China’s Cyberspace Administration has unveiled comprehensive draft regulations establishing a systematic framework for network data security risk assessments. The proposed measures, announced on December 7, 2025, aim to strengthen the lawful and effective utilization of data while addressing evolving cybersecurity challenges.
The draft defines data security risk assessment as a comprehensive process involving identification, analysis, and evaluation of risks associated with data and data-processing activities. Under the new framework, processors handling ‘important data’ would be required to conduct mandatory annual security assessments. The regulations stipulate that immediate targeted assessments must be performed whenever significant changes occur that could adversely impact overall data security.
For processors of ‘general data,’ the administration encourages voluntary risk assessments at minimum three-year intervals. Organizations may conduct these evaluations internally or engage certified third-party institutions. However, assessment agencies detecting major security risks must promptly notify both the data processor and provincial-level cyberspace authorities in accordance with regulatory requirements.
The draft specifies circumstances requiring mandatory third-party assessments, including: when data-processing activities present relatively high security risks; following security incidents resulting in leakage or theft of important data or large-scale personal information; and when operations potentially threaten national security or public interest.
Data processors face specific obligations during assessments, including providing assessors with access to necessary data facilities, systems, and operational logs. Companies must address identified vulnerabilities and submit rectification reports within 15 working days after assessment completion. Regulatory authorities retain the power to order corrections when data-processing activities endanger national security or public interest, with non-compliant entities potentially facing suspension of important data processing operations.
Wang Zhicheng, an official from the Office of the Central Cyberspace Affairs Commission, characterized the measures as establishing a ‘full life cycle and multi-element evaluation system’ designed to address emerging security challenges posed by artificial intelligence, big data, and blockchain technologies. The framework embeds risk assessment throughout the entire data life cycle—from collection and storage to processing, transmission, and deletion—while evaluating multiple dimensions including technological protections, management implementation, personnel responsibilities, and institutional mechanisms.
The Cyberspace Administration has opened the draft for public consultation until January 5, 2026, seeking stakeholder feedback before final implementation.
