China: People's Bank of China adopted Measures for the Administration of Data Security in the Business Field including cybersecurity regulation

On 1 May 2025, the People's Bank of China adopted the Measures for the Administration of Data Security in the Business Field, formalising data security obligations for financial institutions and other authorised entities operating under its jurisdiction. The Measures outline data security obligations for entities processing personal data within the business domain of the PBC, limited to operations conducted exclusively within China. The PBC would be required to adopt data classification and grading standards. The Measures specifically address data that doesn't include state secrets and outline security measures that have to be implemented based on the degree of impact on national security, classifying them into general, important and core. Furthermore, the entities would be required to implement security measures based on data sensitivity grading, which includes 5 levels based on the harm that could pose to individuals' rights in case of breaches. The Measures specify that entities are required to assign responsibilities, allocate personnel, and consolidate accountability for data security management with specific designations for those handling important data and establish emergency response procedures.