---
title_en: "Information Security Technology — Security Requirements for Network Data Processing (GB/T 41479-2022)"
title_zh: "信息安全技术 网络数据处理安全要求 (GB/T 41479-2022)"
abbreviation: "GB/T 41479"
hierarchy: "standard"
issuing_body: "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)"
effective_date: 2022-11-01
status: "effective"
related_laws: ["dsl", "network-data-security-regulations"]
domains: ["data-security"]
url: https://datacompliancechina.com/laws/gbt-41479-network-data-processing-security/
summary: "GB/T 41479-2022 is the recommended national standard specifying security requirements for the processing of network data — data collected, stored, transmitted, used, provided, disclosed and deleted through networks. It sets lifecycle security requirements for network data processing activities by network operators, organized by processing stage, and serves as a baseline reference for implementing the data-security duties of the Cybersecurity Law and Data Security Law. It applies across general network operations and informs the Network Data Security Management Regulations."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/gbt-41479-network-data-processing-security/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Information Security Technology — Security Requirements for Network Data Processing (GB/T 41479-2022)", https://datacompliancechina.com/laws/gbt-41479-network-data-processing-security/
> *DCC summary, not a translation.* GB/T 41479-2022 is a copyrighted national standard. The structured summary below is DCC's own paraphrase of the standard's structure, for overseas compliance teams.

## Scope

GB/T 41479-2022 specifies **security requirements for network data processing activities** — the collection, storage, transmission, use, provision, public disclosure and deletion of data carried out through networks. It applies to network operators conducting such activities, and is a reference for regulators and assessors supervising network-data security.

It is a **recommended** standard that provides a baseline of good practice for the network-data-security duties imposed by the **Cybersecurity Law (CSL)** and the **Data Security Law (DSL)**.

## Key contents

The standard organizes its requirements around the **network-data processing lifecycle**, with general requirements layered on top.

**General security requirements.** Cross-cutting expectations — data-security management responsibilities, classification-and-grading-aware handling, security of the processing environment and systems, access control, logging and audit, and personnel and supply-chain security.

**Lifecycle-stage requirements.** Security requirements stage by stage:

- **Collection** — lawful and minimal collection, source verification, and protection of data in transit at the point of collection.
- **Storage** — protections appropriate to data classification, including access control, encryption where warranted, backup/recovery, and retention discipline.
- **Transmission** — confidentiality and integrity protection for data in transit, including encryption and integrity verification.
- **Use / processing** — controls over internal use, display and aggregation; protections during development, testing and analytics.
- **Provision / sharing** — security due diligence and controls when providing data to third parties or entrusting processing.
- **Public disclosure** — controls and review before any public release of data.
- **Deletion / destruction** — secure deletion and destruction at end of lifecycle, including handling on cessation of service.

**Special-category handling.** Requirements that reflect the heightened treatment of important data and personal information, cross-referencing the personal-information and classification-and-grading standards rather than restating them.

The annexes provide reference material supporting the lifecycle requirements.

## How it fits the regime

GB/T 41479 is one of the baseline technical standards underpinning China's **network-data-security** layer. The **CSL** imposes general network-operation security duties and the **DSL** establishes the data-security and classification-grading framework; this standard translates those duties into concrete, lifecycle-organized requirements for the network data that operators handle day to day.

It sits directly upstream of the **Network Data Security Management Regulations** (effective 1 January 2025), which give the network-data-security regime its binding administrative force — covering general processors, important-data processors, large platforms and cross-border transfers. Where those Regulations state obligations, GB/T 41479 (alongside the classification-grading rules and risk-assessment standards) supplies the implementation detail. For overseas compliance teams, it is a reference for designing data-security controls across the processing lifecycle in a way Chinese regulators will recognize as conformant.
