Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · IMPLEMENTING GUIDELINES FOR THE PROTECTION OF CUSTOMER DATA SECURITY IN INTERNET DATA CENTERS

Implementing Guidelines for the Protection of Customer Data Security in Internet Data Centers.

互联网数据中心客户数据安全保护实施指引

Promulgated by: General Office of the Ministry of Industry and Information Technology.
Document No.: MIIT General Office Cyber Security [2025] No. 5.
Issued and effective January 13, 2025.


Notice on Strengthening the Protection of Customer Data Security in Internet Data Centers

To the communications administrations of all provinces, autonomous regions and municipalities directly under the Central Government; China Telecom Corporation Limited, China Mobile Communications Group Co., Ltd., and China United Network Communications Group Co., Ltd.; and the relevant Internet data center enterprises:

The Internet Data Center (hereinafter referred to as IDC), as a new-generation information infrastructure, carries the massive customer data of thousands of industries and is an important strategic resource bearing on the lifeline of the national economy. Enhancing the capability to safeguard IDC customer data security is of vital importance to maintaining economic and social stability and even national security. In order to guide IDC business operators in strengthening the protection of customer data security, the relevant matters are hereby notified as follows:

I. Basic Requirements

(I) Overall principle. In accordance with the Data Security Law, the Cybersecurity Law, the Network Data Security Management Regulation, the Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial) and other laws, regulations and policy requirements, and following the principle of “consistent rights and responsibilities, classified strategy, combined management and technology, and ensured security,” strengthen the development of the capability to safeguard customer data security and enhance the level of customer data security protection (see the annex for specific implementing guidelines).

(II) Clarify the security responsibility boundary. In the contracts and agreements signed with customers, third-party service providers and the like, clarify the data security protection responsibilities and obligations of all parties according to the cooperation model, content, and the like.

(III) Strengthen system development and organizational assurance. Establish and improve a customer data security management system, clarify the person responsible for data security and the management department, and strengthen customer data security management and assurance measures.

(IV) Strengthen customer management. Establish a customer management mechanism, and provide differentiated security protection measures for customers to select according to customer category and data protection needs.

(V) Strengthen customer data security assurance. In line with the data processing flow, clarify the security strategies and process mechanisms for key stages such as data access, operation and destruction, and ensure protective measures such as data isolation. Before implementing high-risk operations that may affect customer data security and before providing customer data externally, inform the customer and obtain authorization. According to the actual business situation, improve business continuity and stability through redundant design and the like.

(VI) Carry out incident emergency response. Establish a contingency plan for customer data security incidents, and regularly conduct emergency drills. Where a customer data security incident is caused by the IDC business operator, immediately activate emergency disposal measures, promptly inform the customer, and report to the telecommunications authority in accordance with relevant requirements.

(VII) Provide security protection service capabilities. According to the actual business situation, provide data security technical capabilities and cybersecurity protection products or services for customers to select.

II. Strengthening Safeguard Capabilities for the Server-Hosting Business Scenario

(VIII) Ensure the security of equipment-room facilities. Standardize equipment-room security management, equip physical security safeguard measures, strengthen the security assurance of equipment-room authority, personnel attendance, fire-protection systems, and the like, promptly discover and eliminate security hazards, and prevent the destruction and loss of customer data.

(IX) Carry out equipment supply-chain management. Where the sale or lease of servers, network equipment and the like is involved, strengthen equipment procurement security management, establish equipment ledgers, and carry out security inspection before equipment is put on the rack and regular maintenance and updates, so as to prevent customer data from being tampered with or stolen.

III. Strengthening Safeguard Capabilities for the Data-Storage-and-Computing Business Scenario

(X) Ensure data storage and computing security. Provide data security protection capabilities such as disaster-recovery backup, verification technology and cryptographic technology, equip the technical capability for storage and computing resource monitoring, promptly discover and give early warning of abnormal use of storage and computing resources, and carry out dynamic adjustment and allocation of resources, so as to ensure the security and availability of the relevant resources.

(XI) Ensure data transmission security. Provide protective measures such as data encryption, interface authentication and security auditing, strengthen data security risk monitoring and early warning, provide the capability to discover, warn of and dispose of security risks such as abnormal data flow and non-compliant export, and assist customers in safeguarding the security of data transmission links and interfaces.

(XII) Strengthen the security management of key services. Where the function of managing artificial-intelligence training data sets is provided, provide the capability to safeguard the security of customers’ own training data sets, so as to prevent the relevant data sets from being leaked or contaminated. Where computing-power scheduling and computing-power services are provided, carry out the security management of computing-power scheduling strategies, equip the capability for monitoring, early warning and emergency disposal of abnormal use of computing power, and ensure the security of computing-power scheduling.

IV. Strengthening Data Security Supply Support

(XIII) Advance the development of data security standards. The Ministry of Industry and Information Technology organizes the formulation of standards related to IDC customer data security protection and capability evaluation, clarifies the general and typical-scenario security protection rules and responsibility-division models for IDC customer data, and establishes a graded evaluation system for customer data security protection capabilities, so as to guide IDC business operators in enhancing the level of customer data security protection.

(XIV) Explore the conduct of data security protection capability evaluation. IDC business operators may, on their own or by entrusting third-party professional institutions, regularly carry out customer data security protection capability evaluation. Industry organizations and professional institutions are encouraged to carry out grading of customer data security protection capabilities based on the capability evaluation results, so as to guide IDC business customers in selecting IDC services as needed according to business scenario, data importance, and the like.

V. Work Implementation

(XV) Consolidate customer data security protection responsibility. IDC business operators shall attach great importance to customer data security protection, strengthen their sense of responsibility, actively increase resource investment in line with their own actual situation, carry out customer data security protection work well, and effectively enhance the level of IDC business service.

(XVI) Strengthen supervision and guidance. The Ministry of Industry and Information Technology and the local communications administrations shall strengthen the supervision and guidance of IDC business customer data security protection work, and implement the primary responsibility of the relevant enterprises.

This Notice is hereby issued.

General Office of the Ministry of Industry and Information Technology

January 13, 2025


Annex: Implementing Guidelines for the Protection of Customer Data Security in Internet Data Centers

I. Basic Situation of the Internet Data Center Business and Data Security Risk Challenges

(I) Basic situation and classification of the Internet Data Center. The Internet Data Center business (hereinafter referred to as the IDC business; see the Catalogue of Telecommunications Business Classification) mainly includes the traditional data center business and the Internet resource collaboration business. In light of business product functions, it is subdivided into three business scenarios: first, the server-hosting business scenario, referring to the business model in which the IDC business operator provides customers with services such as equipment rooms, cabinets and equipment leasing, as well as equipment maintenance; second, the data-storage business scenario, referring to the business model in which the IDC business operator provides customers with data storage services, as well as related data upload, download and access services; third, the data-computing business scenario, referring to the business model in which the IDC business operator provides customers with services such as data cleansing, integration, analysis, processing, presentation, model training, and computing-power scheduling.

(II) Customer data security risk challenges faced by the IDC business.

  1. General security risks. On the one hand, the IDC business operator, the customer, and even third-party suppliers and other parties that may access and process customer data have not clearly divided the boundaries of data security responsibility, resulting in unclear data security protection rights and responsibilities among the parties and inadequate implementation of responsibilities and obligations. On the other hand, the IDC business operator’s customer data security management systems and mechanisms are not sound and its security protection measures are not fully equipped, increasing the security risk of customer data being stolen, leaked, and the like.

  2. Security risks of typical business scenarios. First, in the server-hosting business scenario, the IDC business operator is mainly responsible for safeguarding the security of equipment-room infrastructure, and the possible customer data security risk situations mainly include: natural-environment disasters (earthquakes, floods), physical-facility failures (such as power outages, temperature and humidity imbalance, etc.) and the like causing servers and other equipment to crash, be damaged or be stolen, resulting in the destruction and loss of customer data; where network equipment, servers and the like are provided by the business operator, the need to prevent risks such as equipment being attacked and intruded due to inadequate equipment security management and the existence of equipment vulnerabilities and backdoors, thereby causing customer data to be stolen or destroyed. Second, in the data-storage and computing business scenario, the IDC business operator mainly provides secure and reliable computing and storage platforms, and the possible customer data security risk situations mainly include: in the stages of data storage and transmission, as well as computing-power scheduling and artificial-intelligence training, risks of data being stolen, leaked, lost, and the like, due to insufficient data security safeguard measures and imperfect management and technical means such as risk monitoring, resource monitoring and load balancing.

II. Enhancing Customer Data Security Safeguard Capabilities

(III) General safeguard capabilities.

  1. Customer data processing requirements. The IDC business operator shall, in accordance with the Data Security Law, the Cybersecurity Law, the Network Data Security Management Regulation, the Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial) and other laws, regulations and policy requirements, perform its customer data security protection responsibilities, and shall not, without the customer’s authorization, collect, store, use, process, transmit, provide, disclose or destroy customer data in any form, except as otherwise provided by laws and regulations.

  2. Clarify the responsibility interface. In the contracts and agreements signed with customers, with reference to relevant industry standards and according to the business model and service content, clarify the data security protection responsibilities and obligations of both parties. Where customer data is processed through the procurement of third-party service-provider equipment, services and the like, clarify the data security protection responsibilities and obligations of all parties.

  3. Management-system development. Establish a customer data security management system, clarifying the division of work responsibilities, supporting mechanisms, and management and technical safeguard measures.

  4. Institution and personnel arrangement. Clarify the person responsible for data security and the management department, and, in light of the business model, establish data security management positions and clarify position responsibilities, equip corresponding personnel, and take overall responsibility for the security management of customer data processing activities.

  5. Customer management. Establish a customer management mechanism, strengthen data security risk reminders to key customers such as Party and government organs, provide differentiated security protection capabilities according to customer category and data protection needs, and cooperate in taking corresponding protective measures, so as to enhance the security protection capability of the information systems and data carried by the IDC.

  6. Data classification and grading protection. Before providing services, by means of contracts and agreements and the like, remind customers to identify important data in accordance with relevant national and industry laws, regulations, policy requirements, and standards and specifications, strengthen personal information protection, and perform data classification and grading protection responsibilities and obligations. According to the data category and grade, possess differentiated security protection capabilities, and, in accordance with the customer’s data classification and grading protection requirements, cooperate in carrying out corresponding data security protection.

  7. Data access security. Standardize the access process for customer data, cooperate with customers in establishing access control strategies, and equip technical measures to prevent security risks such as unauthorized access to customer data.

  8. Data operation security. Improve mechanisms such as customer data operation registration, authority approval, and dynamic account verification. Where customer data processing activities are carried out with the customer’s authorization, reasonably allocate operating authority in accordance with the principle of minimum necessity, carry out authority monitoring, retain relevant log records of authority application, approval, data operation, and the like, and promptly reclaim expired authority; where bulk download, bulk access, or the operation and processing of customer important data or personal information is carried out, separately perform internal approval procedures.

  9. Data destruction security. Clarify the security strategies and operating procedures for customer data destruction, and provide differentiated data destruction measures for different types of storage media. Do not arbitrarily destroy customer data without authorization. Where data is destroyed at the customer’s request, keep destruction records, and do not recover it for any reason or in any manner.

  10. Data isolation security. Equip data isolation security strategies, and provide physical, logical and other data isolation methods, so as to ensure the independence of customer data in the processing of each stage.

  11. High-risk operation security. Establish a ledger of high-risk operations that may cause major customer data security risks, covering network and equipment replacement, operation and maintenance, upgrades, and data migration, and form high-risk operation security specifications. Before carrying out a high-risk operation, inform the relevant customer of the system scope involved, the operation behavior, the time, the reason, the possible major risks, and the like, and obtain the customer’s authorization.

  12. External provision of data. Where the external provision of customer data is involved, inform the customer in advance of the purpose, method, scope, safeguard measures, and the like, of providing the data, and obtain the customer’s authorization.

  13. Business availability assurance. According to the actual business situation, improve business continuity and stability through redundant design and the like.

  14. Security-incident emergency disposal. Establish a contingency plan for customer data security incidents, covering security-incident scenarios such as customer data loss, destruction and leakage, clarify the graded incident disposal methods, processes, and the like, regularly organize and conduct emergency drills, and enhance the emergency disposal capability for customer data security incidents. Where a customer data security incident is caused by the IDC business operator, immediately activate emergency disposal, promptly inform the customer, and, in light of the degree of impact of the incident, report to the telecommunications authority in accordance with relevant laws, regulations and standards. At the same time, according to the type and grade of the incident and the like, promptly cooperate with the customer in carrying out incident emergency disposal and reporting.

  15. Provision of security protection capabilities. According to the actual business situation, provide data security technical capabilities such as data encryption, desensitization, access control, authentication and verification, log recording and auditing, and data backup and recovery, as well as cybersecurity protection products or services such as firewalls, bastion hosts, illegal-intrusion detection, tamper-proofing, vulnerability scanning, virus prevention, and security upgrades, for customers to select.

(IV) Safeguard capabilities for the server-hosting business scenario.

  1. Equipment-room management requirements. Standardize equipment-room security management, and clarify the security management requirements for equipment-room facilities, customer equipment, and personnel entry and exit.

  2. Equipment-room physical security. Equip equipment-room physical security safeguard measures, implement 7×24-hour monitoring of key areas, and possess the capability to identify, alarm, intercept and dispose of abnormal entry and exit behavior.

  3. Equipment-room authority management. Set an equipment-room entry and exit authority list, clarifying the authority scope, validity period, approver, and other information. Implement strict approval for the entry and exit of personnel not on the list; where the customer authorizes entry into the equipment room to carry out equipment and data operation and maintenance management, equip corresponding management and technical measures, retain equipment-room entry and exit records, and strictly restrict the entry of unauthorized personnel.

  4. Equipment-room attendance management. Arrange 7×24-hour personnel attendance, establish infrastructure inspection and risk-disposal procedures, implement normalized patrols and inspections, and promptly discover and eliminate risks and hidden dangers.

  5. Fire-protection system security. Equip fire-protection power-supply facilities, an automatic fire-alarm system, an emergency lighting system, dual water and power systems, and the like, so as to ensure the rapid recovery and operation of the equipment room under extreme circumstances.

  6. Equipment supply management. Where the sale or lease of servers, network equipment and the like is involved, carry out equipment security management well, establish equipment ledgers, and record the equipment brand, model, key performance parameters, procurement time, source, and security application status, and the like. Carry out security inspection before equipment is put on the rack, conduct regular maintenance and updates, and strengthen the security management of security vulnerabilities, equipment and system configuration, and the like. Where services are provided to key customers such as Party and government organs, IDC business operators are encouraged to use independently controllable network and data security equipment.

(V) Safeguard capabilities for the data-storage-and-computing business scenario.

  1. Data storage security. Strengthen customer data storage security management, and provide data security protection capabilities such as disaster-recovery backup, verification technology and cryptographic technology, so as to meet customers’ different data storage security needs.

  2. Data security risk monitoring. Strengthen data security risk monitoring and early warning, sort out and grasp traffic nodes, equip technical means such as traffic analysis and filtering, possess the capability to discover data security risks, and promptly investigate and rectify data security problems and hidden dangers.

  3. Resource monitoring and load balancing. Equip the technical capability for storage and computing resource monitoring, monitor in real time and conduct statistical analysis of resource usage, and promptly give early warning of and discover abnormal-use situations. Equip the technical capability for storage and computing resource load balancing, dynamically adjust resource allocation in real time according to the resource load situation, and ensure the security and availability of resources.

  4. Data transmission security. Strengthen customer data transmission security management, and, according to the grade and application scenario of the customer data transmitted, cooperate with customers in formulating secure transmission strategies, and provide protective measures such as data encryption, interface authentication and security auditing. Meet customers’ data transmission security needs and the need for regular interface security auditing, promptly adjust the interface status, and reclaim and close abandoned interfaces.

  5. Artificial-intelligence training-data security. Where the function of managing artificial-intelligence training data sets is provided, provide the capability to safeguard the security of customers’ own training data sets, so as to prevent customers’ own training data sets from being leaked or contaminated.

  6. Computing-power scheduling security. Where computing-power scheduling services are provided, equip secure and reliable computing-power scheduling strategies, carry out strategy configuration management and change approval, and ensure that computing power is reasonably allocated as needed. Where computing-power services are provided, possess the capability to monitor computing-power usage in real time, discover and give early warning of abnormal-use situations of computing-power resources, and promptly take measures such as strategy adjustment and resource deactivation.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.