China Issues New Measures for Network Data Security Risk Assessment

On June 18, 2026, China issued the new "Measures for Network Data Security Risk Assessment" (the "Measures"). Effective August 20, 2026, the Measures establish a formal framework for conducting, supervising, and reporting network data security risk assessments in China. Below is a summary of certain key requirements of the Measures.

The Measures define a "network data security risk assessment" as activities such as risk identification, risk analysis, and risk evaluation conducted to ensure the security of network data and network data processing activities. The Measures distinguish between two categories of regulated entities: important data handlers and general data handlers. Important data handlers (those handling data designated as "important data" under applicable laws of China) must conduct a comprehensive risk assessment at least once a year. They must also carry out additional targeted assessments without delay whenever significant changes that may adversely affect the security of their data occur. General data handlers, by contrast, are encouraged, rather than required, to conduct assessments, with a recommended cycle of at least once every three years. Important data handlers must submit their completed assessment reports to the relevant authority within 20 working days of completion.

Assessments may be conducted either internally by the data handler or by a third-party assessment institution engaged by the data handler. If an internal assessment is chosen, a responsible person must be designated. If a third-party institution is appointed, the parties must define their respective rights and obligations through a contract or other legally binding instrument. Sub-delegation by a third-party institution to another institution is prohibited, and the same institution (or its affiliates) is not permitted to perform the annual assessment for the same data handler more than three times in a row.

Authorities at the provincial level or higher may require a data handler to engage a certified assessment institution if data processing activities pose a significant risk to national security or public interest, or if a security incident results in the leakage or theft of important data or personal information on a large scale. When a data handler commissions such an assessment, it is obliged to, amongst other things, provide the necessary support to the assessment institution to conduct the risk assessment, submit the risk assessment to the competent authorities, and rectify any issues identified in the risk assessment. If an assessment reveals an unacceptable risk, the relevant authorities may order rectification and, if such an order is not complied with or proves inadequate, the authorities may suspend the relevant data processing activities.
