Description

Cyberspace Administration of China opened consultation on draft measures for network data security risk assessments

On 6 December 2025, the Cyberspace Administration of China (CAC) opened a consultation, running until 5 January 2026, on the draft measures for network data security risk assessments. The draft regulation defines the scope and procedures for conducting network data security risk assessments under the Data Security Law and related instruments. Risk assessment covers the identification, analysis, and evaluation of risks associated with network data and data processing activities. Data processors handling important data must conduct risk assessments annually and when changes in security conditions may affect data security, while processors handling general data are encouraged to assess at least once every three years. Assessments must follow national standards and relevant industry provisions, and may be conducted internally or by certified third-party assessment agencies, subject to requirements on qualification, confidentiality, and oversight. Important data processors must prepare assessment reports using the required template, retain them for at least three years, and submit them to the competent authority within the specified time. Authorities must provide reporting channels, review submissions, and may conduct verification checks. In defined circumstances, authorities may require processors to engage certified assessment agencies, with restrictions on repeated commissioning for the same incident or risk. When commissioning assessments, data processors must provide access and support, bear associated costs, implement required rectifications, and refrain from improperly influencing assessment outcomes. The regulation also establishes mechanisms for risk information sharing, complaint handling, and enforcement, including penalties and corrective measures. It allows acceptance of overlapping results from other security assessments and introduces additional requirements for important data processors, core data processors, and assessments involving state or work secrets.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2025-12-06
in consultation

On 6 December 2025, the Cyberspace Administration of China (CAC) opened a consultation on the draft…

2026-01-05
processing consultation

On 5 January 2026, the Cyberspace Administration of China (CAC) closes the consultation on the draf…