China: Implemented Administrative Measures on Data Security in the Industry and Information Technology Sectors (for Trial Implementation) including cybersecurity measures

On 1 January 2023, the Regulation "Administrative Measures on Data Security in the Industry and Information Technology Sectors (for Trial Implementation)" came into effect. The measures aim to regulate data processing activities and outline security measures that entities from the industrial and telecom sectors have to follow. The Regulation outlines different requirements depending on the type of data, classifying it as "general data", "core data", and "important data". Data on Chinese politics, military, economy, nuclear security, and artificial intelligence, among others, is considered to be related to national security and is classified as "important data". In particular, the Regulation requires entities to implement preventive, detective and responsive security systems and implement hierarchical protection measures depending on the type of data they store and process. The entities processing "important data" and "core data" are required to conduct a risk assessment at least once a year to identify and rectify security risks. Furthermore, the entities are required to submit reports on their risk assessments and notify the competent authorities within three months if there are 30% or more changes with regard to the category of "important data". Additionally, the Regulation introduces the obligation to destroy data when it is necessary to protect national security and social and public interests.