China Finalizes Network Data Security Assessment Rule | TLY

AI Regulation Tracker  /  New rule

China Finalizes Network Data Security Risk Assessment Measures, Requiring Annual Assessments From August 20

Regulatory summary: The Measures for Network Data Security Risk Assessment 网络数据安全风险评估办法, jointly issued by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security (MPS), is a final, binding rule of 25 articles published on June 18, 2026 and effective August 20.

China's cyberspace, industry, and public security authorities have jointly issued a final, binding measure that requires important-data processors to run a formal data-security risk assessment every year and again on any material change. It takes effect August 20, 2026, and it reaches the data layer that feeds AI and machine-learning systems.

Primary source

China Finalizes Network Data Security Risk Assessment Measures, Requiring Annual Assessments From August 20 regulation briefing
The Leveraged Years AI Regulation Tracker

Key takeaways

  • China moved this measure from a December 2025 draft to a final binding rule and fixed the assessment cadence. Important-data processors now have a hard annual assessment duty plus an event-driven duty to assess on material change, and general processors get an encouraged three-year cadence. The result is a defined, recurring risk-assessment obligation for the data layer rather than a one-time or ad-hoc expectation.
  • Data-protection and security officers at organizations that handle important data in China; AI and machine-learning teams whose training and operational pipelines rest on large data holdings; cloud and platform operators; and legal and compliance leads coordinating data-security duties under China's Data Security Law and related rules.
  • Status: Final and issued.
  • Determine whether your organization is an important-data processor, stand up an annual data-security risk assessment method that meets the measure, and write down what counts as a material change that forces an interim assessment, so the process is ready before August 20, 2026.
DateJurisdictionRuleAffected professionalsStatus or effective date
2026-07-09ChinaChina moved this measure from a December 2025 draft to a final binding rule and fixed the assessment cadence. Important-data processors now have a hard annual assessment duty plus an event-driven duty to assess on material change, and general processors get an encouraged three-year cadence. The result is a defined, recurring risk-assessment obligation for the data layer rather than a one-time or ad-hoc expectation.Data-protection and security officers at organizations that handle important data in China; AI and machine-learning teams whose training and operational pipelines rest on large data holdings; cloud and platform operators; and legal and compliance leads coordinating data-security duties under China's Data Security Law and related rules.Final and issued. Published June 18, 2026, effective August 20, 2026.

Frequently Asked Questions

Is this measure in force?

It is final and binding. It was published on June 18, 2026 and takes effect on August 20, 2026.

Who issued it?

It was jointly issued by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security.

How often must an important-data processor run an assessment?

Every year under Article 5, plus a prompt assessment of the affected part whenever a material change in the security status of important data could adversely affect data security.

What about processors of general data?

They are encouraged to conduct a risk assessment at least once every three years, which is an encouragement rather than a hard annual mandate.

How does this affect AI systems?

AI training and operation rest on data holdings, so important data used by AI systems falls within the annual assessment scope, making the measure part of AI data-layer compliance in China.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.