---
title: "Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules"
author: "DCC Editorial"
published: 2026-05-29T03:00:00.000Z
url: https://datacompliancechina.com/posts/assessing-cii-operator-important-data-handler-status/
description: "China's Cybersecurity Law, Data Security Law, and Network Data Security Management Regulations impose materially heavier compliance obligations on critical information infrastructure (CII) operators (关键信息基础设施运营者) and important-data handlers (重要数据处理者) than on ordinary data processors. This brief, drawing on a DEXC+ practitioner analysis by Gu Qingzhuo (古青卓) of the Shenzhen Data Exchange compliance team, explains how the two statuses are determined under the current framework, why neither is self-evident from a company's own assessment alone, how recent rules — including the Regulations on Promoting and Regulating Cross-Border Data Flows and the national standard GB/T 43697-2024 — have clarified but not fully resolved the important-data identification problem, and what overseas counsel should do when advising clients that operate in China's critical sectors."
tags: ["critical-information-infrastructure", "important-data", "data-security", "data-classification", "cross-border-data", "cii-identification", "data-compliance-risk", "network-data-security"]
laws_cited: ["network-data-security-regulations", "cii-protection-regulations", "dsl"]
domains: ["data-security", "critical-information-infrastructure"]
account: "shenzhen-data-exchange"
original_title: "DEXC+专栏 | 新规背景下，如何评估企业是否属于关键基础设施运营者、重要数据处理者"
original_author: "古青卓 (Gu Qingzhuo)"
original_publication: "深圳数据交易所 DEXC+ 专栏 WeChat Official Account"
original_url: "https://mp.weixin.qq.com/s/BHV-ixP0mN7HoLcyCHcw4g"
source_language: "zh"
---
> *Editor's Note — DCC.*
>
> This brief summarises a DEXC+ column piece by Gu Qingzhuo (古青卓),
> Transaction Review Supervisor in the Shenzhen Data Exchange compliance
> department. The author writes from a genuinely practitioner position:
> Shenzhen Data Exchange reviews data assets before they are listed for
> trading, and the compliance team has encountered multiple counterparties
> that either did not know — or did not think to ask — whether they were
> critical information infrastructure (CII) operators
> (关键信息基础设施运营者) or important-data handlers (重要数据处理者). The piece is one of the
> more grounded assessments of this classification problem available in
> Chinese practitioner commentary, precisely because it is written by
> someone who has had to apply the rules to real clients in a live
> regulatory setting. DCC is running it because this classification
> question is consistently under-addressed in the due-diligence work
> overseas counsel perform on China operations.
>
> Two substantive points to hold throughout: first, CII status and
> important-data handler status are legally distinct questions governed by
> different instruments and determined through different mechanisms —
> conflating them in a compliance memo is a common error. Second, the
> author's position is that neither status is safely resolved by waiting
> for the regulator to knock. The analytical burden falls on the company
> (and its advisers) to conduct an honest assessment well before any
> notification arrives.

## Why the classification matters — and why it is difficult

Under China's data compliance framework, both CII operators and
important-data handlers face obligations that go well beyond those
imposed on ordinary data processors. The [Data Security Law](/laws/dsl/)
and the Cybersecurity Law (网络安全法, CSL) introduce these categories as
the two tiers of heightened protection within the broader data governance
structure. Failure to recognise that a company falls within either
category — and therefore failure to meet the associated compliance
obligations — can result in administrative penalties or, in serious cases,
criminal liability.

The practical difficulty is that neither category comes with a simple
checklist that companies can apply to themselves. The Cybersecurity Law
first introduced the concepts of critical information infrastructure and
important data (重要数据) at the legislative level in 2016, including the
foundational data-localisation obligation for CII operators: personal
information and important data collected or generated within China must
be stored domestically. But the same law did not specify who was
responsible for identifying whether a company fell within scope, nor did
it provide detailed identification rules. That gap was the starting point
for years of practical difficulty.

The Shenzhen Data Exchange compliance team identifies this gap as a real
and recurring problem in its transaction-review work: law firms issuing
legal opinions on data assets have often treated the CII and
important-data questions superficially, and some companies have not
engaged with the question at all.

## CII operators: the "notification-and-designation" mechanism

The [CII security protection regulations](/laws/cii-protection-regulations/)
(关键信息基础设施安全保护条例), issued in 2021, adopted a
"sector enumeration plus authorised designation" approach
(范围列举+授权认定). The regulations assigned responsibility for CII
identification to the relevant protection-work departments (保护工作部门)
— the competent and supervisory authorities for each important industry
and sector. Those departments are responsible for, and organise, the
designation of CII within their respective industries and sectors in
accordance with prescribed identification rules, and they are required to
notify operators of the designation outcome in a timely manner.

The practical consequence is that, at the level of formal mechanism, an
operator only needs to fulfil the relevant compliance obligations upon
receiving a notification. This created a common shorthand in practice:
assess CII status by checking whether a notification has been received.

The author flags this shorthand as incomplete and potentially
misleading. Not having received a notification does not mean the company
is not a CII operator. The author's recommendation to third-party legal
evaluators is clear: when producing an assessment report, state the
factual position on whether a notification has been received, but also
conduct an independent evaluation against the sector-enumeration criteria
and look at the profile of entities that have previously been designated
in comparable industries. The absence of a notification is a data point,
not a conclusion.

## Important-data handlers: the harder problem

For important-data (重要数据) handler status, the identification problem
is structurally more complex. The [Data Security Law](/laws/dsl/)
establishes a data classification and grading protection system, and
mandates that the national data security coordination mechanism
coordinate with relevant departments to formulate important-data
catalogues (重要数据目录). The approach, as the author describes it, is
"data processors proactively identify, plus competent authorities
issue top-down catalogues." But prior to the March 2024 rules discussed
below, neither the 2021 draft Network Data Security Management
Regulations nor the Ministry of Industry and Information Technology's
2022 Data Security Management Measures for the Industrial and Information
Technology Sector (for Trial Implementation, 试行) had provided specific conditions and standards
for identifying important data in practice.

The consequence was that companies trying to fulfil their
important-data identification obligations faced a near-absence of
operationally usable guidance. Unlike CII designation — where a formal
notification mechanism exists, however imperfect — important-data
identification fell almost entirely on the company's own analysis, with
very little to guide that analysis.

## What the March 2024 rules added

In late March 2024, two significant instruments were published that
directly address the important-data identification question.

On 21 March 2024, the National Technical Committee on Cybersecurity
Standardization (全国网络安全标准化技术委员会) released the national
standard GB/T 43697-2024, Data Security Technology — Data Classification
and Grading Rules (数据安全技术 数据分类分级规则), taking effect
1 October 2024. Section 6.5 of that standard provides a principled
elaboration of the level-determination rules for important data. In
addition, Annex G of the standard provides a set of consideration
factors for identifying important data, listing eighteen items (items (a)
through (r)) as identification guidance — a significant practical
advance for companies conducting important-data self-assessments.

On 22 March 2024, the Cyberspace Administration of China (CAC) issued
the Regulations on Promoting and Regulating Cross-Border Data Flows
(促进和规范数据跨境流动规定, the cross-border data-flow regulations),
effective immediately. Article 2 of those regulations addressed important
data in the cross-border context: a data processor should identify and
report important data in accordance with applicable rules. Where the
relevant department or region has not informed the data processor that
its data constitutes important data, and has not publicly designated it
as such, the data processor does not need to declare it as important data
for the purposes of a cross-border data security assessment.

## The contested interpretive question

The cross-border data-flow regulations' Article 2 generated immediate
interpretive debate that the author addresses directly.

One view, supported by a "lighter burden inferred from heavier"
(举重以明轻) argument, held that Article 2 could be read broadly: since
cross-border data flows represent the highest-risk scenario for important
data (the probability and severity of national-security consequences are
both elevated), a rule relieving operators of the declaration obligation
in that scenario should, a fortiori, relieve them of important-data
compliance obligations generally when no notification has been received.
On this reading, the Article 2 standard extends beyond the cross-border
context to serve as a general screen for whether data constitutes
important data at all.

The author's position is firm: this extension should not be made.
Article 2 of the cross-border data-flow regulations opens by affirming
that data processors must proactively identify and declare important data
in accordance with applicable rules. The provision carves out a specific
relief from the cross-border-specific declaration requirement when no
notification has been received — it does not establish a general safe
harbour from important-data compliance obligations under the
[Data Security Law](/laws/dsl/), the Cybersecurity Law, or other
applicable rules.

The author's conclusion: the cross-border data-flow regulations give
companies a clear road to follow in one context (cross-border
declarations), but they do not resolve the practical difficulty of
important-data identification and compliance for all other contexts. The
obligation to proactively identify, classify, and manage important data
sits with the company in those other contexts regardless of whether a
notification has been received.

## Practical advice: what the author recommends

The author sets out a structured approach for third-party legal service
providers and for companies.

**For legal advisers assessing CII operator status:**

The evaluator should state as a factual matter whether the company has
received a formal CII designation notification. However, the evaluation
should not stop there. The adviser should assess whether the company's
profile — its sector, the nature of the infrastructure it operates, and
the characteristics of entities previously designated in comparable
industries — indicates a realistic risk that designation is pending or
likely. The evaluation report should reflect both the notification status
and the substantive sector analysis.

**For legal advisers assessing important-data handler status:**

The evaluator should not mechanically apply the cross-border data-flow
regulations' Article 2 standard to contexts beyond its scope. The
adviser should instead conduct an independent assessment drawing on
GB/T 43697-2024 (particularly Annex G) and any other applicable
sector-specific standards, and provide a substantive professional
opinion on whether the company's data holdings include important data
(重要数据). The output should guide the company on what compliance
obligations follow from the assessment.

The author adds a specific caution on the regulatory perimeter: under
Article 6 of the [Data Security Law](/laws/dsl/), public security
authorities and national security authorities bear data security
supervisory responsibilities within their respective mandates. Companies
should monitor compliance requirements from those authorities as well,
and actively cooperate with regulatory investigations — the CAC is not
the only enforcement body in the data security space.

**For companies generally:**

Both CII operator status and important-data handler status carry
substantial compliance obligations that take time and resources to build.
Waiting passively for a formal designation or notification carries
serious risk: if the company is eventually notified that it is a CII
operator or is required to comply with important-data obligations, the
gap between its existing compliance posture and what is required may be
large enough to attract investigation, administrative penalties, or
criminal liability. The author's recommendation is to begin CII and
important-data identification and assessment early — before any
notification arrives — with the assistance of data compliance specialists
who can help map the obligations and build the compliance infrastructure
in advance.

## Why overseas counsel should care

- **Due diligence and deal risk.** In M&A, data-asset transactions, and
  joint-venture structuring involving Chinese counterparties, the target's
  CII operator or important-data handler status determines the applicable
  data-security obligations, localisation requirements, and regulatory
  exposure. A legal opinion that treats the absence of a notification as
  resolution of the question may significantly understate the compliance
  risk being acquired or assumed.

- **Listing and transaction review.** The Shenzhen Data Exchange
  compliance team specifically identified this gap in its listing-review
  process. Companies seeking to list data assets on Chinese data exchanges
  — or whose data assets are being traded — should expect rigorous
  scrutiny of CII and important-data classification during transaction
  review. Overseas counsel advising on such transactions should build this
  assessment into their work product.

- **The [Network Data Security Management Regulations](/laws/network-data-security-regulations/)
  add another layer.** The formally enacted Network Data Security
  Management Regulations (网络数据安全管理条例) impose requirements that
  track both CII operator and important-data handler status, and their
  interaction with the CII protection regulations and the
  [Data Security Law](/laws/dsl/) reinforces the need for a clear,
  documented status assessment as a baseline compliance artefact.

- **Regulatory perimeter is wider than CAC.** As the author notes,
  enforcement jurisdiction over important-data obligations is not
  confined to the Cyberspace Administration. Public security and national
  security authorities have their own supervisory mandates under the Data
  Security Law. Overseas counsel should ensure their China data-risk
  assessments reflect the multi-regulator enforcement landscape.

## DCC sources

- Original: 古青卓 (Gu Qingzhuo), 《DEXC+专栏 | 新规背景下，如何评估企业是否属于关键基础设施运营者、重要数据处理者》,
  深圳数据交易所 DEXC+ 专栏 WeChat Official Account
  ([source](https://mp.weixin.qq.com/s/BHV-ixP0mN7HoLcyCHcw4g)).
- [Network Data Security Management Regulations](/laws/network-data-security-regulations/)
  (网络数据安全管理条例).
- [CII security protection regulations](/laws/cii-protection-regulations/)
  (关键信息基础设施安全保护条例, 2021).
- [Data Security Law](/laws/dsl/) (数据安全法, 2021), including Art. 6
  (multi-regulator mandate) and Art. 21 (data classification and grading,
  important-data catalogues).
- GB/T 43697-2024, Data Security Technology — Data Classification and
  Grading Rules (数据安全技术 数据分类分级规则), effective 1 October 2024.
- Regulations on Promoting and Regulating Cross-Border Data Flows
  (促进和规范数据跨境流动规定, CAC Order No. 16, March 2024).

> This is an editorial summary, not a translation of Gu Qingzhuo's piece.
> Conceptual framings and analytical positions are attributed to the
> author; any simplification, error of emphasis, or operational
> extrapolation is DCC's. **Not legal advice.**
