Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · GB/T 45577

Data Security Technology — Data Security Risk Assessment Method (GB/T 45577-2025).

数据安全技术 数据安全风险评估方法 (GB/T 45577-2025)

FILED UNDER · Data Security

DCC summary, not a translation. GB/T 45577-2025 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase grounded in the standard’s title and number; specific clauses should be checked against the published text.

Scope

GB/T 45577-2025 specifies a method for data security risk assessment — the principles, framework, process and content for identifying, analyzing and evaluating risks to data security across the data lifecycle. It applies to organizations assessing the data-security risk of their own data and processing activities, and is a reference for regulators and third-party assessors.

It is a recommended standard in the “Data Security Technology” (数据安全技术) series.

Key contents

At a structural level the standard is expected to cover:

  • Assessment principles and framework — an objective, lifecycle-oriented model relating data assets, threats, vulnerabilities, existing security measures, and potential impact.
  • Assessment process — preparation and scoping; identification of data assets (informed by data classification and grading); identification of threats and vulnerabilities; analysis of existing safeguards; analysis of likelihood and impact; and overall risk determination.
  • Assessment content — the dimensions to evaluate across the lifecycle (collection, storage, transmission, use, provision, disclosure, deletion), including management and technical safeguards.
  • Risk rating and treatment — combining likelihood and impact into a risk level and informing risk-treatment recommendations.
  • Reporting — documentation of the assessment, findings and conclusions.

Editor: verify specific clauses against the published standard.

How it fits the regime

GB/T 45577 is the data-security analogue of the personal-information impact-assessment standard. The Data Security Law (DSL) establishes the data-security management system, the classification-and-grading regime, and risk-monitoring and assessment duties (including, for important data, periodic risk assessments and reporting). This standard supplies a consistent method for performing such assessments.

It works alongside GB/T 43697 (classification and grading — which identifies which data is important or core) and the Network Data Security Management Regulations (which require risk assessments for important-data processing and other activities). The companion TC260 Network Data Security Risk Assessment Implementation Guide gives a practice-oriented, step-by-step procedure that aligns with this method. For overseas compliance teams, GB/T 45577 is the reference method for conducting and documenting a defensible data-security risk assessment in China.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

2 briefs reference this law.

  • § 01 · IMPORTANT-DATA

    Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'

    With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now.

    important-data · risk-assessment · network-data
  • § 02 · RISK-ASSESSMENT

    From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law

    On June 18, 2026 the CAC, MIIT and the Ministry of Public Security jointly issued the Measures for Network Data Security Risk Assessment as Order No. 24, effective August 20, 2026. The 25-article rule adds no new substantive duty; it turns the Data Security Law's open-ended 'conduct risk assessment' obligation into an executable, verifiable, trigger-able governance system. DCC reads it as a three-tier standing model plus an event-driven escalation layer: important-data handlers must assess every year (general-data handlers are encouraged to every three), retain the report for three years and submit it within 20 working days; sectoral competent authorities run annual inspection plans filed by end-January; the national cyberspace administration consolidates and cross-shares reports with telecom, public-security and state-security departments; and where a high-risk finding or a breach of important data or large-scale personal information appears, regulators can compel assessment by a certified institution and order the operator to cease processing important data. The four institutional increments over the DSL: an annual mandatory action, networked multi-department supervision, a three-track assessment structure, and dynamic event-triggered oversight.

    risk-assessment · network-data · data-security
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.