---
title_en: "Measures for Cybersecurity Management in the Financial Sector (Draft for Comment)"
title_zh: "金融业网络安全管理办法（征求意见稿）"
abbreviation: "Financial Sector Cybersecurity Measures (Draft)"
hierarchy: "draft"
issuing_body: "People's Bank of China; National Financial Regulatory Administration; China Securities Regulatory Commission; State Administration of Foreign Exchange"
status: "draft"
source_url: "https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1263328&itemId=951"
related_laws: ["csl", "dsl", "pipl", "cii-protection-regulations", "cybersecurity-review-measures", "network-data-security-regulations", "cybersecurity-incident-reporting-measures", "pboc-data-security-measures", "nfra-banking-insurance-data-security-measures"]
domains: ["finance", "data-security", "critical-information-infrastructure", "cybersecurity-review"]
url: https://datacompliancechina.com/laws/financial-sector-cybersecurity-management-measures-draft/
summary: "A July 3, 2026 public-consultation draft that would create a cross-financial-sector cybersecurity rulebook for financial institutions and other entities approved or recognized by China's State Council financial management departments. The draft sits on top of the Cybersecurity Law, Data Security Law, PIPL, the CII Regulations and the Network Data Security Regulation, and translates them into a financial-sector baseline: cybersecurity responsibility systems, governance structures, network operation security, MLPS, commercial cryptography, network-data and personal-information protection, emerging-technology risk management, illegal-information response, app-download security duties, and a dedicated CII layer for financial critical information infrastructure. For financial CIIOs, the draft adds identification by the State Council financial management departments, a chief cybersecurity officer, a dedicated security body and background checks, cybersecurity-review pre-judgment for network-product and service procurement, annual reporting of network products, services and cloud procurement, annual testing and risk assessment, and sector-specific incident plans and drills. It also creates a coordination frame among the PBOC, NFRA, CSRC, SAFE and the CAC/public security/cryptography authorities, with legal liability routed through the existing financial, cybersecurity, data, personal-information, CII and cryptography statutes. Public comments are due August 3, 2026."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/financial-sector-cybersecurity-management-measures-draft/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Measures for Cybersecurity Management in the Financial Sector (Draft for Comment)", https://datacompliancechina.com/laws/financial-sector-cybersecurity-management-measures-draft/
**Released for public comment:** July 3, 2026.  
**Public-comment deadline:** August 3, 2026.

> *DCC translation. No official English translation exists. The original Chinese
> PDF released through the National Financial Regulatory Administration controls.
> This is a translation of the draft text only; the separate drafting explanation
> is linked below but not translated on this page.*

## Source documents

- **Official consultation page:** [NFRA](https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1263328&itemId=951)
- **Draft text (Chinese PDF):** [金融业网络安全管理办法（征求意见稿）](https://www.nfra.gov.cn/chinese/docfile/2026/9074df3eceb04d27bbd38e25169b72cc.pdf)
- **Drafting explanation (Chinese PDF):** [《金融业网络安全管理办法（征求意见稿）》起草说明](https://www.nfra.gov.cn/chinese/docfile/2026/b3bdb763e6804029a8a49c1d9dac2338.pdf)

## Measures for Cybersecurity Management in the Financial Sector

(Draft for Comment)

## Chapter I General Provisions

**Article 1 (Purpose and basis).** These Measures are formulated in accordance
with the *Cybersecurity Law of the People's Republic of China*, the *Data
Security Law of the People's Republic of China*, the *Personal Information
Protection Law of the People's Republic of China*, the *Regulations on the
Security Protection of Critical Information Infrastructure*, the *Regulation on
Network Data Security Management*, and other laws and administrative
regulations, in order to comprehensively regulate cybersecurity management in
the financial sector, safeguard financial services, and maintain financial
security.

**Article 2 (Scope of application).** These Measures apply to financial-sector
entities that build, operate, maintain and use networks within the territory of
the People's Republic of China, and to the supervision and administration of
cybersecurity in the financial sector. Where other relevant competent
departments have provisions, those provisions shall also be complied with in
accordance with the law. Where the State has provisions on cybersecurity
management for networks that store or process information involving state
secrets, those provisions shall prevail.

**Article 3 (General requirements for cybersecurity protection).**
Financial-sector entities shall, in accordance with laws, administrative
regulations, and relevant provisions of the State and the State Council
financial management departments, perform cybersecurity-protection obligations
and bear primary responsibility for their own cybersecurity. Financial-sector
entities shall give equal weight to cybersecurity and informatization
development, provide necessary resources for cybersecurity work, establish and
improve a cybersecurity assurance system suited to the entity, improve
cybersecurity-protection capabilities, effectively control cybersecurity risks,
and prevent cyber-related unlawful and criminal activities.

Financial-sector entities shall actively provide technical support and
assistance to public security organs and state security organs in their lawful
activities to safeguard national security and investigate crimes.

**Article 4 (Industry self-regulation).** Industry associations in the financial
sector shall strengthen self-regulation, formulate cybersecurity codes of
conduct and association standards in accordance with the law, and guide members
in strengthening cybersecurity protection.

## Chapter II Cybersecurity-Protection Obligations

**Article 5 (Cybersecurity work responsibility system).** Financial-sector
entities shall establish and implement a cybersecurity responsibility system in
accordance with relevant State provisions, and determine the person responsible
for cybersecurity.

**Article 6 (Cybersecurity governance).** Financial-sector entities shall
establish a cybersecurity-management organizational structure and deliberation
and decision-making mechanism, designate a lead cybersecurity management
department, ensure funding and staffing for the entity's cybersecurity, develop
internal cybersecurity management systems and operating procedures, clarify the
cybersecurity-protection duties of the entity, its branches, its subordinate
legal-person entities and others, and urge implementation of
cybersecurity-protection responsibilities.

**Article 7 (Network operation security).** Financial-sector entities shall, in
accordance with laws, administrative regulations, and relevant provisions of the
State and the State Council financial management departments, carry out network
operation monitoring, cybersecurity risk and incident handling and reporting,
and other work; establish and improve cybersecurity incident emergency plans;
and adopt corresponding technical and management measures to safeguard network
operation security.

**Article 8 (Multi-Level Protection Scheme).** Financial-sector entities shall,
in accordance with the requirements of the State's Multi-Level Protection Scheme
for cybersecurity, reasonably determine the security-protection level of their
networks, perform classification and filing obligations, carry out cybersecurity
MLPS assessments on schedule, and promptly rectify risks discovered in such
assessments.

**Article 9 (Use of commercial cryptography).** Financial-sector entities shall
use commercial cryptography to protect cybersecurity in accordance with the
requirements of the State's Multi-Level Protection Scheme for cybersecurity.
Where the State Council financial management departments have further
provisions on the use of commercial cryptography, financial-sector entities
shall comply with those provisions.

**Article 10 (Network data protection).** Financial-sector entities shall, in
accordance with laws, administrative regulations, and relevant provisions of the
State and the State Council financial management departments, strengthen the
classification and grading management of network data, and adopt corresponding
technical and management measures to prevent network data from being tampered
with, destroyed, leaked, or unlawfully obtained or unlawfully used.

**Article 11 (Protection of personal information on networks).**
Financial-sector entities shall, in accordance with laws, administrative
regulations, and relevant provisions of the State and the State Council
financial management departments, regulate personal information processing
activities and safeguard personal information security.

Financial-sector entities are encouraged to use the national network identity
authentication public service to carry out user identity verification.

**Article 12 (Application of technological innovation).** Financial-sector
entities shall, in accordance with laws, administrative regulations, and relevant
provisions of the State and the State Council financial management departments,
properly conduct risk management for innovative applications of information
technology.

**Article 13 (Prevention of unlawful and non-compliant information).**
Financial-sector entities shall take measures and, in accordance with laws,
administrative regulations, and relevant provisions of the State and the State
Council financial management departments, strengthen management of information
published on networks. Where they discover information whose publication or
transmission is prohibited by laws or administrative regulations, they shall
immediately stop transmitting the information, take disposal measures such as
elimination, prevent the information from spreading, preserve relevant records,
and report to the relevant competent department.

**Article 14 (Security management of information services).** Financial-sector
entities that provide application software download services to the public shall
take measures and, in accordance with laws, administrative regulations and
relevant State provisions, perform security-management obligations such as
detecting malicious programs and unlawful or non-compliant information. Where an
application software is found to contain a malicious program, or to contain
information whose publication or transmission is prohibited by laws or
administrative regulations, the financial-sector entity shall immediately cease
providing download services, preserve relevant records, and report to the
relevant competent department.

**Article 15 (Identification of financial-sector critical information
infrastructure).** The State Council financial management departments shall
organize identification of financial-sector critical information infrastructure
in accordance with the rules for identifying critical information infrastructure
in the financial sector, determine the identification results, promptly notify
the operators of financial-sector critical information infrastructure
(hereinafter, "operators"), notify the public security department under the
State Council, and copy the national cyberspace administration.

Where an operator undergoes merger, division, dissolution or other such
circumstances, or where a relatively major change occurs to critical information
infrastructure that may affect the identification result, the operator shall
promptly report the relevant circumstances in accordance with relevant
provisions of the State Council financial management departments.

**Article 16 (Operator organizational structure and support for duty
performance).** The principal person in charge of an operator shall bear overall
responsibility for the security protection of financial-sector critical
information infrastructure. The operator shall designate a member of its
leadership team in charge of cybersecurity to serve as chief cybersecurity
officer, in charge of security-protection work for critical information
infrastructure, and shall designate, for each item of critical information
infrastructure, one security-management responsible person to organize
implementation of security-protection work for that critical information
infrastructure.

An operator shall establish a dedicated security-management body and conduct
security background checks on the head of the dedicated security-management body
and on personnel in key positions.

The dedicated security-management body shall, in accordance with relevant
provisions of the State Council financial management departments, submit plans
for the security protection of critical information infrastructure and summaries
of cybersecurity work.

**Article 17 (Supply-chain security).** Operators shall declare cybersecurity
review in accordance with the State cybersecurity review provisions and the
financial-industry pre-judgment guide, and shall submit annual lists of network
products and services and cloud computing services procured in accordance with
relevant provisions of the State Council financial management departments.

Operators shall regulate the use of commercial cryptography in accordance with
the relevant management provisions on the use of commercial cryptography for
critical information infrastructure.

**Article 18 (Risk assessment).** Operators shall, by themselves or by
entrusting cybersecurity service institutions, conduct cybersecurity testing and
risk assessment of critical information infrastructure at least once each year.
The content shall include at least cybersecurity MLPS assessment, commercial
cryptography application security assessment, implementation of systems and
national standards related to the security protection of critical information
infrastructure, protection of data and personal information processed by the
critical information infrastructure, monitoring and handling of cybersecurity
risks related to the critical information infrastructure, and implementation of
improvements after emergency handling of cybersecurity incidents. Operators
shall promptly rectify security problems discovered through testing and
assessment, and shall annually submit testing, assessment and rectification
information in accordance with relevant provisions of the State Council
financial management departments.

**Article 19 (Cybersecurity incident emergency plans).** Operators shall, in
accordance with the national cybersecurity incident emergency plan and the
financial-sector critical information infrastructure cybersecurity incident
emergency plan, formulate their own emergency plans for critical information
infrastructure, conduct regular drills, and regulate the reporting and handling
procedures for cybersecurity incidents and major cybersecurity threats related
to critical information infrastructure.

## Chapter III Coordination in Supervision and Administration

**Article 20 (Principles for coordination in supervision and administration).**
The State Council financial management departments shall, in accordance with
laws, administrative regulations, and the decisions and arrangements of the CPC
Central Committee and the State Council, and in accordance with the division of
regulatory duties, be responsible within the scope of their duties for work
related to cybersecurity management of financial-sector entities.

The State Council financial management departments shall support and cooperate
with the national cyberspace administration, the public security department
under the State Council, the national cryptography administration, and other
relevant competent departments in carrying out cybersecurity protection and
supervision and administration work involving the financial sector in accordance
with their duties.

Branches and dispatched offices of the State Council financial management
departments shall carry out cybersecurity supervision and administration within
their jurisdictions in accordance with the division of duties of the State
Council financial management departments.

**Article 21 (Coordinated implementation of special cybersecurity tasks).**
Where the CPC Central Committee, the State Council, or a relevant
decision-making, deliberation and coordination body has already specified the
division of work, the State Council financial management departments shall be
responsible in accordance with that division. For matters where a particular
State Council financial management department has been specified as the lead
responsible department, the lead responsible department shall, on the basis of
authorization and provisions in laws and regulations, further refine the
division of duties among the relevant State Council financial management
departments within the established framework of duties. Where neither of the
foregoing circumstances applies, the State Council financial management
departments shall communicate and consult, and then clarify their respective
division of duties.

**Article 22 (Information sharing).** The State Council financial management
departments and their same-level branches and dispatched offices shall
strengthen sharing of information on cybersecurity incidents, risks, situations,
intelligence and the like, and, as circumstances require, consult and judge the
overall risk situation involving the financial sector.

**Article 23 (Cooperation with supervision and administration).**
Financial-sector entities shall conscientiously accept and cooperate with all
cybersecurity supervision and administration work carried out by relevant
competent departments and by the State Council financial management departments
and their branches and dispatched offices; provide true and complete information
and materials on time; and shall not refuse or obstruct supervision and
inspection lawfully implemented by relevant competent departments and by the
State Council financial management departments and their branches and dispatched
offices.

## Chapter IV Legal Liability

**Article 24 (Handling of transmission of unlawful or non-compliant
information).** Where a financial-sector entity fails, with respect to malicious
programs and information whose publication or transmission is prohibited by laws
or administrative regulations, to promptly stop transmission, take disposal
measures such as elimination, or preserve relevant records, the State Council
financial management departments and their branches and dispatched offices shall
transfer the relevant case information to the relevant competent department at
the same level, and cooperate with that department in handling the matter in
accordance with laws and regulations.

**Article 25 (Handling of failure to use commercial cryptography as required).**
Where a financial-sector entity fails to use commercial cryptography to protect
cybersecurity as required by the State's Multi-Level Protection Scheme for
cybersecurity, or where an operator violates management provisions on the use of
commercial cryptography for critical information infrastructure, the State
Council financial management departments and their branches and dispatched
offices shall transfer the relevant case information to the cryptography
administration at the same level, and cooperate with that department in handling
the matter in accordance with laws and regulations.

**Article 26 (Penalties for non-cooperation with supervision and inspection).**
Where a financial-sector entity refuses or obstructs cybersecurity supervision
and inspection carried out by the State Council financial management departments
and their branches and dispatched offices, the State Council financial
management departments and their branches and dispatched offices shall impose
penalties in accordance with relevant provisions of the *Law of the People's
Republic of China on the People's Bank of China*, the *Commercial Bank Law of
the People's Republic of China*, the *Banking Supervision Law of the People's
Republic of China*, the *Insurance Law of the People's Republic of China*, the
*Securities Law of the People's Republic of China*, the *Securities Investment
Fund Law of the People's Republic of China*, the *Futures and Derivatives Law of
the People's Republic of China*, the *Cybersecurity Law of the People's
Republic of China*, the *Regulation on the Supervision and Administration of
Private Investment Funds*, the *Regulations of the People's Republic of China
on Foreign Exchange Administration*, and other relevant provisions.

**Article 27 (Penalties for violation of other cybersecurity-protection
obligations).** Where a financial-sector entity fails to perform the
cybersecurity-protection obligations provided in these Measures, and the
*Cybersecurity Law of the People's Republic of China*, the *Data Security Law of
the People's Republic of China*, the *Personal Information Protection Law of the
People's Republic of China*, the *Regulations on the Security Protection of
Critical Information Infrastructure*, or the *Regulation on Network Data
Security Management* already provide penalties, the State Council financial
management departments and their branches and dispatched offices shall impose
penalties in accordance with the provisions of those laws and administrative
regulations and according to the division of regulatory duties. Where those laws
and administrative regulations do not provide penalties, but other laws or
administrative regulations provide penalties, penalties shall be imposed in
accordance with those provisions.

**Article 28 (Other legal liability).** Where a financial-sector entity fails
to perform the cybersecurity-protection obligations provided in these Measures
and is suspected of constituting an act violating public security
administration, the matter shall be transferred to the public security organ for
handling. Where a crime is constituted, the matter shall be transferred to a
judicial organ for criminal liability to be pursued in accordance with the law.

**Article 29 (Handling of violations by management personnel).** Where staff of
the State Council financial management departments and their branches and
dispatched offices neglect duties, abuse powers, or engage in favoritism or
malpractice, sanctions shall be imposed in accordance with laws and regulations.
Where a crime is constituted, the matter shall be transferred to a judicial
organ for criminal liability to be pursued in accordance with the law.

## Chapter V Supplementary Provisions

**Article 30 (Definitions).** The following terms used in these Measures have
the following meanings:

(1) "Financial-sector entities" refers to financial institutions and other
institutions approved for establishment or recognized by the State Council
financial management departments.

(2) "State Council financial management departments" refers to the People's Bank
of China, the National Financial Regulatory Administration, the China Securities
Regulatory Commission, and the State Administration of Foreign Exchange.

(3) "Key positions" refers to planning and construction, development and
testing, security operation, and daily operation and maintenance positions that
are directly related to the security protection of critical information
infrastructure and that possess relatively comprehensive information.

**Article 31 (Cybersecurity management of local financial organizations).**
Local financial management institutions shall take the lead in supervising and
administering the performance of cybersecurity-protection obligations by local
financial organizations, and may formulate corresponding management systems
with reference to these Measures and to the cybersecurity-related provisions of
the State Council financial management departments.

**Article 32 (Authority to interpret).** These Measures shall be interpreted by
the State Council financial management departments.

**Article 33 (Effective date).** These Measures shall come into force on
[month] [day], 2026.
