---
title: "From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law"
author: "DCC Editorial"
published: 2026-06-18T06:00:00.000Z
url: https://datacompliancechina.com/posts/network-data-risk-assessment-measures-operationalizing-the-dsl/
description: "On June 18, 2026 the CAC, MIIT and the Ministry of Public Security jointly issued the Measures for Network Data Security Risk Assessment as Order No. 24, effective August 20, 2026. The 25-article rule adds no new substantive duty; it turns the Data Security Law's open-ended 'conduct risk assessment' obligation into an executable, verifiable, trigger-able governance system. DCC reads it as a three-tier standing model plus an event-driven escalation layer: important-data handlers must assess every year (general-data handlers are encouraged to every three), retain the report for three years and submit it within 20 working days; sectoral competent authorities run annual inspection plans filed by end-January; the national cyberspace administration consolidates and cross-shares reports with telecom, public-security and state-security departments; and where a high-risk finding or a breach of important data or large-scale personal information appears, regulators can compel assessment by a certified institution and order the operator to cease processing important data. The four institutional increments over the DSL: an annual mandatory action, networked multi-department supervision, a three-track assessment structure, and dynamic event-triggered oversight."
tags: ["risk-assessment", "network-data", "data-security", "important-data", "cac", "miit", "mps", "order-no-24", "dsl", "compliance"]
laws_cited: ["network-data-security-risk-assessment-measures", "dsl", "csl", "network-data-security-regulations", "industrial-data-security-risk-assessment-rules", "gbt-45577-data-security-risk-assessment"]
domains: ["data-security", "enforcement"]
account: "wangxin-china"
original_title: "网络数据安全风险评估办法"
original_author: "国家互联网信息办公室、工业和信息化部、公安部 (CAC, MIIT, MPS) — Order No. 24"
original_publication: "网信中国 WeChat Official Account"
original_url: "https://mp.weixin.qq.com/s/ypoiNq_5IxGtLw8o9pg9xQ"
source_language: "zh"
---

> **Source: Data Compliance China** — https://datacompliancechina.com/posts/network-data-risk-assessment-measures-operationalizing-the-dsl/ · China data law, translated and annotated for overseas counsel. Cite as: Data Compliance China, "From Principle to Running System: How the Network Data Security Risk Assessment Measures Operationalize the Data Security Law", https://datacompliancechina.com/posts/network-data-risk-assessment-measures-operationalizing-the-dsl/
> *Editor's Note — DCC.*
>
> This brief covers a single new national instrument: the **Measures for
> Network Data Security Risk Assessment** (《网络数据安全风险评估办法》),
> jointly issued on **June 18, 2026** by the **Cyberspace Administration of
> China (CAC)**, the **Ministry of Industry and Information Technology
> (MIIT)** and the **Ministry of Public Security (MPS)** as **Order No.
> 24**, effective **August 20, 2026**. The full 25-article text is in DCC's
> [law-catalogue entry](/laws/network-data-security-risk-assessment-measures/);
> this brief is the structural read. The framing below — the "operationalization,
> not duplication" thesis, the three-tier-plus-trigger model, and the
> four-increment comparison against the Data Security Law — is DCC's.

## The one-line thesis

The [Data Security Law](/laws/dsl/) (DSL) and the [Regulation on Network
Data Security Management](/laws/network-data-security-regulations/) already
*told* important-data handlers to run risk assessments. They did not say
how, how often, to whom the result goes, or what happens when something is
found. These Measures answer exactly those questions and nothing else.

> The DSL is principle plus framework. These Measures are the **operating
> system** for the risk-assessment duty — executable, verifiable, and
> trigger-able.

The Measures add **no new substantive obligation**. Their entire contribution
is **institutional engineering**: taking a one-line statutory duty and
building the cadence, the reporting plumbing, the assessor-trust model, and
the escalation switch that make it run.

## The regulatory model: three standing tiers + one trigger layer

```
NATIONAL COORDINATION LAYER
  CAC (lead) + telecom + public security + state security
  · special working mechanism (Art. 3)
  · report consolidation + cross-department sharing (Art. 16)
            │
            ▼
INDUSTRY SUPERVISION LAYER
  Sectoral competent authorities
  ("manage the business → manage its data security")
  · annual inspection plan, filed by end-January (Art. 4)
  · organise sector assessments  · verify/spot-check reports (Art. 16)
            │
            ▼
ENTERPRISE EXECUTION LAYER
  Important-data handlers (mandatory) · general-data handlers (encouraged)
  · annual risk assessment (Art. 5)  · ad-hoc re-assessment on material change
  · 3-year report retention + 20-working-day submission (Arts. 15–16)
            │
            ▼  (triggered)
EVENT-DRIVEN ESCALATION LAYER
  Security incident / high-risk finding (Art. 17)
  · compelled assessment by a CERTIFIED institution
  · rectification → order to cease processing important data (Art. 19)
```

The first three tiers are **standing machinery**; the fourth switches on
only when an incident or a high-risk finding occurs. Read top to bottom,
the document is a supervision pipeline, not a list of prohibitions.

**Enterprise execution layer.** The core duty is the **important-data
handler's annual risk assessment** (Article 5), with general-data handlers
encouraged to assess at least once every three years. A **material change**
in the security status of important data that may adversely affect security
triggers a prompt, scoped re-assessment of the changed part. This is the
layer that makes data-security risk **periodically visible**.

**Industry supervision layer.** Sectoral **competent authorities** organise
assessments and inspections in their own field under the principle that
"whoever runs the business runs its data security," and file an **annual
inspection plan with the national cyberspace administration by the end of
January** (Article 4) — designed, on its face, to prevent duplicative and
multi-headed enforcement.

**National coordination layer.** The national cyberspace administration,
together with telecom, public-security and state-security departments,
runs a **special working mechanism** (Article 3) and **consolidates and
cross-shares** the reports (Article 16), giving the centre an aggregate
picture of data-security risk.

**Event-driven escalation layer.** Outside the standing cadence, where a
**relatively high security risk** that may endanger national security or
the public interest appears, or a **security incident leaks or steals
important data or large-scale personal information** (Article 17),
regulators may compel the operator to retain a **certified** assessment
institution. The result feeds disposition: rectification and, ultimately,
an order to **cease processing important data** (Article 19).

## Not duplication — an operationalization upgrade

Against the DSL, the increment is concrete and sits in four columns:

| Dimension | Data Security Law | Risk Assessment Measures |
|---|---|---|
| Legal nature | Upper-tier statute (principles) | Departmental rule (execution) |
| Risk-assessment rule | General duty, undefined | Defined process + cadence + report |
| Responsible parties | "Data handlers," undifferentiated | Tiered: important vs. general handlers |
| Supervision | Dispersed | CAC-coordinated, multi-department |
| Assessment method | Unspecified | Self / third-party / certified institution |
| Submission | Unspecified | 20-working-day submit, 10-working-day relay |
| Trigger | None | Incident / high-risk → compelled re-assessment |
| Sector inspection | Not systematised | Annual plans + coordination mechanism |
| Penalty linkage | Principle-level | Routes back to DSL / Network Data Regulation |

## The four institutional increments

**1. From "principle duty" to "annual mandatory action."** The DSL asks for
risk assessment without specifying it; the Measures make it a fixed
calendar event — important-data handlers **must assess every year**, retain
the report **at least three years** (Article 15), and submit it within **20
working days** of completion (Article 16). The essence: the obligation
becomes **executable**.

**2. From single-point to networked supervision.** The Measures stitch
together a sectoral layer (competent authorities), a coordination layer
(CAC), and cross-department sharing with telecom, public security and state
security. The same report relays from competent authority to the same-level
cyberspace administration within **10 working days** and onward to the
national mechanism. The essence: supervision becomes a **network**.

**3. From "self-assessment" to a three-track assessment structure.** A
handler may assess itself; it may retain a market **third-party assessment
institution**; and, on trigger, it must use a **certified** institution
(Articles 7, 8, 17). The Measures harden the assessor side too — **no
sub-entrustment** (Article 11), and the same institution and its affiliates
may not run a handler's annual assessment **more than three consecutive
times** (Article 12), with confidentiality and deletion duties (Article 14).
The essence: a **de-monocultured trust model**.

```
Self-assessment (the standing default)
   + Third-party assessment institution (market track)
   + Certified institution (compelled on trigger)
```

**4. From after-the-fact to event-triggered oversight.** A risk that has
risen, a breach of important data or large-scale personal information, or a
national-security concern can each pull the escalation switch — compelled
re-assessment, and the power to **stop the business activity** (Articles
17, 19). The essence: oversight becomes **dynamic**.

## What changes for compliance and data-trading programs

For teams building data-trading or data-product compliance — exactly the
terrain DCC tracks — the practical shift is from a documentary posture to a
continuous one:

- **Compliance moves from "paperwork compliance" to "continuous-assessment
  compliance."** A clean filing at launch is no longer the finish line; the
  annual assessment and the material-change re-assessment make currency the
  standard.
- **Risk control moves from "pre-launch review" to "lifecycle monitoring."**
  The material-change trigger (Article 5) means any significant adjustment
  to purpose, method, scope, or security posture of important data is its
  own assessment event.
- **Supervision moves from "spot-check" to "event-triggered intervention."**
  An incident or a high-risk finding can pull in a certified assessor and,
  if rectification fails, halt important-data processing.

Two operational notes for overseas counsel. First, **classification is the
gate**: every hard obligation here keys off being an *important-data
handler*, so the threshold question is still whether your processing touches
important data under the [Network Data Regulation](/laws/network-data-security-regulations/)
and sectoral catalogues — the [GB/T 45577 data-security risk-assessment
standard](/laws/gbt-45577-data-security-risk-assessment/) is the referenced
methodology. Second, this national rule sits **alongside** sector rules
already in force, such as the MIIT [Implementing Rules for Data Security
Risk Assessment in the Field of Industry and Information Technology](/laws/industrial-data-security-risk-assessment-rules/);
where a sector authority has its own provisions, those prevail (Article 6),
so a multi-sector group should expect to map its assessment program against
both the national Measures and each applicable sectoral regime.

The Measures do not rewrite what data security *requires*. They rebuild how
the risk-assessment duty *runs* — moving data-security governance from a
statutory description of an obligation into a system you can operate,
verify, and be escalated under.

---

— *国家互联网信息办公室、工业和信息化部、公安部, 网络数据安全风险评估办法
(Measures for Network Data Security Risk Assessment), Order No. 24, published
via the 网信中国 WeChat Official Account, June 18, 2026; effective August 20,
2026. [Original text (Chinese).](https://mp.weixin.qq.com/s/ypoiNq_5IxGtLw8o9pg9xQ)
Full English translation in DCC's [law-catalogue entry](/laws/network-data-security-risk-assessment-measures/).*

*Not legal advice. The above is DCC's structural analysis of a new national
rule. Article numbers refer to the Measures as promulgated under Order No. 24.*
