DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 050 · CRITICAL-INFORMATION-INFRASTRUCTURE

Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules

China's Cybersecurity Law, Data Security Law, and Network Data Security Management Regulations impose materially heavier compliance obligations on critical information infrastructure (CII) operators (关键信息基础设施运营者) and important-data handlers (重要数据处理者) than on ordinary data processors. This brief, drawing on a DEXC+ practitioner analysis by Gu Qingzhuo (古青卓) of the Shenzhen Data Exchange compliance team, explains how the two statuses are determined under the current framework, why neither is self-evident from a company's own assessment alone, how recent rules — including the Regulations on Promoting and Regulating Cross-Border Data Flows and the national standard GB/T 43697-2024 — have clarified but not fully resolved the important-data identification problem, and what overseas counsel should do when advising clients that operate in China's critical sectors.

Editor’s Note — DCC.

This brief summarises a DEXC+ column piece by Gu Qingzhuo (古青卓), Transaction Review Supervisor in the Shenzhen Data Exchange compliance department. The author writes from a genuinely practitioner position: Shenzhen Data Exchange reviews data assets before they are listed for trading, and the compliance team has encountered multiple counterparties that either did not know — or did not think to ask — whether they were critical information infrastructure (CII) operators (关键信息基础设施运营者) or important-data handlers (重要数据处理者). The piece is one of the more grounded assessments of this classification problem available in Chinese practitioner commentary, precisely because it is written by someone who has had to apply the rules to real clients in a live regulatory setting. DCC is running it because this classification question is consistently under-addressed in the due-diligence work overseas counsel perform on China operations.

Two substantive points to hold throughout: first, CII status and important-data handler status are legally distinct questions governed by different instruments and determined through different mechanisms — conflating them in a compliance memo is a common error. Second, the author’s position is that neither status is safely resolved by waiting for the regulator to knock. The analytical burden falls on the company (and its advisers) to conduct an honest assessment well before any notification arrives.

Why the classification matters — and why it is difficult

Under China’s data compliance framework, both CII operators and important-data handlers face obligations that go well beyond those imposed on ordinary data processors. The Data Security Law and the Cybersecurity Law (网络安全法, CSL) introduce these categories as the two tiers of heightened protection within the broader data governance structure. Failure to recognise that a company falls within either category — and therefore failure to meet the associated compliance obligations — can result in administrative penalties or, in serious cases, criminal liability.

The practical difficulty is that neither category comes with a simple checklist that companies can apply to themselves. The Cybersecurity Law first introduced the concepts of critical information infrastructure and important data (重要数据) at the legislative level in 2016, including the foundational data-localisation obligation for CII operators: personal information and important data collected or generated within China must be stored domestically. But the same law did not specify who was responsible for identifying whether a company fell within scope, nor did it provide detailed identification rules. That gap was the starting point for years of practical difficulty.

The Shenzhen Data Exchange compliance team identifies this gap as a real and recurring problem in its transaction-review work: law firms issuing legal opinions on data assets have often treated the CII and important-data questions superficially, and some companies have not engaged with the question at all.

CII operators: the “notification-and-designation” mechanism

The CII security protection regulations (关键信息基础设施安全保护条例), issued in 2021, adopted a “sector enumeration plus authorised designation” approach (范围列举+授权认定). The regulations assigned responsibility for CII identification to the relevant protection-work departments (保护工作部门) — the competent and supervisory authorities for each important industry and sector. Those departments are responsible for, and organise, the designation of CII within their respective industries and sectors in accordance with prescribed identification rules, and they are required to notify operators of the designation outcome in a timely manner.

The practical consequence is that, at the level of formal mechanism, an operator only needs to fulfil the relevant compliance obligations upon receiving a notification. This created a common shorthand in practice: assess CII status by checking whether a notification has been received.

The author flags this shorthand as incomplete and potentially misleading. Not having received a notification does not mean the company is not a CII operator. The author’s recommendation to third-party legal evaluators is clear: when producing an assessment report, state the factual position on whether a notification has been received, but also conduct an independent evaluation against the sector-enumeration criteria and look at the profile of entities that have previously been designated in comparable industries. The absence of a notification is a data point, not a conclusion.

Important-data handlers: the harder problem

For important-data (重要数据) handler status, the identification problem is structurally more complex. The Data Security Law establishes a data classification and grading protection system, and mandates that the national data security coordination mechanism coordinate with relevant departments to formulate important-data catalogues (重要数据目录). The approach, as the author describes it, is “data processors proactively identify, plus competent authorities issue top-down catalogues.” But prior to the March 2024 rules discussed below, neither the 2021 draft Network Data Security Management Regulations nor the Ministry of Industry and Information Technology’s 2022 Data Security Management Measures for the Industrial and Information Technology Sector (试行) had provided specific conditions and standards for identifying important data in practice.

The consequence was that companies trying to fulfil their important-data identification obligations faced a near-absence of operationally usable guidance. Unlike CII designation — where a formal notification mechanism exists, however imperfect — important-data identification fell almost entirely on the company’s own analysis, with very little to guide that analysis.

What the March 2024 rules added

In late March 2024, two significant instruments were published that directly address the important-data identification question.

On 21 March 2024, the National Technical Committee on Cybersecurity Standardization (全国网络安全标准化技术委员会) released the national standard GB/T 43697-2024, Data Security Technology — Data Classification and Grading Rules (数据安全技术 数据分类分级规则), taking effect 1 October 2024. Section 6.5 of that standard provides a principled elaboration of the level-determination rules for important data. In addition, Annex G of the standard provides a set of consideration factors for identifying important data, listing eighteen items (items (a) through (r)) as identification guidance — a significant practical advance for companies conducting important-data self-assessments.

On 22 March 2024, the Cyberspace Administration of China (CAC) issued the Regulations on Promoting and Regulating Cross-Border Data Flows (促进和规范数据跨境流动规定, the cross-border data-flow regulations), effective immediately. Article 2 of those regulations addressed important data in the cross-border context: a data processor should identify and report important data in accordance with applicable rules. Where the relevant department or region has not informed the data processor that its data constitutes important data, and has not publicly designated it as such, the data processor does not need to declare it as important data for the purposes of a cross-border data security assessment.

The contested interpretive question

The cross-border data-flow regulations’ Article 2 generated immediate interpretive debate that the author addresses directly.

One view, supported by a “lighter burden inferred from heavier” (举重以明轻) argument, held that Article 2 could be read broadly: since cross-border data flows represent the highest-risk scenario for important data (the probability and severity of national-security consequences are both elevated), a rule relieving operators of the declaration obligation in that scenario should, a fortiori, relieve them of important-data compliance obligations generally when no notification has been received. On this reading, the Article 2 standard extends beyond the cross-border context to serve as a general screen for whether data constitutes important data at all.

The author’s position is firm: this extension should not be made. Article 2 of the cross-border data-flow regulations opens by affirming that data processors must proactively identify and declare important data in accordance with applicable rules. The provision carves out a specific relief from the cross-border-specific declaration requirement when no notification has been received — it does not establish a general safe harbour from important-data compliance obligations under the Data Security Law, the Cybersecurity Law, or other applicable rules.

The author’s conclusion: the cross-border data-flow regulations give companies a clear road to follow in one context (cross-border declarations), but they do not resolve the practical difficulty of important-data identification and compliance for all other contexts. The obligation to proactively identify, classify, and manage important data sits with the company in those other contexts regardless of whether a notification has been received.

Practical advice: what the author recommends

The author sets out a structured approach for third-party legal service providers and for companies.

For legal advisers assessing CII operator status:

The evaluator should state as a factual matter whether the company has received a formal CII designation notification. However, the evaluation should not stop there. The adviser should assess whether the company’s profile — its sector, the nature of the infrastructure it operates, and the characteristics of entities previously designated in comparable industries — indicates a realistic risk that designation is pending or likely. The evaluation report should reflect both the notification status and the substantive sector analysis.

For legal advisers assessing important-data handler status:

The evaluator should not mechanically apply the cross-border data-flow regulations’ Article 2 standard to contexts beyond its scope. The adviser should instead conduct an independent assessment drawing on GB/T 43697-2024 (particularly Annex G) and any other applicable sector-specific standards, and provide a substantive professional opinion on whether the company’s data holdings include important data (重要数据). The output should guide the company on what compliance obligations follow from the assessment.

The author adds a specific caution on the regulatory perimeter: under Article 6 of the Data Security Law, public security authorities and national security authorities bear data security supervisory responsibilities within their respective mandates. Companies should monitor compliance requirements from those authorities as well, and actively cooperate with regulatory investigations — the CAC is not the only enforcement body in the data security space.

For companies generally:

Both CII operator status and important-data handler status carry substantial compliance obligations that take time and resources to build. Waiting passively for a formal designation or notification carries serious risk: if the company is eventually notified that it is a CII operator or is required to comply with important-data obligations, the gap between its existing compliance posture and what is required may be large enough to attract investigation, administrative penalties, or criminal liability. The author’s recommendation is to begin CII and important-data identification and assessment early — before any notification arrives — with the assistance of data compliance specialists who can help map the obligations and build the compliance infrastructure in advance.

Why overseas counsel should care

  • Due diligence and deal risk. In M&A, data-asset transactions, and joint-venture structuring involving Chinese counterparties, the target’s CII operator or important-data handler status determines the applicable data-security obligations, localisation requirements, and regulatory exposure. A legal opinion that treats the absence of a notification as resolution of the question may significantly understate the compliance risk being acquired or assumed.

  • Listing and transaction review. The Shenzhen Data Exchange compliance team specifically identified this gap in its listing-review process. Companies seeking to list data assets on Chinese data exchanges — or whose data assets are being traded — should expect rigorous scrutiny of CII and important-data classification during transaction review. Overseas counsel advising on such transactions should build this assessment into their work product.

  • The Network Data Security Management Regulations add another layer. The formally enacted Network Data Security Management Regulations (网络数据安全管理条例) impose requirements that track both CII operator and important-data handler status, and their interaction with the CII protection regulations and the Data Security Law reinforces the need for a clear, documented status assessment as a baseline compliance artefact.

  • Regulatory perimeter is wider than CAC. As the author notes, enforcement jurisdiction over important-data obligations is not confined to the Cyberspace Administration. Public security and national security authorities have their own supervisory mandates under the Data Security Law. Overseas counsel should ensure their China data-risk assessments reflect the multi-regulator enforcement landscape.

DCC sources

  • Original: 古青卓 (Gu Qingzhuo), 《DEXC+专栏 | 新规背景下,如何评估企业是否属于关键基础设施运营者、重要数据处理者》, 深圳数据交易所 DEXC+ 专栏 WeChat Official Account (source).
  • Network Data Security Management Regulations (网络数据安全管理条例).
  • CII security protection regulations (关键信息基础设施安全保护条例, 2021).
  • Data Security Law (数据安全法, 2021), including Art. 6 (multi-regulator mandate) and Art. 21 (data classification and grading, important-data catalogues).
  • GB/T 43697-2024, Data Security Technology — Data Classification and Grading Rules (数据安全技术 数据分类分级规则), effective 1 October 2024.
  • Regulations on Promoting and Regulating Cross-Border Data Flows (促进和规范数据跨境流动规定, CAC Order No. 16, March 2024).

This is an editorial summary, not a translation of Gu Qingzhuo’s piece. Conceptual framings and analytical positions are attributed to the author; any simplification, error of emphasis, or operational extrapolation is DCC’s. Not legal advice.


