Editor’s Note — DCC.
This brief covers a single new national instrument: the Measures for Network Data Security Risk Assessment (《网络数据安全风险评估办法》), jointly issued on June 18, 2026 by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS) as Order No. 24, effective August 20, 2026. The full 25-article text is in DCC’s law-catalogue entry; this brief is the structural read. The framing below — the “operationalization, not duplication” thesis, the three-tier-plus-trigger model, and the four-increment comparison against the Data Security Law — is DCC’s.
The one-line thesis
The Data Security Law (DSL) and the Regulation on Network Data Security Management already told important-data handlers to run risk assessments. They did not say how, how often, to whom the result goes, or what happens when something is found. These Measures answer exactly those questions and nothing else.
The DSL is principle plus framework. These Measures are the operating system for the risk-assessment duty — executable, verifiable, and trigger-able.
The Measures add no new substantive obligation. Their entire contribution is institutional engineering: taking a one-line statutory duty and building the cadence, the reporting plumbing, the assessor-trust model, and the escalation switch that make it run.
The regulatory model: three standing tiers + one trigger layer
NATIONAL COORDINATION LAYER
CAC (lead) + telecom + public security + state security
· special working mechanism (Art. 3)
· report consolidation + cross-department sharing (Art. 16)
│
▼
INDUSTRY SUPERVISION LAYER
Sectoral competent authorities
("manage the business → manage its data security")
· annual inspection plan, filed by end-January (Art. 4)
· organise sector assessments · verify/spot-check reports (Art. 16)
│
▼
ENTERPRISE EXECUTION LAYER
Important-data handlers (mandatory) · general-data handlers (encouraged)
· annual risk assessment (Art. 5) · ad-hoc re-assessment on material change
· 3-year report retention + 20-working-day submission (Arts. 15–16)
│
▼ (triggered)
EVENT-DRIVEN ESCALATION LAYER
Security incident / high-risk finding (Art. 17)
· compelled assessment by a CERTIFIED institution
· rectification → order to cease processing important data (Art. 19)
The first three tiers are standing machinery; the fourth switches on only when an incident or a high-risk finding occurs. Read top to bottom, the document is a supervision pipeline, not a list of prohibitions.
Enterprise execution layer. The core duty is the important-data handler’s annual risk assessment (Article 5), with general-data handlers encouraged to assess at least once every three years. A material change in the security status of important data that may adversely affect security triggers a prompt, scoped re-assessment of the changed part. This is the layer that makes data-security risk periodically visible.
Industry supervision layer. Sectoral competent authorities organise assessments and inspections in their own field under the principle that “whoever runs the business runs its data security,” and file an annual inspection plan with the national cyberspace administration by the end of January (Article 4) — designed, on its face, to prevent duplicative and multi-headed enforcement.
National coordination layer. The national cyberspace administration, together with telecom, public-security and state-security departments, runs a special working mechanism (Article 3) and consolidates and cross-shares the reports (Article 16), giving the centre an aggregate picture of data-security risk.
Event-driven escalation layer. Outside the standing cadence, where a relatively high security risk that may endanger national security or the public interest appears, or a security incident leaks or steals important data or large-scale personal information (Article 17), regulators may compel the operator to retain a certified assessment institution. The result feeds disposition: rectification and, ultimately, an order to cease processing important data (Article 19).
Not duplication — an operationalization upgrade
Against the DSL, the increment is concrete and sits in four columns:
| Dimension | Data Security Law | Risk Assessment Measures |
|---|---|---|
| Legal nature | Upper-tier statute (principles) | Departmental rule (execution) |
| Risk-assessment rule | General duty, undefined | Defined process + cadence + report |
| Responsible parties | ”Data handlers,” undifferentiated | Tiered: important vs. general handlers |
| Supervision | Dispersed | CAC-coordinated, multi-department |
| Assessment method | Unspecified | Self / third-party / certified institution |
| Submission | Unspecified | 20-working-day submit, 10-working-day relay |
| Trigger | None | Incident / high-risk → compelled re-assessment |
| Sector inspection | Not systematised | Annual plans + coordination mechanism |
| Penalty linkage | Principle-level | Routes back to DSL / Network Data Regulation |
The four institutional increments
1. From “principle duty” to “annual mandatory action.” The DSL asks for risk assessment without specifying it; the Measures make it a fixed calendar event — important-data handlers must assess every year, retain the report at least three years (Article 15), and submit it within 20 working days of completion (Article 16). The essence: the obligation becomes executable.
2. From single-point to networked supervision. The Measures stitch together a sectoral layer (competent authorities), a coordination layer (CAC), and cross-department sharing with telecom, public security and state security. The same report relays from competent authority to the same-level cyberspace administration within 10 working days and onward to the national mechanism. The essence: supervision becomes a network.
3. From “self-assessment” to a three-track assessment structure. A handler may assess itself; it may retain a market third-party assessment institution; and, on trigger, it must use a certified institution (Articles 7, 8, 17). The Measures harden the assessor side too — no sub-entrustment (Article 11), and the same institution and its affiliates may not run a handler’s annual assessment more than three consecutive times (Article 12), with confidentiality and deletion duties (Article 14). The essence: a de-monocultured trust model.
Self-assessment (the standing default)
+ Third-party assessment institution (market track)
+ Certified institution (compelled on trigger)
4. From after-the-fact to event-triggered oversight. A risk that has risen, a breach of important data or large-scale personal information, or a national-security concern can each pull the escalation switch — compelled re-assessment, and the power to stop the business activity (Articles 17, 19). The essence: oversight becomes dynamic.
What changes for compliance and data-trading programs
For teams building data-trading or data-product compliance — exactly the terrain DCC tracks — the practical shift is from a documentary posture to a continuous one:
- Compliance moves from “paperwork compliance” to “continuous-assessment compliance.” A clean filing at launch is no longer the finish line; the annual assessment and the material-change re-assessment make currency the standard.
- Risk control moves from “pre-launch review” to “lifecycle monitoring.” The material-change trigger (Article 5) means any significant adjustment to purpose, method, scope, or security posture of important data is its own assessment event.
- Supervision moves from “spot-check” to “event-triggered intervention.” An incident or a high-risk finding can pull in a certified assessor and, if rectification fails, halt important-data processing.
Two operational notes for overseas counsel. First, classification is the gate: every hard obligation here keys off being an important-data handler, so the threshold question is still whether your processing touches important data under the Network Data Regulation and sectoral catalogues — the GB/T 45577 data-security risk-assessment standard is the referenced methodology. Second, this national rule sits alongside sector rules already in force, such as the MIIT Implementing Rules for Data Security Risk Assessment in the Field of Industry and Information Technology; where a sector authority has its own provisions, those prevail (Article 6), so a multi-sector group should expect to map its assessment program against both the national Measures and each applicable sectoral regime.
The Measures do not rewrite what data security requires. They rebuild how the risk-assessment duty runs — moving data-security governance from a statutory description of an obligation into a system you can operate, verify, and be escalated under.
— 国家互联网信息办公室、工业和信息化部、公安部, 网络数据安全风险评估办法 (Measures for Network Data Security Risk Assessment), Order No. 24, published via the 网信中国 WeChat Official Account, June 18, 2026; effective August 20, 2026. Original text (Chinese). Full English translation in DCC’s law-catalogue entry.
Not legal advice. The above is DCC’s structural analysis of a new national rule. Article numbers refer to the Measures as promulgated under Order No. 24.