Promulgated by: Cyberspace Administration of China, Ministry of Industry and Information Technology, and Ministry of Public Security.
Document No.: Order No. 24.
Reviewed and adopted at the 12th office affairs meeting of the Cyberspace Administration of China in 2026 on June 1, 2026, and promulgated with the consent of the Ministry of Industry and Information Technology and the Ministry of Public Security. Promulgated June 18, 2026. Effective August 20, 2026.
Zhuang Rongwen, Director of the Cyberspace Administration of China.
Li Lecheng, Minister of Industry and Information Technology.
Wang Xiaohong, Minister of Public Security.
Article 1. These Measures are formulated in accordance with the Data Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, the Regulation on Network Data Security Management and other laws and regulations, in order to regulate network data security risk assessment activities, safeguard network data security, and promote the lawful, reasonable and effective use of network data.
Article 2. These Measures shall be observed in carrying out network data security risk assessment within the territory of the People’s Republic of China.
For the purposes of these Measures, “network data security risk assessment” (hereinafter “risk assessment”) refers to activities such as risk identification, risk analysis and risk evaluation conducted with respect to the security of network data and network data handling activities.
Article 3. Under the guidance of the national data security work coordination mechanism, the national cyberspace administration, together with the telecommunications, public security and other relevant departments of the State Council, shall establish a special working mechanism for network data security risk assessment to guide and supervise risk assessment work.
Article 4. The relevant competent authorities shall, in accordance with the principle of “whoever is in charge of the business is in charge of the business data and is in charge of data security,” regularly organize risk assessments in their respective industries and fields; shall, as needed for their work, inspect the conduct of risk assessment by network data handlers that handle important data in their respective industries and fields (hereinafter “important data handlers”); and shall, by the end of January each year, submit their annual risk-assessment inspection plans to the national cyberspace administration. The national cyberspace administration shall, through the national data security work coordination mechanism, share and coordinate the plans with the telecommunications, public security, national security and other relevant departments of the State Council, so as to avoid unnecessary inspections and overlapping or duplicative inspections.
The relevant competent authorities shall not charge fees to the important data handlers they inspect.
Article 5. Important data handlers shall carry out a risk assessment each year.
Where a material change in the security status of important data may adversely affect data security, a risk assessment shall be promptly carried out of the part that has changed and its impact.
Network data handlers that handle general data (hereinafter “general data handlers”) are encouraged to carry out a risk assessment at least once every three years.
Article 6. Risk assessment work shall be carried out in accordance with the relevant requirements of the Data Security Law of the People’s Republic of China and the Regulation on Network Data Security Management, and with reference to the relevant national standards for data security risk assessment. Where the relevant competent authority has other provisions on risk assessment work in its industry or field, those provisions shall prevail.
Article 7. A network data handler may carry out a risk assessment on its own or by entrusting a third-party assessment institution (hereinafter “assessment institution”).
Where a network data handler carries out a risk assessment on its own, it shall designate a dedicated person to be responsible for it. Where a network data handler entrusts an assessment institution to carry out a risk assessment, it shall, by concluding a contract or other legally effective document, clarify the rights and obligations of both parties.
Article 8. Relevant assessment institutions are encouraged to obtain certification. The certification of assessment institutions shall be carried out in accordance with the relevant provisions of the Regulations of the People’s Republic of China on Certification and Accreditation.
Article 9. Under the guidance of the national data security work coordination mechanism, the national cyberspace administration and the telecommunications, public security and other relevant departments of the State Council shall actively promote the development of network data security risk assessment services and cultivate assessment institutions.
Article 10. In carrying out a risk assessment, an assessment institution shall comply with laws and regulations, make risk judgments in a fair and objective manner, and be responsible for the authenticity, validity and completeness of the risk assessment report it issues.
Article 11. An assessment institution shall not sub-entrust the risk assessment to another institution.
Article 12. The same assessment institution and its affiliated institutions shall not carry out the annual risk assessment for the same network data handler for more than three consecutive times.
Article 13. Where, in the course of a risk assessment, an assessment institution discovers that a network data handling activity presents a major data security risk, it shall promptly notify the network data handler.
Article 14. An assessment institution and its staff shall, in accordance with the law, keep confidential the data, trade secrets, confidential business information and the like obtained in the course of a risk assessment, and shall not divulge or unlawfully provide the same to others; and shall, after the conclusion of the risk assessment, promptly delete the relevant information or properly dispose of it as agreed in the contract.
Article 15. An important data handler carrying out an annual risk assessment shall prepare a risk assessment report in accordance with the law and the provisions of the relevant competent authority. Where the relevant competent authority has no provisions on the risk assessment report, the report may be prepared with reference to the relevant national standards for data security risk assessment. The risk assessment report shall be retained for at least three years.
A general data handler may prepare a risk assessment report with reference to the requirements of the preceding paragraph.
Article 16. An important data handler shall, within 20 working days after completing its annual risk assessment, submit the risk assessment report to the relevant competent authority as required. Where the competent authority is not clear, it shall submit the report to the provincial-level cyberspace administration or the national cyberspace administration.
The relevant competent authority shall make public the channels and contact information for submitting risk assessment reports, promptly receive the risk assessment reports submitted by important data handlers, and, within 10 working days from the date of receipt of a risk assessment report, notify the cyberspace administration at the same level. The national cyberspace administration shall consolidate the relevant reports and share them with the telecommunications, public security, national security and other relevant departments of the State Council.
The cyberspace administrations, telecommunications authorities, public security organs, national security organs and other relevant departments at or above the provincial level may inspect and verify the authenticity and accuracy of the risk assessment reports of important data handlers, and the important data handlers shall cooperate with such inspection and verification.
Article 17. Where, in the course of verifying risk assessment reports, conducting supervision and inspection, or other work, the cyberspace administrations, telecommunications authorities, public security organs and other relevant departments at or above the provincial level discover that a network data handler falls under any of the following circumstances, they may require it to entrust a certified assessment institution to carry out a risk assessment:
(1) the network data handling activity presents a relatively high security risk that may endanger national security or the public interest;
(2) a network data security incident has occurred, resulting in the leakage or theft of important data or large-scale personal information;
(3) other circumstances prescribed by the relevant department.
With respect to the same network data security incident or risk, a network data handler shall not be repeatedly required to entrust an assessment institution to carry out a risk assessment.
Article 18. Where a network data handler entrusts an assessment institution to carry out a risk assessment as required by the relevant department, it shall perform the following obligations:
(1) provide the assessment institution with the necessary support for carrying out the risk assessment, including providing the risk assessment personnel with the necessary rights to access network data facilities, network data, systems and operation logs;
(2) complete the risk assessment within the prescribed time; where the circumstances are complex, the time may be appropriately extended upon approval by the relevant department;
(3) after completing the risk assessment, submit the risk assessment report issued by the assessment institution to the relevant department; the risk assessment report shall be signed by the principal person in charge of the assessment institution and the person in charge of the risk assessment, and shall bear the official seal of the institution;
(4) rectify the problems discovered in the risk assessment as required by the relevant department, and, within 15 working days after completing the rectification, submit a rectification report to the relevant department.
A network data handler shall not, by any means, require or suggest that an assessment institution issue a false or improper risk assessment report.
Article 19. Where, in organizing a risk assessment, the relevant department discovers that the important data handling activities of an important data handler may endanger national security or the public interest, it shall, in accordance with its duties, order the important data handler to rectify; with respect to an important data handler that refuses to rectify or fails to meet the rectification requirements, the department may take measures such as requiring it to cease handling important data.
Article 20. The relevant competent authorities shall strengthen risk information sharing and coordinated disposal, promptly dispose of the security risks and problems discovered in risk assessments, and promptly report in accordance with relevant provisions.
Article 21. Any organization or individual has the right to complain to, or report to, the relevant department any illegal activity in a risk assessment, and the department receiving the complaint or report shall promptly handle it in accordance with the law.
Article 22. Where the cyberspace administrations, telecommunications authorities, public security organs, national security organs or other relevant departments at or above the provincial level discover that a network data handler has failed to carry out a risk assessment as required, they shall handle the matter in accordance with the Data Security Law of the People’s Republic of China, the Regulation on Network Data Security Management and other relevant laws and administrative regulations.
Where an assessment institution is found to have carried out a risk assessment in violation of these Measures, the relevant department shall handle the matter in accordance with the law.
Article 23. The risk assessment of a network data handler that handles core data shall be carried out in accordance with relevant national provisions.
Where technical measures such as the encryption of important data are involved, a commercial cryptography application security assessment shall be carried out in accordance with the requirements of the national laws and administrative regulations on cryptography.
Article 24. Risk assessment activities involving state secrets or work secrets shall be carried out in accordance with the Law of the People’s Republic of China on Guarding State Secrets and other laws and administrative regulations as well as national secrecy provisions.
Article 25. These Measures shall come into force on August 20, 2026.