---
title_en: "Cybersecurity Standards Practice Guide — Implementation Guidelines for Network Data Security Risk Assessment"
title_zh: "网络安全标准实践指南 — 网络数据安全风险评估实施指引"
abbreviation: "TC260 Data Risk Assessment Guide"
hierarchy: "standard"
issuing_body: "National Information Security Standardization Technical Committee (TC260)"
status: "effective"
related_laws: ["network-data-security-regulations"]
domains: ["data-security"]
url: https://datacompliancechina.com/laws/tc260-data-security-risk-assessment-guide/
summary: "This TC260 practice guide gives step-by-step implementation guidelines for conducting a network data security risk assessment. It walks organizations through preparing for, executing and reporting an assessment of data-security risks across the data lifecycle — identifying assets, threats, vulnerabilities and impacts and rating overall risk — in support of the assessment duties created by the Network Data Security Management Regulations. It is the practice-oriented companion to the GB/T 45577 risk-assessment method, and is advisory rather than mandatory."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/tc260-data-security-risk-assessment-guide/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Cybersecurity Standards Practice Guide — Implementation Guidelines for Network Data Security Risk Assessment", https://datacompliancechina.com/laws/tc260-data-security-risk-assessment-guide/
> *DCC summary, not a translation.* TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC's own paraphrase grounded in the guide's title and the underlying regime; specific clauses should be checked against the published guide.

## Scope

This practice guide provides **implementation guidelines for carrying out a network data security risk assessment** — a procedural, hands-on walkthrough of how to plan, perform, and report an assessment of the security risks to network data across its lifecycle. It applies to data processors conducting such assessments (including those required to assess important-data processing) and to bodies assisting them.

It is a **practice guide** issued by the TC260 Secretariat — advisory, not a mandatory standard, and is designed to be the procedural complement to the formal risk-assessment method standard.

## Key contents

At a structural level the guide is expected to cover:

- **Assessment preparation** — scoping, team and work-plan setup, and gathering of data inventories (informed by classification and grading).
- **Asset and risk identification** — identifying data assets, threats, vulnerabilities, and the existing security measures across collection, storage, transmission, use, provision, disclosure and deletion.
- **Risk analysis and rating** — analyzing likelihood and potential impact (to national security, public interest, organizations and individuals) and determining an overall risk level.
- **Treatment and reporting** — recommending risk-treatment measures and producing the assessment report, including any matters to be reported to regulators.
- **Templates and worked steps** — practical checklists and report formats to standardize execution.

> *Editor: verify specific clauses against the published guide.*

## How it fits the regime

The guide operationalizes the **risk-assessment duties of the Network Data Security Management Regulations** (effective 1 January 2025), which require processors of **important data** to conduct periodic data-security risk assessments and report the results, and which expect risk assessment around other significant processing activities. It gives organizations a concrete procedure to satisfy those duties.

It is the practice-oriented companion to **GB/T 45577** (*Data Security Risk Assessment Method*), which supplies the formal method, and it relies on **GB/T 43697** (classification and grading) to identify which data is important or core. For overseas compliance teams whose Chinese operations process important data or operate at scale, it is the step-by-step reference for running and documenting a network-data-security risk assessment that regulators will recognize.
