June 18 — The Cyberspace Administration of China, the Ministry of Industry and
Information Technology and the Ministry of Public Security jointly issued the
Measures for Network Data Security Risk Assessment, effective August 20, 2026.
The measures set out assessment requirements, legal basis and formats. Important
data processors must conduct annual risk assessments; if an important data
security status undergoes material change that could harm data security, they
must promptly assess the changed elements and their impact. Network data
processors handling general data are encouraged to carry out risk assessments at
least once every three years. Assessments must comply with laws, regulations and
relevant national standards. Network data processors may conduct assessments
internally or commission third-party assessment agencies.
