New measures to enhance data security governance

China's digital economy has entered a stage in which data have become a key factor of production, an important strategic resource and a vital driver of innovation. Against this backdrop the release of measures to assess network data security risks marks a key step in strengthening the country's data security governance framework.

The measures, released on Thursday, will come into force on Aug 20. They aim to provide a systematic framework for identifying, analyzing and evaluating risks associated with network data and data-processing activities. The regulations require handlers of important data to conduct annual risk assessments while encouraging processors of general data to carry out assessments at least once every three years. They also establish clearer responsibilities for regulators, enterprises and third-party assessment institutions.

Since the enactment of the Data Security Law in 2021 and the issuance of regulations on network data security management, China has steadily built a comprehensive system for governing data resources. Yet a key question remained: how can enterprises effectively identify risks before incidents occur? The new measures answer that question by institutionalizing risk assessment as a routine and preventive mechanism. They transform data security governance from a reactive model focused on incident response into a proactive model centered on risk prevention and early warning.

The rapid expansion of artificial intelligence, cloud computing, industrial internet platforms and cross-border data flows has increased the complexity of data governance. As digital technologies penetrate every sector of the economy, data-related risks can quickly evolve into broader economic and social risks if left unchecked. The new measures therefore serve as an institutional safeguard for the healthy high-quality development of the sectors concerned.

For industries and enterprises, the effect will be both immediate and long term.

For sectors that process large volumes of important data — including telecommunications, finance, energy, transportation, healthcare and industrial manufacturing — the measures will accelerate the establishment of more mature data governance systems. Enterprises will need to strengthen internal controls, improve data inventories, clarify data classification mechanisms and enhance monitoring of the entire data lifecycle. While compliance costs may rise in the short term, the long-term benefits will include stronger resilience against cyberattacks, data leaks and operational disruptions.

The regulations are also expected to create new opportunities for China's cybersecurity and compliance service industries. By permitting enterprises to engage qualified third-party institutions to conduct assessments, the measures are likely to stimulate demand for professional services in risk evaluation, auditing, consulting, certification and security technology solutions. The development of a more standardized assessment ecosystem will further support the growth of specialized service providers and encourage technological innovation in data protection.

Importantly, the measures do not signal tighter restrictions on data utilization. Rather, they embody China's longstanding approach of balancing development and security. The objective is not to impede data circulation, but to create a more predictable and trustworthy environment in which data can be developed, shared and utilized safely. By clarifying assessment requirements and reducing uncertainty, the measures can help lower compliance burdens for many enterprises while enhancing confidence in data-driven innovation.

In an era when data security has become closely linked with economic security, social stability and national competitiveness, building robust risk management mechanisms is a must. The newly released measures represent important progress in China's effort to modernize data governance. By placing risk assessment at the forefront of security management, the country can lay a stronger foundation for the healthy growth of its digital economy.