CAC Seeks Comments on the Measures for Network Data Security Risk Assessment
Promulgation date: 2025-12-08
The Cyberspace Administration of China (CAC) recently published the Measures for Network Data Security Risk Assessment (Draft for Comment) (the "Draft") for public consultation, with comments due by January 5, 2026.

According to the Draft, network data processors that process important data shall carry out a risk assessment of their network data processing activities annually. Where any significant change in the security status of important data may adversely affect data security, a risk assessment shall be promptly conducted on the changed aspects and their potential impact. The Draft specifies that, where an assessment institution discovers any major data security risk during a risk assessment, it shall promptly notify the network data processor and report to the cyberspace administrations at the provincial level or above and other competent authorities in accordance with relevant provisions. The Draft further requires that, where any content of a risk assessment overlaps with that of a graded cybersecurity protection assessment, among others, the relevant results may be mutually recognized to avoid duplicate assessments, audits, and certifications.



(Source: https://www.cac.gov.cn/2025-12/06/c_1766578179367262.htm)

Note: The link to the Chinese official website of the document is for your reference.