Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 066 · RISK-ASSESSMENT

From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law

On June 18, 2026 the CAC, MIIT and the Ministry of Public Security jointly issued the Measures for Network Data Security Risk Assessment as Order No. 24, effective August 20, 2026. The 25-article rule adds no new substantive duty; it turns the Data Security Law's open-ended 'conduct risk assessment' obligation into an executable, verifiable, trigger-able governance system. DCC reads it as a three-tier standing model plus an event-driven escalation layer: important-data handlers must assess every year (general-data handlers are encouraged to every three), retain the report for three years and submit it within 20 working days; sectoral competent authorities run annual inspection plans filed by end-January; the national cyberspace administration consolidates and cross-shares reports with telecom, public-security and state-security departments; and where a high-risk finding or a breach of important data or large-scale personal information appears, regulators can compel assessment by a certified institution and order the operator to cease processing important data. The four institutional increments over the DSL: an annual mandatory action, networked multi-department supervision, a three-track assessment structure, and dynamic event-triggered oversight.

Editor’s Note — DCC.

This brief covers a single new national instrument: the Measures for Network Data Security Risk Assessment (《网络数据安全风险评估办法》), jointly issued on June 18, 2026 by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS) as Order No. 24, effective August 20, 2026. The full 25-article text is in DCC’s law-catalogue entry; this brief is the structural read. The framing below — the “operationalization, not duplication” thesis, the three-tier-plus-trigger model, and the four-increment comparison against the Data Security Law — is DCC’s.

The one-line thesis

The Data Security Law (DSL) and the Regulation on Network Data Security Management already told important-data handlers to run risk assessments. They did not say how, how often, to whom the result goes, or what happens when something is found. These Measures answer exactly those questions and nothing else.

The DSL is principle plus framework. These Measures are the operating system for the risk-assessment duty — executable, verifiable, and trigger-able.

The Measures add no new substantive obligation. Their entire contribution is institutional engineering: taking a one-line statutory duty and building the cadence, the reporting plumbing, the assessor-trust model, and the escalation switch that make it run.

The regulatory model: three standing tiers + one trigger layer

NATIONAL COORDINATION LAYER
  CAC (lead) + telecom + public security + state security
  · special working mechanism (Art. 3)
  · report consolidation + cross-department sharing (Art. 16)


INDUSTRY SUPERVISION LAYER
  Sectoral competent authorities
  ("manage the business → manage its data security")
  · annual inspection plan, filed by end-January (Art. 4)
  · organise sector assessments  · verify/spot-check reports (Art. 16)


ENTERPRISE EXECUTION LAYER
  Important-data handlers (mandatory) · general-data handlers (encouraged)
  · annual risk assessment (Art. 5)  · ad-hoc re-assessment on material change
  · 3-year report retention + 20-working-day submission (Arts. 15–16)

            ▼  (triggered)
EVENT-DRIVEN ESCALATION LAYER
  Security incident / high-risk finding (Art. 17)
  · compelled assessment by a CERTIFIED institution
  · rectification → order to cease processing important data (Art. 19)

The first three tiers are standing machinery; the fourth switches on only when an incident or a high-risk finding occurs. Read top to bottom, the document is a supervision pipeline, not a list of prohibitions.

Enterprise execution layer. The core duty is the important-data handler’s annual risk assessment (Article 5), with general-data handlers encouraged to assess at least once every three years. A material change in the security status of important data that may adversely affect security triggers a prompt, scoped re-assessment of the changed part. This is the layer that makes data-security risk periodically visible.

Industry supervision layer. Sectoral competent authorities organise assessments and inspections in their own field under the principle that “whoever runs the business runs its data security,” and file an annual inspection plan with the national cyberspace administration by the end of January (Article 4) — designed, on its face, to prevent duplicative and multi-headed enforcement.

National coordination layer. The national cyberspace administration, together with telecom, public-security and state-security departments, runs a special working mechanism (Article 3) and consolidates and cross-shares the reports (Article 16), giving the centre an aggregate picture of data-security risk.

Event-driven escalation layer. Outside the standing cadence, where a relatively high security risk that may endanger national security or the public interest appears, or a security incident leaks or steals important data or large-scale personal information (Article 17), regulators may compel the operator to retain a certified assessment institution. The result feeds disposition: rectification and, ultimately, an order to cease processing important data (Article 19).

Not duplication — an operationalization upgrade

Against the DSL, the increment is concrete and sits in four columns:

DimensionData Security LawRisk Assessment Measures
Legal natureUpper-tier statute (principles)Departmental rule (execution)
Risk-assessment ruleGeneral duty, undefinedDefined process + cadence + report
Responsible parties”Data handlers,” undifferentiatedTiered: important vs. general handlers
SupervisionDispersedCAC-coordinated, multi-department
Assessment methodUnspecifiedSelf / third-party / certified institution
SubmissionUnspecified20-working-day submit, 10-working-day relay
TriggerNoneIncident / high-risk → compelled re-assessment
Sector inspectionNot systematisedAnnual plans + coordination mechanism
Penalty linkagePrinciple-levelRoutes back to DSL / Network Data Regulation

The four institutional increments

1. From “principle duty” to “annual mandatory action.” The DSL asks for risk assessment without specifying it; the Measures make it a fixed calendar event — important-data handlers must assess every year, retain the report at least three years (Article 15), and submit it within 20 working days of completion (Article 16). The essence: the obligation becomes executable.

2. From single-point to networked supervision. The Measures stitch together a sectoral layer (competent authorities), a coordination layer (CAC), and cross-department sharing with telecom, public security and state security. The same report relays from competent authority to the same-level cyberspace administration within 10 working days and onward to the national mechanism. The essence: supervision becomes a network.

3. From “self-assessment” to a three-track assessment structure. A handler may assess itself; it may retain a market third-party assessment institution; and, on trigger, it must use a certified institution (Articles 7, 8, 17). The Measures harden the assessor side too — no sub-entrustment (Article 11), and the same institution and its affiliates may not run a handler’s annual assessment more than three consecutive times (Article 12), with confidentiality and deletion duties (Article 14). The essence: a de-monocultured trust model.

Self-assessment (the standing default)
   + Third-party assessment institution (market track)
   + Certified institution (compelled on trigger)

4. From after-the-fact to event-triggered oversight. A risk that has risen, a breach of important data or large-scale personal information, or a national-security concern can each pull the escalation switch — compelled re-assessment, and the power to stop the business activity (Articles 17, 19). The essence: oversight becomes dynamic.

What changes for compliance and data-trading programs

For teams building data-trading or data-product compliance — exactly the terrain DCC tracks — the practical shift is from a documentary posture to a continuous one:

  • Compliance moves from “paperwork compliance” to “continuous-assessment compliance.” A clean filing at launch is no longer the finish line; the annual assessment and the material-change re-assessment make currency the standard.
  • Risk control moves from “pre-launch review” to “lifecycle monitoring.” The material-change trigger (Article 5) means any significant adjustment to purpose, method, scope, or security posture of important data is its own assessment event.
  • Supervision moves from “spot-check” to “event-triggered intervention.” An incident or a high-risk finding can pull in a certified assessor and, if rectification fails, halt important-data processing.

Two operational notes for overseas counsel. First, classification is the gate: every hard obligation here keys off being an important-data handler, so the threshold question is still whether your processing touches important data under the Network Data Regulation and sectoral catalogues — the GB/T 45577 data-security risk-assessment standard is the referenced methodology. Second, this national rule sits alongside sector rules already in force, such as the MIIT Implementing Rules for Data Security Risk Assessment in the Field of Industry and Information Technology; where a sector authority has its own provisions, those prevail (Article 6), so a multi-sector group should expect to map its assessment program against both the national Measures and each applicable sectoral regime.

The Measures do not rewrite what data security requires. They rebuild how the risk-assessment duty runs — moving data-security governance from a statutory description of an obligation into a system you can operate, verify, and be escalated under.


国家互联网信息办公室、工业和信息化部、公安部, 网络数据安全风险评估办法 (Measures for Network Data Security Risk Assessment), Order No. 24, published via the 网信中国 WeChat Official Account, June 18, 2026; effective August 20, 2026. Original text (Chinese). Full English translation in DCC’s law-catalogue entry.

Not legal advice. The above is DCC’s structural analysis of a new national rule. Article numbers refer to the Measures as promulgated under Order No. 24.

— Not legal advice.


§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.