In June 2025, the Cyberspace Administration of China (CAC) issued the Guidelines for Application for Security Assessment of Cross-border Data Transfer (the third edition) for implementation (hereinafter referred to as “the Guideline”). It aims to guide data processors on how to apply for a security assessment for cross-border data transfer. The legal basis is the Measures for Security Assessment of Cross-border Data Transfer (Issued by CAC and has come into force on September 1, 2022) and the Regulations on Promoting and Regulating Cross-border Data Flow (Issued by CAC and has come into force on March 22, 2024).
The Guideline clarifies which situations must be declared for assessment, mainly including when critical information infrastructure operators (CIIOs) provide personal information or important data to overseas, and when other data processors provide important data to overseas, or when they cumulatively provide more than 1 million ordinary personal information or 10,000 sensitive personal information overseas. It defines which behaviors are considered as data cross-border transfer, including data transmission to overseas, overseas access to data stored in the domestic territory, and processing of domestic personal information overseas, etc.
It provides detailed regulations on the declaration methods and procedures, emphasizing that the main approach is through the online Data Cross-border Declaration System (website: https://sjcj.cac.gov.cn). Special entities may submit their applications offline through the regional cyberspace administrations, and the administrations will verify the completeness of the materials within 5 working days. If the verification is passed, the materials will be transferred to CAC, which will decide whether to accept the application within 7 working days. During the assessment process, additional materials may be required. The data processor can check the progress online and will eventually receive a notification of the assessment result.
In addition, the Guideline puts forward that under specific conditions (such as the scope of the purpose of data transfer abroad remaining unchanged, the recipient not changing, and the increase in data volume not exceeding 20%, etc.), data processors may apply for an extension of the validity period 60 days before its expiration. The application is also mainly made through the online system.
Moreover, contact information for consultation and reporting (phone number and email address), and lists of multiple important attachments (such as requirements for application materials, various templates, etc.) are provided in the Guideline as specific references and norms for the application. The document emphasizes that data processors are responsible for the authenticity of the materials submitted, and false materials will result in the assessment not being passed and legal liability being borne.
For foreign stakeholders, it is worth noting that the Guideline is advised frequently by CAC to keep up with the latest progress (original version issued in 2022 and then the first revision took place in 2024). Comparing with the second edition, following changes are made in the Guideline:
- The relevant materials that data processors need to submit for applying for a security assessment have been optimized and simplified.
- The conditions, procedures, and materials for data processors to apply for extending the validity period of the security assessment results have been clearly defined.
BESTAO presents free monthly report on China compliance. It offers a comprehensive solution on observing various standards and regulatory activities in China. Sample of the monthly report please refer to:
https://www.bestao-consulting.com/detail?id=1740&status=bestao_library
Subscribe the free monthly report by register as a BESTAO website member at: https://www.bestao-consulting.com/login, or write an email to assistant@bestao-consulting.com.