Promulgated by: Ministry of Industry and Information Technology.
Document No.: MIIT Cyber Security [2024] No. 82.
Issued May 10, 2024. Effective June 1, 2024.
Article 1. These Implementing Rules are formulated in accordance with the Data Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China and other laws, and in line with the relevant requirements of the Administrative Measures for Data Security in the Field of Industry and Information Technology (Trial), in order to guide data processors in the field of industry and information technology to carry out data security risk assessment in a standardized manner, improve the level of data security management, and safeguard national security and development interests.
Article 2. These Implementing Rules apply to data security risk assessments conducted on the data processing activities of processors of important data and core data in the field of industry and information technology within the territory of the People’s Republic of China.
Article 3. The Ministry of Industry and Information Technology shall uniformly manage, supervise and guide data security risk assessment work in the field of industry and information technology, and organize the formulation, revision, promotion and application of relevant assessment standards.
The industry and information technology authorities of the provinces, autonomous regions, municipalities directly under the Central Government and cities specifically designated in the State plan, and the Xinjiang Production and Construction Corps, as well as the communications administrations and radio regulatory agencies of the provinces, autonomous regions and municipalities directly under the Central Government (hereinafter collectively referred to as the local industry regulatory authorities), shall, in accordance with their respective duties, be respectively responsible for supervising and administering the data security risk assessment work carried out by processors of important industrial, telecommunications and radio data and core data in their respective regions.
The Ministry of Industry and Information Technology and the local industry regulatory authorities are collectively referred to as the industry regulatory authorities.
Article 4. Processors of important data and core data shall carry out data security risk assessments in accordance with the principles of timeliness, objectivity and effectiveness, form true, complete and accurate assessment reports, and be responsible for the assessment results.
Article 5. Processors of important data and core data shall, in accordance with national laws and regulations, the relevant provisions of the industry regulatory authorities and the assessment standards, carry out data security risk assessment of the purpose and method, business scenarios, security safeguard measures, risk impact and other elements of their data processing activities, with the following content as the focus:
(I) whether the purpose, method and scope of data processing are legal, legitimate and necessary;
(II) the formulation and implementation of data security management systems, processes and strategies;
(III) the data security organizational structure, position staffing and performance of duties;
(IV) the development and application of data security technical protection capabilities;
(V) whether the personnel involved in data processing activities are familiar with data-security-related policies and regulations, whether they possess data security knowledge and skills, and whether they have received data-security-related education and training;
(VI) the scope and degree of impact on national security and the public interest in the event of a security incident in which data is tampered with, destroyed, leaked, lost, or illegally obtained or used;
(VII) where data provision, entrusted processing or transfer is involved, the security safeguard capabilities, responsibilities and obligations, and performance thereof, of the data recipient or entrusted party;
(VIII) where circumstances requiring the declaration of a data export security assessment as prescribed by national laws and regulations are involved, the fulfillment of the data export security assessment requirements.
Article 6. Processors of important data and core data shall carry out a data security risk assessment at least once a year. The validity period of the assessment results is one year, calculated from the date on which the assessment report is first issued. The assessment report shall include the basic information of the data processor, the basic information of the assessment team, the categories and quantities of important data, the conduct of data processing activities, the data security risk assessment environment, as well as the analysis of data processing activities, the compliance assessment, the security risk analysis, and the assessment conclusions and response measures.
Where any of the following circumstances occurs within the validity period, the processor of important data and core data shall promptly carry out a risk assessment of the part that has changed and its impact:
(I) newly providing, entrusting the processing of, or transferring core data across entities;
(II) a change in the security status of important data or core data that adversely affects data security, including but not limited to major adjustments to the purpose, method, scope of application and security system strategy of data processing;
(III) the occurrence of a security incident involving important data or core data;
(IV) a major change in the filing content of the catalogue of important data and core data;
(V) other circumstances in which the industry regulatory authority requires an assessment.
Article 7. Processors of important data and core data may carry out the assessment on their own or by entrusting a third-party assessment institution that has the capability for data security work in industry and information technology. The assessment process shall establish a professional assessment team including at least personnel for organizational management, business operation, technical assurance and security compliance, formulate a complete assessment work plan, and equip itself with effective technical testing tools.
Article 8. Where a processor of important data and core data entrusts a third-party assessment institution to carry out a data security risk assessment, it may, by concluding a contract or other legally effective document, clarify the rights and responsibilities of both parties, provide the third-party assessment institution with the necessary materials and conditions, ensure the authenticity and completeness of the relevant materials, and confirm the assessment results.
Article 9. For data security risks and hidden dangers discovered in the assessment, processors of important data and core data shall promptly take appropriate measures to eliminate or reduce the risks and hidden dangers.
Article 10. Processors of important data and core data shall, within 10 working days after the completion of the assessment work, submit the assessment report to the industry regulatory authority of their region.
Central enterprises shall supervise and guide their subordinate enterprises in fulfilling the territorial data security risk assessment and assessment-report submission requirements, and shall submit the consolidated assessment reports of the enterprise group headquarters and subordinate companies to the Ministry of Industry and Information Technology.
The local industry regulatory authorities shall submit the assessment results of processors of important data and core data in their respective regions and fields to the Ministry of Industry and Information Technology.
Article 11. Where a local industry regulatory authority discovers non-compliance with laws, regulations and relevant provisions, it shall promptly notify the processor of important data and core data to make corrections in accordance with the law. The local industry regulatory authorities shall, by December 25, submit to the Ministry of Industry and Information Technology the status of receipt and review of the assessment reports for the current year in their respective regions. The Ministry of Industry and Information Technology shall organize spot-check reviews of the assessment reports as appropriate.
Where the provision, transfer or entrusted processing of core data across entities is involved, the local industry regulatory authority shall complete the review within 20 working days after the data processor submits the assessment report, and report it to the Ministry of Industry and Information Technology for re-examination in accordance with relevant State provisions.
Article 12. Certification institutions that are familiar with data security work in the field of industry and information technology and meet the qualification requirements are encouraged to carry out capability certification of third-party assessment institutions.
The relevant certification institutions shall be equipped with corresponding personnel and technical assurance capabilities, establish a capability certification system for third-party assessment institutions, clarify the standardized requirements for third-party assessment institutions in terms of management systems, personnel capabilities, tools and facilities, and assessment fields, track and manage the service quality of third-party assessment institutions, and supervise third-party assessment institutions in carrying out data security risk assessment work independently, impartially, objectively and scientifically.
Article 13. Third-party assessment institutions shall perform the following obligations:
(I) strictly keep confidential the State secrets, the catalogues and content of important data and core data, commercial secrets, personal privacy that they become aware of in the assessment work, as well as the confidential information agreed in the confidentiality agreement signed with the data processor;
(II) carry out the assessment impartially and independently and issue the assessment report in strict accordance with national laws and regulations, the relevant provisions of the industry regulatory authorities and the assessment standards, comprehensively, accurately and objectively reflect the data security risk status of the processor of important data and core data, and provide practical and effective risk rectification suggestions and measures;
(III) except with the written consent of the processor of important data and core data or as otherwise provided by laws and administrative regulations, not provide other organizations or individuals with the relevant information collected and obtained in the assessment.
Article 14. The Ministry of Industry and Information Technology shall, according to technical capability, personnel staffing, reputation and qualifications, and other factors, select on a merit basis third-party assessment institutions that have passed capability certification, and establish a pool of data security risk assessment support institutions in the field of industry and information technology.
The local industry regulatory authorities may, with reference thereto, establish pools of data security risk assessment support institutions for their respective regions.
The industry regulatory authorities may, as needed for their work, on their own or by organizing institutions from the pool of data security risk assessment support institutions, carry out special risk assessments of the data processing activities of processors of important data and core data, or supervise and inspect the implementation of risk assessment work by processors of important data and core data.
Processors of important data and core data shall cooperate with the special risk assessments and supervision and inspection initiated by the industry regulatory authorities, and promptly correct the relevant problems discovered in the assessment.
Article 15. With respect to certification institutions that violate relevant State provisions on certification and accreditation, the industry regulatory authorities shall transfer the relevant leads to the market regulation authorities for handling.
The industry regulatory authorities shall supervise and administer the assessment activities of third-party assessment institutions, and, with respect to third-party assessment institutions that violate laws and regulations, fail to carry out assessment activities in accordance with industry provisions and standards, or fail to perform their confidentiality obligations, conduct interviews and notifications as appropriate in accordance with the prescribed authority and procedures; the certification institutions shall, based on the notified information, suspend or even revoke the corresponding certification certificates of third-party assessment institutions that do not meet the certification requirements in accordance with the law.
Article 16. Where there is conduct in violation of these Implementing Rules, the industry regulatory authorities shall impose administrative penalties in accordance with relevant laws and regulations and according to the degree of seriousness of the circumstances; where a crime is constituted, criminal liability shall be pursued in accordance with the law.
Article 17. Staff of the industry regulatory authorities and the entrusted support institutions have an obligation of confidentiality with respect to the State secrets, commercial secrets, personal information, assessment work information, and the like, that they become aware of in the performance of their duties.
Article 18. Data security risk assessments conducted on the data processing activities of processors of general data may be implemented with reference to these Implementing Rules. Data processing activities involving military affairs, State secrets, and the like, shall be carried out in accordance with relevant State provisions.
Article 19. These Implementing Rules shall come into force on June 1, 2024.