China's Final Data Security Risk Assessment Rules
China’s approach to data governance, after the dense legislative sprint of the past decade, has moved into a quieter, more procedural phase. The big statutes are already on the books, and the work now is less about declaring principles than about wiring them into machinery that companies can operate and regulators can inspect.
The Measures for Network Data Security Risk Assessment, issued as Order No. 24 and effective on 20 August 2026, are a clean example of that shift. They take a single sentence buried in a 2025 administrative regulation — important data handlers must periodically assess their risks and report — and turn it into a working rulebook. The more interesting story, though, is not the obligation itself but what changed between the draft and the final text: on almost every contested point, Beijing eased the burden on business while quietly strengthening the supervisory frame behind it.
Three things make the release worth a careful read. It is the first time the Cyberspace Administration of China (CAC) has co-signed a data-security rule of this kind with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS), rather than acting alone. It is the implementing piece that finally gives operational teeth to the Regulations on Network Data Security Management, which took effect on 1 January 2025. And the redline between the December 2025 consultation draft and the June 2026 final text reads as a deliberate, consistent signal to the market.
On the day of release, the three issuing agencies put out an official Q&A, and the state cyber outlet "网信中国" published a cluster of expert commentaries from people close to the drafting — among them officials from China's national CERT and the Cyberspace Administration's own technical support center, and legal scholars from Renmin, Beihang, and the China Law Society.
From skeleton to flesh
To place the Measures correctly, it helps to recall how China built this regime. The Cybersecurity Law (2017) and the Data Security Law (2021) erected the load-bearing structure; the 2025 Regulations on Network Data Security Management, an administrative regulation one rung below statute, added that “important data handlers shall periodically conduct risk assessments and submit reports.” But that was a principle, not a procedure. It said nothing about how often to assess in practice, whom to file with, what the report should look like, or how the assessment bodies themselves would be policed. The Measures are the piece that fills in that flesh — a textbook implementing rule that converts an abstract duty into a process with deadlines, retention periods, and red lines.
Stripped to essentials, the 25-article text answers four plain questions.
Who must assess: important data handlers face a hard annual requirement, plus a duty to re-assess the affected portion whenever the security status of their important data changes materially; ordinary “general” data handlers are merely encouraged to assess at least once every three years.
How: firms may self-assess, provided they name a person in charge, or commission a third-party body under a contract that allocates responsibility, working to the Data Security Law, the 2025 Regulations, and the relevant national standards.
To whom: important data handlers must file the report within 20 working days of finishing the annual assessment, to their sector regulator or, absent one, to the provincial or national cyberspace authority, and must keep it for at least three years, subject to verification of its authenticity.
Who supervises: the CAC, with telecom and public-security authorities, will run a dedicated coordination mechanism, with agencies sharing their annual inspection plans to avoid duplication — and inspections, the text is careful to say, may not charge fees. Only where data activities carry significant risk or a major breach occurs may regulators require a firm to bring in a certified body. Those bodies, in turn, face hard limits: no sub-delegation, no more than three consecutive annual assessments for the same client, full responsibility for the truth of their findings, and strict confidentiality over the data and trade secrets they touch.
What it is — and what it is not
One conceptual point runs through every expert commentary and is easy for outsiders to miss. A network data security risk assessment is not a conformity test. It sits apart from China's well-known Multi-Level Protection Scheme (MLPS, 等级保护测评) and from cloud-service security assessment, which check compliance against a fixed checklist. This is a risk-evaluation activity, built to answer four blunt questions about an organization: is there risk, what is it, where is it, and how big is it. The orientation is dynamic — it targets data processing activities, not static data at rest, asking in what scenario data is handled, by whom, how it flows, and whether it crosses into external systems.
That framing widens the scope in ways foreign tech firms should note. The assessment is meant to cover every system holding a copy of the data; the data-leakage risks that flow from ordinary network-security weaknesses; the exposure created by aggregation analysis and open-source data leakage; the responsibility boundaries pulled in when data is entrusted to, or jointly processed with, third parties; and — explicitly — the new risks introduced by artificial intelligence, including excessive bulk collection, data poisoning, and model memorization that leaks training data or personal information. For companies deploying large models in China, the annual assessment is one of the first hard hooks tying AI data practices to a named compliance duty.
The draft-to-final pivot
The edits are where the policy intent shows. Read side by side, the December draft and the final text move in one direction: raise the instrument’s authority, lighten the load on firms, and leave room for a domestic assessment industry to grow.
First, the document gained weight. The draft was the CAC’s alone; the final version carries the joint signature of the CAC, MIIT, and MPS and the formality of a numbered ministerial order. That makes it harder to ignore and signals that network data security has been folded into cross-agency supervision rather than left to one regulator.
Second, the timeline loosened. The reporting deadline moved from 10 working days to 20, giving firms real room to route a report through internal review. The mandatory reporting template annexed to the draft was dropped entirely; companies now prepare reports according to their sector regulator’s rules or national standards, tailored to their own business.
Third, compulsion gave way to discretion. Where the draft said regulators “shall” require a certified third-party body in qualifying cases, the final text says they “may” — meaningfully lowering the odds that a company is forced to outsource. In the same spirit, the obligation on assessment bodies to report major risks to regulators was deleted; they now need only notify the client, which strips them of the quasi-whistleblower role the draft had assigned.
Fourth, the drafting got more durable and less punitive. References to specific standards by number gave way to “the relevant national standards,” so the rule tracks future updates automatically, and the draft’s detailed penalty ladder for assessment bodies was compressed to “handled in accordance with law,” sending the specifics back up to the parent statutes. Alongside these reliefs, the final text added two things the draft lacked: an explicit commitment by the CAC, telecom, and public-security authorities to cultivate the assessment-services market, and a formal, multi-agency coordination mechanism to run the whole system.
One deletion looks, at first glance, like it cuts the other way — and here the expert commentary is genuinely clarifying. The draft's Article 21 had said that where the content of a risk assessment, MLPS testing, data-security management certification, personal-information compliance audit, and commercial cryptography security assessment overlap, the results could be mutually recognized. The final Measures do not keep that clause. But as one legal scholar from the China Law Society points out, the mutual-recognition principle did not disappear — it lives one level up, in Article 52(2) of the 2025 Regulations, which calls for personal-information compliance audits, important-data risk assessments, and cross-border data export assessments to be better dovetailed, and allows results to be mutually recognized where an important-data risk assessment and MLPS testing overlap.
What is still missing is the operational layer: the recognition criteria — consistency of the assessed object, validity period, comparability of methods, traceability of evidence — that would let one assessment actually count toward another. So this is less a retreat than an unfinished bridge, and it is the single most useful thing for a multinational to watch, because it determines whether China's overlapping compliance regimes can ever be run as one workflow rather than five.
What it means for companies — and for foreign observers
For firms that handle data at scale, especially those touching important data, the Measures are simultaneously a relief and a standing obligation. The relief is concrete: a wider filing window, the option to self-assess on a flexible template, lower odds of forced outsourcing, and inspections that are free and deduplicated. The obligation is equally concrete and easy to underestimate. An annual assessment presupposes that a firm already knows which of its data qualifies as “important,” which makes data classification and grading the real prerequisite. Reports must be retained for at least three years and can be checked at any time by the cyberspace, telecom, public-security, and state-security authorities, so ledger and evidence-chain discipline has to keep pace. Vendor planning matters too, given the bar on using the same assessment body for more than three consecutive years. And where encryption protects important data, a separate commercial cryptography security assessment applies as an independent step, with core data held to stricter national rules still.
The deeper signal sits in the philosophy the commentaries articulate, which is worth taking seriously precisely because it is the official self-description. The drafters frame the rule through the "effective market plus capable government" formula from the latest Party plenum, and build it around a triangle of actors — data handlers, third-party assessors, and certification bodies (the last accredited under China's Certification and Accreditation Regulations) — meant to let market capacity drive down compliance cost.
Their pitch to industry is that risk assessment is not overhead but self-knowledge: done well, it lets a firm size its defenses to its actual risk profile, avoiding both "using anti-aircraft guns to swat mosquitoes" (over-protection) and "scarecrow-style false security" (the appearance of safety without the substance). The hoped-for shift is from treating data security as an external constraint to treating it as an internal need — and, at the macro level, from data that is "unwilling, unable, and afraid to flow" toward breaking the "data islands" that trap the value of data as an economic asset.