---
title: "NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures: 72 Articles, a Four-Tier Incident Scale, and a Hard CII Chapter"
author: "DCC Editorial"
published: 2026-07-13T01:00:00.000Z
url: https://datacompliancechina.com/posts/nfra-banking-insurance-cybersecurity-measures-draft/
description: "The National Financial Regulatory Administration is consulting on the Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors — a 72-article draft that would give banks, insurers, and financial holding companies a single cybersecurity rulebook under the CSL, DSL, PIPL, and CII Regulations. It fixes board-level responsibility, a six-month log-retention floor, annual penetration testing, a four-tier incident scale with a two-hour reporting clock, and a dedicated critical-information-infrastructure chapter with a one-hour reporting deadline, domestic-operation and disaster-recovery requirements, and annual procurement-list reporting. Comments close August 10, 2026."
tags: ["cybersecurity", "financial-sector", "critical-information-infrastructure", "incident-reporting", "mlps", "draft-for-comment"]
laws_cited: ["banking-insurance-cybersecurity-measures-draft", "csl", "dsl", "pipl", "cii-protection-regulations", "financial-sector-cybersecurity-management-measures-draft", "nfra-banking-insurance-data-security-measures"]
domains: ["data-security", "critical-information-infrastructure", "finance"]
account: "data-he-gui"
original_title: "《银行业保险业网络安全管理办法》征求意见"
original_publication: "数据何规 (WeChat)"
original_url: "https://mp.weixin.qq.com/s/wS0qA7MgGkYsaZfLMAgylg"
source_language: "zh"
---

> **Source: Data Compliance China** — https://datacompliancechina.com/posts/nfra-banking-insurance-cybersecurity-measures-draft/ · China data law, translated and annotated for overseas counsel. Cite as: Data Compliance China, "NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures: 72 Articles, a Four-Tier Incident Scale, and a Hard CII Chapter", https://datacompliancechina.com/posts/nfra-banking-insurance-cybersecurity-measures-draft/
> *Editor's Note — DCC.*
>
> On July 10, 2026 the National Financial Regulatory Administration (国家金融监督管理总局, NFRA)
> opened public consultation on the **Measures for the Administration of
> Cybersecurity in the Banking and Insurance Sectors (Draft for Public
> Consultation)** (《银行业保险业网络安全管理办法（征求意见稿）》). This brief is a
> DCC structured summary of the announcement and the full draft text, which
> circulated via the tracked account 数据何规; the official consultation notice is
> on the [NFRA website](https://www.nfra.gov.cn/cn/view/pages/ItemDetail.html?docId=1264207&itemId=951).
> **Comments close August 10, 2026** (email kjszxc@nfra.gov.cn, post, or fax).
>
> The draft is the sectoral companion to the
> [financial-sector cybersecurity measures](/laws/financial-sector-cybersecurity-management-measures-draft/)
> that went out for comment on July 3 — the NFRA text states expressly that the
> two are designed to interlock. Read alongside the NFRA's existing
> [banking and insurance data security measures](/laws/nfra-banking-insurance-data-security-measures/),
> the sector now has parallel rulebooks for data security and for cybersecurity proper.

## What the draft is

An eight-chapter, 72-article departmental rule that would consolidate the
NFRA's cybersecurity supervision of **banking financial institutions, insurance
financial institutions, and financial holding companies** under the
Cybersecurity Law (CSL), Data Security Law (DSL), Personal Information
Protection Law (PIPL), and the Security Protection Regulations for Critical
Information Infrastructure. The NFRA describes the drafting logic in four
strokes: implement the higher-level laws with a concrete sectoral path; convert
recent supervisory practice into standing rules; fit the requirements to how
banking and insurance groups actually run (group-wide unified management,
technology–business coordination, "three lines of defense"); and manage by
classification and grading, with a distinctly higher bar for critical
information infrastructure (CII).

**Scope is wide.** Article 2 enumerates policy banks, commercial banks, rural
cooperative institutions, asset-management companies, group finance companies,
leasing, auto-finance and consumer-finance companies, trust companies, wealth
management companies, insurers of every stripe, reinsurers, and mutual insurance
organizations. Foreign bank branches, foreign insurers' branches, insurance
agencies and brokers, and other NFRA-supervised institutions apply the rule *by
reference*. Overseas branches and subsidiaries must be folded into the
institution's group-wide cybersecurity management system.

## Governance: responsibility lands at the top

- The Party committee and the board bear **primary responsibility** for
  cybersecurity; the institution's principal officer is the **first person
  responsible**, and the senior executive in charge of cybersecurity is the
  directly responsible person (Article 7).
- Institutions must designate a cybersecurity department with enumerated
  duties, keep an **independent cybersecurity risk-management function**, and
  put cybersecurity within the scope of internal audit — with external audit
  reports filed to the NFRA where third parties are engaged (Articles 8–10).
- Annual all-staff training and inclusion of cybersecurity performance in the
  institution's annual appraisal system round out the governance chapter.

## Build-and-run obligations worth flagging

The middle chapters read as a consolidated baseline of obligations most large
institutions will recognize, now stated as enforceable sectoral rules:

- **Network segmentation** into security domains, isolating production from the
  internet and headquarters from domestic and overseas branches, with
  cross-domain access controlled on a **minimum-necessary** basis
  (Articles 17–20).
- **Log retention of no less than six months**, with logs adequate to support
  monitoring, early warning, and incident analysis (Article 22).
- **Vulnerability management** on a closed-loop basis, quarterly analysis of
  disposition, and immediate reporting to the NFRA of vulnerabilities that
  could affect the industry (Article 23).
- **Change control**: internet-facing systems, MLPS Level 3-and-above networks,
  and important information systems must pass security testing before launch or
  major change; no major go-lives in peak business periods or sensitive windows
  (Article 26).
- **Supply chain security**: a product inventory, service-level agreements with
  important outsourcing providers, supply-interruption contingency plans and
  drills, and industry-impact reporting to the NFRA (Article 30).
- **MLPS and commercial cryptography**: Level 3-and-above networks tested
  annually; commercial-cryptography application security assessments required
  (Articles 33–34).
- **Data security and personal information**: the draft cross-references the
  institutions' existing duties — classification and grading, a designated
  lead department, PIPL protections — and *encourages* connection to the
  national network identity authentication public service for real-name
  verification (Articles 35–36).
- **Annual testing**: at least one cybersecurity risk assessment and one
  internet penetration test per year covering the institution and its domestic
  and overseas branches; a cybersecurity audit at least every three years
  (Article 41).

## The incident regime: a four-tier scale with a two-hour clock

The draft attaches a **grading annex** that sorts cybersecurity incidents into
four tiers — extraordinarily major (Level 1), major (Level 2), relatively major
(Level 3), and ordinary (Level 4) — keyed to data-security impact, outage
duration and geographic spread, and harm to national security, social order, or
the public interest. Illustratively: a business outage across two or more
provinces for three hours or more, or one province for six hours or more, is a
Level 1 incident; sensitive-grade-or-above data compromise constituting an
extraordinarily major data security incident also lands at Level 1.

The reporting mechanics (Article 45):

- **Level 3 and above**: report to the NFRA or its local office **within 2
  hours**, with a formal written report within 24 hours.
- **Level 1**: immediate disposal measures, user notification per regulations,
  and **progress reports every 2 hours** until the incident is closed.
- After closure, a disposition summary is due **within five working days** for
  Level 3 and above (Article 48); Level 2 and above trigger a special audit
  (Article 49); and concealment, omission, false reporting, or intentional
  delay of Level 3-plus incidents must itself be pursued for accountability
  (Article 50).

## The CII chapter sets the high bar

Chapter 6 is a self-contained regime for financial-sector CII operators, and
several requirements go beyond the generic CII Regulations:

- CII must be **operated and maintained within China**, with same-city and
  remote disaster-recovery centers capable of *fully taking over production*
  and running long-term, exercised annually against high-risk scenarios
  (Article 57).
- CII protection is graded **no lower than MLPS Level 3**; the operator's
  principal officer bears overall responsibility (Article 52).
- Procurement of network products and services requires a **security
  confidentiality agreement**; purchases that may affect national security go
  through the national **cybersecurity review**; secure and trusted products
  and services get procurement priority; and operators must file an **annual
  procurement list** of network products, services, and cloud services with
  the NFRA (Article 56).
- Operators must run a **24/7 cybersecurity monitoring and command center**
  (Article 59), maintain a supplier directory (Article 62), and conduct annual
  CII testing and risk assessment covering MLPS evaluation, cryptography
  assessment, data security, and personal information protection (Article 63).
- **Level 3-and-above incidents on CII must be reported to the NFRA and public
  security authorities within 1 hour at the latest** — a tighter clock than the
  general two-hour rule (Article 61).
- Article 55 requires CII operators to possess **independent research and
  development capability** for CII systems, with key technologies "mastered
  in-house" (自主掌握) — language overseas counsel will recognize from the
  broader secure-and-controllable policy line.

## Supervision and what happens next

The NFRA supervises through ratings, risk alerts, supervisory notifications and
interviews, on-site inspection, and — notably — may itself run **attack-defense
exercises and internet penetration tests** against institutions, or commission
professional bodies to inspect (Article 66). Institutions must fold a
cybersecurity annual report into their annual IT report to the NFRA by
**January 15** each year. Violations draw correction orders, supervisory
measures, and administrative penalties under the underlying laws.

For overseas counsel, three practical takeaways. First, if a client's China
operation is an NFRA-supervised institution — including a foreign bank branch
or insurance brokerage applying the rule by reference — the incident-reporting
clocks (2 hours generally, 1 hour for CII) and the annex's grading standard are
the operational items to wire into group incident-response playbooks now, ahead
of finalization. Second, the CII chapter's domestic-operation, procurement-review,
and in-house-capability language continues the localization trajectory familiar
from the CII Regulations, applied with sectoral teeth. Third, the draft is
expressly designed to interlock with the July 3 financial-sector measures — the
two consultations should be read, and commented on, together.

— Not legal advice.
