy industry important data collected and generated within the territory of China truly needs to be provided overseas, the energy data processor shall, in accordance with laws and regulations, apply for a data export security assessment.

**Article 24.** Where a processor of energy industry core data provides, transfers, or shares core data across different legal-person entities, it shall take necessary security protection measures and inform the data recipient to carry out classification and grading protection according to the corresponding level. Where the cumulative amount from January 1 of the current year may reach 30% or more of the total static volume of such core data as of the end of the previous year, a risk assessment shall be organized by the relevant authorities upon submission by the National Energy Administration; where it does not reach 30%, the provincial energy competent authority shall put forward a preliminary assessment opinion and submit it to the National Energy Administration to carry out the assessment. Energy industry core data involved in the lawful performance of duties by State organs, or in the internal flow within a State organ or an enterprise or public institution, shall be excepted.

**Article 25.** On the basis of implementing the above protection requirements for energy industry important data, processors of energy industry core data may take the following measures to strengthen the protection of energy industry core data:

(I) give priority to using commercial cryptography for protection;

(II) give priority to using secure and trustworthy products and services;

(III) give priority to using third-party assessment institutions to carry out risk assessments;

(IV) for logs involving the handling and traceability of core data security incidents, retain them for not less than three years;

(V) for relevant personnel in key positions, and entities engaged in the construction and operation and maintenance of information systems involving core data, submit them to the public security authorities and national security authorities for national security background review in accordance with laws and regulations.

**Article 26.** Where data of different categories and levels is processed simultaneously and it is difficult to take protective measures separately, protection shall be implemented in accordance with the requirements for the highest level among them, so as to ensure that the data set as a whole is continuously in a state of effective protection and lawful utilization.

## Chapter 4 Energy Industry Data Security Monitoring, Early Warning, and Emergency Response

**Article 27.** Provincial energy competent authorities and central energy enterprises shall respectively strengthen the building of energy industry data security monitoring, early-warning, and emergency-response capabilities in their regions and their enterprises; guide data processors in their regions and the subsidiaries and controlled enterprises at all levels of central energy enterprises in carrying out risk monitoring, incident handling, and reporting; strengthen research and assessment of energy industry data security risks arising from new technologies and new applications; and strengthen the capability to monitor energy industry data security risks that may be triggered by the aggregation and correlation of data from public channels.

**Article 28.** Where an energy data processor discovers risks such as data security defects or vulnerabilities, it shall immediately take remedial measures; where a data security incident occurs, it shall immediately take handling measures, promptly inform the relevant users in accordance with provisions, and report to the provincial energy competent authority. Among them, the subsidiaries and controlled enterprises at all levels of central energy enterprises shall simultaneously report to the headquarters of the central energy enterprise.

The content of risk monitoring and early warning shall include: the basic situation of the risk, the harm and degree that may be caused, the evolution and development trend of the risk, the scope that may be affected, countermeasure recommendations for handling the risk, and other matters that should be reported.

The content of the incident situation report shall include: the time of occurrence of the incident, a brief account of the incident, the harm and impact caused, the measures already taken, recommendations for the next-step countermeasures, and other matters that should be reported.

**Article 29.** When an energy industry data security incident occurs in a region or an enterprise, the provincial energy competent authority or the central energy enterprise shall, in accordance with the level of the incident, activate the emergency plan in accordance with the law, take corresponding emergency response measures to prevent the harm from expanding and eliminate security hazards, and promptly release warning information relevant to the public to society.

**Article 30.** Where a provincial energy competent authority or a central energy enterprise discovers a major or particularly major energy industry data security risk or incident that may directly endanger national security, economic operation, social stability, public health, and safety, or that directly affects political security, it shall, within one working day after discovering or learning of it, report the relevant situation to the National Energy Administration, and submit follow-up reports as required. In urgent circumstances, it may report promptly by telephone, and subsequently submit a supplementary written report. The National Energy Administration shall be responsible for reporting the relevant situation to the relevant authorities as prescribed.

**Article 31.** After completing the emergency-response work for a major or particularly major energy industry data security incident, the provincial energy competent authority or the central energy enterprise shall promptly summarize and distill its experience, form a handling-situation report within 3 working days and a summary report within 10 working days, and submit them respectively to the National Energy Administration. The National Energy Administration shall be responsible for submitting the summary report to the relevant authorities as prescribed.

## Chapter 5 Supervision and Inspection and Legal Liability

**Article 32.** The National Energy Administration and provincial energy competent authorities shall, in accordance with the relevant provisions of the Network Data Security Management Regulations, carry out supervision and inspection of energy industry data security work.

**Article 33.** Where, in performing their data security supervision and administration duties, the National Energy Administration or a provincial energy competent authority discovers that a data processing activity poses a relatively large security risk, it may, in accordance with the prescribed authority and procedures, conduct interviews with the relevant energy data processor, require it to take rectification measures to eliminate hidden dangers, and promptly transfer problem leads to the relevant competent authorities.

**Article 34.** For conduct in violation of the provisions of these Measures, the relevant competent authorities shall handle and punish it in accordance with the provisions of the Data Security Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the Network Data Security Management Regulations, and other laws and regulations; where a crime is constituted, the matter shall be transferred to the judicial authorities for pursuit of criminal liability in accordance with the law.

## Chapter 6 Supplementary Provisions

**Article 35.** Where data processing activities involving personal information are carried out, the provisions of the relevant laws and regulations shall also be complied with.

**Article 36.** These Measures shall be interpreted by the National Energy Administration.

**Article 37.** These Measures shall take effect on July 1, 2026, with a term of validity of 5 years.
