Draft Measures Calling Comments for Data Security and Risk Evaluation – DEC, 2025

2025.12.15 12:01

Author: admin

Tags: by ED01 #Data Security #Compliance

On December 6, 2025, the Cyberspace Administration of China (CAC) issued the Measures for the Risk Assessment of Network Data Security (Draft for Comments) (hereinafter “the Draft”) and opened it for public comment until January 6, 2026. The Draft is intended to regulate network data security risk assessment activities, safeguard network data security, and promote the lawful, reasonable and effective use of network data.



The Draft is grounded in laws and regulations such as the Data Security Law of China (in force since September 1, 2021) and the Regulation on Network Data Security Management (in force since January 1, 2025). It defines network data security risk assessment, sets out the responsibilities of all parties, describes the work process, and specifies how assessment results are to be applied. This is an important step in the construction of China's network data security system.

The Draft responds to the growing reliance on data, which has increased systemic risk and placed complex pressure on the national data security bottom line. It aims to implement the country’s strategy of strengthening national security capabilities in emerging fields such as the internet and data, and to turn the principle-based provisions on establishing a data security risk assessment mechanism, found in the Data Security Law and related legislation, into specific, operational and supervisable rules, promoting a four-in-one implementation path of "laws - administrative regulations - departmental rules - national standards".

The CAC and its counterparts at all levels will act as the management authorities. Following the principle of "whoever manages the business manages the business data and its security", they will regularly organize risk assessments in their respective industries and fields. They may, as needed, inspect the risk assessment status of important data processors in their industries and fields, and must submit their annual risk assessment and inspection plans to the national cyberspace administration by the end of January each year. Enterprises handling important data are required to conduct risk assessments annually and report the results in a timely manner. Enterprises handling general data are encouraged to carry out such assessments at least once every three years. Enterprises may conduct the work themselves or entrust certified third-party assessment institutions; however, in specific risk scenarios, regulatory authorities may require them to engage a certified institution. The Draft also clearly states that “all relevant regulators shall not charge fees from the network data processors being inspected when conducting inspections”.

Implementation relies on supporting national standards. GB/T 45577-2025 Data security technology—Risk assessment method for data security serves as the primary technical basis for conducting risk assessments, standardizing the assessment process, content and methods, while GB/T 45389-2025 Data security technology—Capacity requirements for assessment organization of data security serves as the basis for certifying assessment institutions, ensuring their professionalism and standardization.

Within China's network and data security system, this regulation, together with the cybersecurity multi-level protection assessment, data security management certification, personal information protection compliance audit, and commercial cryptography application security evaluation systems, forms a complete compliance framework. It focuses on risk identification and prediction across the full data lifecycle and serves as the core basis for security decision-making. It also stipulates that where the content of these systems overlaps, results may be mutually recognized, avoiding duplicate evaluations and strengthening the synergy and complementarity among them.

The significance of the measures lies in enhancing national data security governance capacity through bottom-line, systematic and innovative thinking. By establishing a working mechanism of national coordination, industry supervision, local coordination and primary responsibility of data processors, they fix the responsibilities of all parties and shift risk governance from post-event handling to pre-event warning and in-event control. The measures restrain and supervise assessment power through a closed loop of "precise authorization, standardized exercise of power and effective control of power", combined with "internal self-control and external supervision", thereby improving governance efficiency.

For affected enterprises, the measures clarify their primary responsibilities and specific obligations. Enterprises must prepare and retain assessment reports in accordance with the template, cooperate with spot checks and verifications, and rectify any identified issues. These requirements prompt enterprises to establish and improve internal data security risk management systems, integrate them into regular operations, and thereby make rational use of data while remaining compliant.
