China Data Protection and Cybersecurity: Annual Review of 2024 and Outlook for 2025 (II)

In 2024, China continued to deepen its practices in cybersecurity and data compliance governance. Regulators in various industries have successively introduced a large number of new laws and regulations, further refining the obligations of businesses in areas such as personal information protection, data security, and cybersecurity. Notably, as restrictions on cross-border data flow gradually ease, China is accelerating the exploration of updated pathways to ensure the safe and orderly flow of data across borders. At the same time, pilot programmes for personal information protection compliance audits have been gradually launched, with the aim of accumulating valuable experience to support the promotion and application of relevant national standards. Furthermore, under the coordination of the National Data Bureau, the establishment of basic systems for data is advancing steadily. Through local pilot initiatives, efforts are being made to fully harness and activate the market value of data elements, thus promoting the development of the digital economy.

As we head into 2025, the implementation of the Regulations on Network Data Security Management will introduce new requirements for businesses in terms of cybersecurity and data compliance governance. In addition to these, what new challenges will businesses face? In the following two-part series, we will further explore the progress of data protection and cybersecurity developments for China in 2024, and how it is likely to shape the landscape in 2025.

In this second article, we set out highlights of the year and 2025 predictions in terms of data security, cyber security, and data exchange and transactions. Click here if you would like to read our first article where we gave an overview of the highlights in China, and developments in personal information protection.

Part Three: Data Security

I. Regulatory Development

In 2024, China continued to strengthen the establishment of regulations and standards system in the field of data security, aiming to comprehensively enhance governance and regulatory capabilities and deepen the practice of data security governance. 

1) Issuance of the Regulations on Network Data Security Management (“Network Data Regulations”)

On 30 September 2024, the Network Data Regulations (Click here to read our comments on the Network Data Regulations) were official released and came into effect on 1 January 2025. Positioned within China’s legal framework, the Network Data Regulations serve as implementing administrative rules for three overarching laws: the Personal Information Protection Law (“PIPL”), the Data Security Law (“DSL”), and the Cybersecurity Law (“CSL”). Building on evolving data security risks and practical insights from regulatory-industry interactions in recent years, the Network Data Regulations refine principles under these laws and clarify long-term regulatory approaches.

Notably, the Network Data Regulations emphasise the principle-based provision in Article 21 of the DSL, which requires relevant authorities to formulate catalogues of important data. It provided that for data identified as important, relevant regions or departments shall promptly notify or publicly release the information to network data processors. This requirement further lays the foundation for delegating the task of identifying important data to various ministries and local governments. Additionally, the Network Data Regulations dedicate a specific chapter to the obligations of important data processors, including the specification of the person in charge of network data security and the management body for network data security, as well as the annual risk assessment of network data processing activities. This is conducive to further promoting enterprises’ implementation of important data security protection responsibilities.

Additionally, the Network Data Regulations imposes cross-cutting obligations on network data processors spanning personal information protection, data security, and cybersecurity, with tiered compliance requirements for different entities. Apart from the general compliance obligations that apply to all network data processors, the Network Data Regulations also imposes additional compliance requirements on entities such as those processing personal information of more than 10 million individuals, network platform service providers, and enterprises offering generative artificial intelligence (“AI”) services. For instance, the Network Data Regulations requires enterprises providing generative AI services to strengthen the security management of training data and the activities related to data processing, and to take effective measures to prevent and handle network data security risks. 

2) Data Classification, Grading, and Important Data Identification 

In 2024, authorities including the National Cybersecurity Standardisation Technical Committee (“TC260”), the Ministry of Industry and Information Technology (“MIIT”), the Shanghai Municipal Administration for Market Regulation (“Shanghai SAMR”), and the Tianjin Pilot Free Trade Zone (“FTZ”) released standards and guidelines to further advance data classification and grading regimes and carry out the identification of important data across industries and sectors. 

At the national level, TC260 released the national standard Data Security Technology – Data Classification and Grading Rules (“Data Classification and Grading Rules”) in March 2024, providing reference for industrial and sectoral authorities in developing data classification and grading normative documents, as well as guiding businesses in classifying and grading the data they hold. The Data Classification and Grading Rules classifies data into three tiers: core data, important data, and general data, with definitions for each category. For important data, the Data Classification and Grading Rules includes an appendix titled “Guidelines for the Identification of Important Data (Normative)”, which provides guidance for industrial and sectoral authorities and data processors in identifying important data.

At the local and sectoral level, in February 2024, the Tianjin FTZ issued the Standards and Specifications of China (Tianjin) Pilot Free Trade Zone for Enterprise Data Classification and Grading, clarifying the implementation requirements for data classification and grading. In September, the Shanghai SAMR released Guidelines for Classifying and Grading Vehicle Networking Data, detailing requirements to ensure security and compliance across application scenarios. In September, the Shanghai SAMR issued the Guidelines for the Classification and Grading of Internet of Vehicles Data, which further details the requirements for the classification and grading of Internet of Vehicle (“IoV”) data to ensure its security and compliance across different application scenarios. Additionally, in November, the MIIT held a second public consultation on the industry standard -- Guidelines for Identifying Important Data in the Industrial Sector, which clarifies the fundamental principles and identification processes for identifying important data in the industrial sector, aiming to provide a reference for industry regulatory bodies in formulating a catalogue of important data in the industrial field. 

3) Increasing Legislative Activity in the Industry

In 2024, legislative activities in the data security sector continued to be highly active across various industries. In addition to the ongoing development of legal regulations in sectors such as industry and information technology, automotive, and finance, the field of AI has also accelerated the formulation of data security standards:

• Industry and information technology: In February 2024, the MIIT issued the Implementation Plan for Enhancing Data Security Capabilities in the Industrial Sector (2024 - 2026), outlining detailed plans and goals for establishing a data security protection system in the industrial field. For instance, in May, MIIT released the Implementation Rules for Data Security Risk Assessment in the Industrial and Information Technology Sector (Trial) (the “Implementation Rules”) (Click here to read our comments on the Implementation Rules), which guides enterprises in conducting data security risk assessments. The rules stipulate that key data and core data processors must conduct at least one data security risk assessment per year. Additionally, at the end of October, MIIT issued the Emergency Response Plan for Data Security Incidents in the Industrial and Information Technology Sector (Trial), requiring enterprises to proactively prevent data security risks and regularly conduct drills to ensure a rapid response to data security incidents. These measures enhance the data security protection capabilities in the industrial and information sectors, providing clearer guidance and support for enterprises in managing increasingly complex data security risks.
• Automotive industry: In 2024, China further strengthened data compliance supervision for intelligent connected vehicles (“ICVs”), covering specific application scenarios such as spatial-temporal data processing, cessation of external vehicles data collection, and vehicle data sharing. Specifically, in May, the Ministry of Natural Resources released two drafts for public comment: Basic Requirements for the Security Processing of Spatial-Temporal Data of Intelligent Connected Vehicles and Basic Requirements for the Security of Spatial-Temporal Data Sensing Systems of Intelligent Connected Vehicles, stipulating a series of security requirements for ICVs when processing spatial-temporal data. Subsequently, on 24 June, the TC260 sought public comments on the national standard Cybersecurity Standards Practice Guidelines – One-Click Stop for Collecting External Vehicle Data, which aims to guide enterprises in promptly stopping data collection via a convenient button when vehicles enter sensitive areas, thereby enhancing data security management. Furthermore, in July, Shanghai released a draft local standard, Guidelines for Intelligent Connected Vehicle Data Sharing Systems, to provide recommendations for secure and standardised data sharing in ICVs.
• Financial industry: The National Financial Regulatory Administration continued to strengthen data supervision in the financial sector, imposing data security management requirements on different types of financial institutions. First, the Administrative Measures for Consumer Finance Companies issued in March 2024 introduced numerous requirements for consumer finance companies regarding data security obligations, such as establishing a debt collection management system to manage and record the collection process, and retaining relevant data for at least five years. Second, the Measures for Data Security Management of Banking and Insurance Institutions, released in December 2024, establishes a governance framework for financial data security within banking and insurance institutions. It clarifies the classification and grading standards for financial data, requiring organisations to implement stricter protection measures for data categorised as sensitive or higher. Additionally, these measures further elaborate on the response requirements for financial data security incidents, stipulating that enterprises must report particularly significant incidents to the relevant authorities within two hours and continuously follow up on the incident’s resolution.
• AI field：Compared to 2023, the development of data security standards in the AI field became more robust in 2024. TC260 released three draft national standards for public consultation in April and May: Cybersecurity Technology – Security Specifications for Data Annotation in Generative AI, Cybersecurity Technology – Security Specifications for Pre-training and Optimisation Training Data in Generative AI, and Cybersecurity Technology – Basic Security Requirements for Generative AI Services. These standards aim to provide comprehensive protection for data processing in the AI field, covering aspects such as data annotation security, training data security, and data source security.

II. Enforcement Development

III. Outlook for 2025

China’s data security governance accelerated in 2024, transitioning from foundational establishment to systematic structuring. Looking ahead to 2025, we anticipate developments in the following areas:

• Deepening data classification and grading, accelerating important data identification: While 2024 was a pivotal year for the development of the data classification and grading systems, in general, many regional, industrial, or sectoral authorities have yet to formulate or publish catalogues of important data, and the process of standard formulation has been relatively slow. With the implementation of the Network Data Regulations, the responsibilities of relevant industrial and sectoral authorities will be further clarified. The Data Classification and Grading Rules will also provide specific guidance for these authorities to develop important data catalogues. In 2025, it is expected that more industries will participate in the identification of important data, with the release of industry-specific lists to assist enterprises in carrying out data classification and grading activities. This will further promote the development of data security governance towards a more refined and precise approach.
• Network Data Regulations take effect, increasing enterprise compliance obligations: The Network Data Regulations will take effect on 1 January 2025, marking a new phase in China’s network data security governance. The Regulations imposes tiered obligations on different types of enterprises, requiring them to continuously adjust their current compliance practices to meet the new requirements under the Network Data Regulations. Entities responsible for data security will need to cooperate more closely with one another, forming a more comprehensive network data security protection system.
• Gradual improvement of industry data security protection systems, with more sectors involved: In 2024, industries such as industry and information technology, finance, automotive, and AI made progress in formulating data security standards and regulations. Draft standards are expected to be finalised and implemented in 2025; meanwhile, more industries are likely to engage in data security governance in 2025 to fulfil their responsibilities in data security protection.
• Continued intensification of data security enforcement, with broader scope of coverage: In 2024, China’s data security law enforcement activities continued to maintain a high-pressure stance, with more diverse enforcement bodies, a broader range of enforcement targets, and a more prominent focus on key areas. We expect that in 2025, the intensity of data security law enforcement will continue to rise. With the involvement of bodies such as the CAC and public security authorities, law enforcement activities will extend to cover more small and medium-sized enterprises across various industries and sectors.

Part Four: Cybersecurity

In 2024, China continued to deepen cybersecurity legislation and law enforcement activities. Building upon the detailed elaboration of the principles outlined in the CSL, numerous compliance guidelines have been provided to assist businesses in carrying out cybersecurity protection activities.

I. Regulatory Development

1) The Network Data Regulations Deepen Enterprises’ Cybersecurity Protection Responsibilities

The Network Data Regulations refines several provisions of the CSL and enhance the coordination of various laws in the field of cybersecurity. Specifically, the Network Data Regulations imposes stringent network operation security requirements on enterprises in areas such as the multi-level cybersecurity protection, security vulnerability notification and reporting, and emergency response to security incidents:

• The multi-level cybersecurity protection: The Network Data Regulations reaffirm the provisions of Article 21 of the CSL, which requires enterprises to implement the multi-level cybersecurity protection system. In addition, the Network Data Regulations mandate that enterprises, based on the multi-level cybersecurity protection, adopt technical measures such as encryption, backup, and access control, as well as other necessary measures to ensure the security of network data.
• Security vulnerability notification and reporting obligations: Article 22 of the CSL requires enterprises to notify users and report to relevant authorities when they discover risks, such as security flaws or vulnerabilities in network products or services. In this regard, the MIIT released the Cybersecurity Vulnerability Management Regulations in September 2021, which further detailed these requirements, specifying the timelines, reporting platforms, and content for vulnerability reporting. The Network Data Regulations builds upon this framework by introducing a new requirement for enterprises to report any security flaws or vulnerabilities that may pose a threat to national security or public interests to the competent authorities within 24 hours.
• Emergency response to network data security incidents: The Network Data Regulations carries forward the provisions of the CSL, the DSL, and the PIPL concerning the handling, reporting, and notification of security incidents. It clearly outlines the actions enterprises must take when a network data security incident occurs. With regard to handling requirements, enterprises are required to promptly activate their emergency response plans and take remedial measures to prevent further harm. As for reporting obligations, enterprises must report the incident to the relevant authorities in accordance with the regulations. Additionally, if a network data security incident causes harm to the legal rights and interests of individuals or organisations, enterprises must also notify the affected parties in a timely manner in accordance with the Network Data Regulations and other applicable laws.

2) Local and Industrial Authorities Continue to Release Regulatory Requirements to Implement Enterprises’ Network Security Responsibilities

In 2024, relevant departments or regulatory authorities in various regions and industries consecutively released numerous legal requirements to strictly enforce the enterprises’ primary responsibility for network security. For example:

• TC260: TC260 has released a series of guidelines, including the Cybersecurity Standards Practice Guidelines – Interoperability of Cybersecurity Products Asset Information Format, the Cybersecurity Technology – Implementation Guidelines of Cybersecurity Operation and Maintenance (Draft Exposures), and the Cybersecurity Standards Practice Guidelines – Network Security Assessment Guide for Large Internet Platforms. These guidelines are aimed at helping enterprises improve their network security governance and effectively manage cybersecurity risks, based on different entities and scenarios. 
• MIIT: In January, the MIIT released the Guidelines for the Cybersecurity Protection of Industrial Control Systems, focusing on weak points and common cybersecurity risks in industrial enterprises’ network security protection. The guidelines emphasise technical response strategies and aim to enhance the industrial enterprises’ industrial control security protection and operational capabilities.
• National Energy Administration: In May, the National Energy Administration released the Emergency Plan for Cybersecurity Incidents in the Electric Power Industry, which provides specific requirements for electric power enterprises to improve their response mechanisms to cybersecurity incidents, covering aspects such as monitoring and early warning, emergency response, and post-incident handling. 
• Shanghai CAC: Article 13 of the CSL requires the development of network products and services that benefit the healthy growth of minors, providing a safe and healthy online environment for them. In response, in November, the Shanghai CAC released the Compliance Guidelines for Local Network Platforms to Fulfil Their Obligations for the Protection of Minors (Trial). The guidelines require enterprises to implement measures such as providing a “minor mode”, conducting impact assessments for minors’ network protection, and establishing and improving compliance systems, to strengthen the protection of minors in cyberspace.

II. Enforcement Development

III. Outlook for 2025

The implementation of the Network Data Regulations in 2025 means that enterprises might need to adjust their existing cybersecurity compliance and governance models and content. For example, when enterprises develop cybersecurity management systems or emergency response plans for cybersecurity incidents, they will need to incorporate the new timeline introduced by the Network Data Regulations. Specifically, when security flaws or vulnerabilities are suspected to threaten national security or public interests, enterprises must report them to the relevant authorities within 24 hours. This requirement should be integrated into the relevant system standards or emergency response plans. Furthermore, we believe the implementation of the Network Data Regulations’ obligations for reporting cybersecurity incidents may promote the formal release and implementation of the Management Measures for the Reporting of Network Security Incidents (“Management Measures”). This would provide clearer guidelines for enterprises on how to carry out cybersecurity incident reporting. (Click here to read our comments on the Management Measures.)

Regarding enforcement activities, in 2025, enforcement authorities are expected to continue the trends of regularised and grassroots-level enforcement that emerged in 2024, gradually expanding the scope of enforcement to ensure proper compliance with the provisions of the CSL and safeguard enterprise cybersecurity. 

Moreover, cybersecurity remains a key focus in current enterprise data protection governance practices, playing an essential role in safeguarding the personal rights of citizens, social interests, and national security. Therefore, we anticipate that, in 2025, more regulatory authorities will introduce new requirements for enterprises to fulfil their network security obligations, taking into account the characteristics of specific industries.

Finally, following the legislative plan for the amended CSL, which was proposed during the 2023 National People’s Congress, the National People’s Congress Standing Committee released the annual legislative work plan in May 2024, confirming that the revision of the CSL has been placed on the agenda for its first review. We continue to look forward to the enactment of the revised CSL, which will provide an updated compliance governance framework for China’s cybersecurity regulation.

Part Five: Data Exchange and Transactions

I. Regulatory Development

In 2024, the marketisation process of data elements in China significantly accelerated, with a surge in the introduction of basic systems for data. Under the coordination of the National Data Bureau and guided by key top-level designs such as the Opinions on Building a Data Basic System to Better Utilise Data Element, local authorities have taken the lead in pilot initiatives, actively making progress in areas such as data intellectual property registration, the authorised operation of public data, and the inclusion of data assets in balance sheets. These efforts have significantly promoted the development and utilisation of data resources.

1) Top-Level Design: Strengthening the Basic Systems for data and Unleashing the Market Value of Data Elements

The National Data Bureau has fully leveraged its coordination capabilities in the marketisation reform of data elements. In 2024, it formulated a series of overarching plans and implementation schemes to guide local authorities in actively exploring and accelerating the development and utilisation of data resources.

At the overall planning level, in early 2024, the National Data Bureau and other departments jointly issued the Three-Year Action Plan (2024-2026) for “Data Element ×” (the “Action Plan”), encouraging regions to conduct pilot program first, promptly summarise practical experience that may be replicated and promoted, and encourage enterprises to conduct accounting processing of data resources in accordance with the unified national accounting system. The Action Plan requires actions in 12 key industries, including industrial manufacturing, modern agriculture, financial services, and healthcare, aiming to increase data supply, optimise the data circulation environment, and enhance security governance, all with the goal of stimulating the market value of data elements.

At the implementation scheme level, the National Data Bureau and relevant departments have issued several plans aimed at promoting the development and utilisation of data resources. For example, in October, the General Office of the CPC Central Committee and the General Office of the State Council issued the Opinions on Accelerating the Development and Utilisation of Public Data Resources, calling for the deepening of data element allocation reforms. This includes expanding the supply of public data resources through measures such as government data sharing, public data openness, and authorised operations. In December, the National Data Bureau released the Opinions on Promoting the Development and Utilisation of Enterprise Data Resources, which emphasises the need to enhance the mechanisms for the establishment, protection, and distribution of enterprise data rights and interests, as well as improve enterprise data governance capabilities.

2) Regions to Conduct Pilot Program First: Implementing Data Asset Management and Data Resource Development and Utilisation Requirements

In 2024, local governments actively implemented the central government’s strategic deployment. Building on detailed policy requirements, they explored key areas such as data intellectual property management, public data authorised operations, and data asset inclusion in balance sheets, achieving initial results:

• Data intellectual property management: In 2024, regions such as Shanghai, Jiangsu, Hunan, Guangdong, and Changchun issued their respective regional data intellectual property registration management measures, which provided detailed provisions regarding the data intellectual property registration processes. Establishing data intellectual property rights is crucial for enhancing the protection of rights holders, facilitating the orderly circulation of data elements, and ensuring the full realisation of data value.
• Public data authorised operations: Public data is characterised by its vast volume and high economic value potential. Therefore, effectively managing public data authorised operations is of great importance to China’s digital economic development. Currently, cities such as Tianjin, Nanjing, Shanghai, and Shandong have progressively issued trial measures or drafts for public data authorised operations in 2024, aiming to promote compliant management of public data and unlock its economic value.
• Data asset inclusion in balance sheets: With the official implementation of the Interim Provisions on the Accounting Treatment Relating to Enterprises’ Data Resources on 1 January 2024, the year 2024 became the “first year of data resources inclusion in balance sheets.” More and more market entities are participating in the marketisation of data elements, with a growing number of typical cases emerging for the inclusion of data assets in balance sheets. For example, in February 2024, Suzhou completed China’s first IoV data asset inclusion case, with over 3 billion smart transportation roadside sensing data resources being included in the balance sheet.

II. Enforcement Development

The issue of how to compliantly realise the value of public data and government data became a subject of widespread public attention in 2024.

In December 2024, the first batch of digital asset public bidding transfer projects in Fuling District, Chongqing, was urgently suspended. The root cause lies in the fact that these assets involved the transaction of “public data,” while the current legal framework still presents several significant barriers, primarily the following three: first, there is a lack of clear legal guidance on public data transfers; second, there are systemic challenges such as unclear data ownership rules, a lack of value assessment systems, and undefined privacy protection boundaries; third, there are hidden compliance risks related to government data transactions. This exploration is not without prior lessons— in November 2023, Hengyang City in Hunan Province was halted due to the auction of government data and smart city franchise rights. In December 2024, the National Audit Office reported a batch of cases of “profit-making through government data” violations. Local governments are advised to learn from these cases and ensure a safe and orderly exploration of public data authorised operations before clarifying the transaction pathways for public and government data.

Additionally, the first case in China concerning the validity of the “Data Intellectual Property Registration Certificate” was upheld in the second instance in 2024. The Beijing Internet Court ruled that data intellectual property registration can serve as preliminary evidence for the plaintiff’s data property rights and as initial evidence for the legality of data collection or the source of the data. The ruling in this case holds significant importance for the ongoing trials of data intellectual property registration across various regions. This case clarifies the legal effectiveness of data intellectual property registration from a judicial perspective, providing strong judicial support for the practice of data intellectual property registration in China and offering valuable insights into converting data products into data assets.

III. Outlook for 2025

1) Strengthening the Standardised Operation of Public Data

In 2024, multiple regions released trial measures to explore effective models for the authorised operation of public data. Currently, the main challenges in public data authorised operations include unclear data ownership, difficulties in asset value definition, and the balance between data openness and privacy protection. We believe, that with continuous and deeper exploration of effective operational models for public data authorised operations across regions, the regulatory system for such operations will become more refined by 2025. Moreover, the actual operational models will be more standardised. In the coming year, we expect more provinces and cities to release trial measures or drafts for public data authorised operations, further promoting the compliant operation of public data and facilitating the rational flow of public data resources, thereby enhancing the economic and social value of data.

2) Local Experience Feeding into the Development of Higher-Level Legal Systems

In 2024, we observed that local regions have already begun building systems and implementing valuable practices in areas such as data intellectual property registration, public data authorised operations, and the inclusion of data assets in balance sheets. By 2025, we expect local governments to continue to explore these areas and strive to summarise experiences from practice, testing better operational models and solutions. As the exchange and accumulation of local experiences continue, we hope these valuable local practices will contribute to the development of higher-level legal systems. This will ideally lead to the creation of a unified system for the circulation and transaction of data elements, maximising the market value of data elements.

3) Promoting the Development and Utilisation of Enterprise Data Resources and the Inclusion of Data Assets in Balance Sheets

The report released at the Data Elements and the 2nd Data Asset Value Conference in December 2024 revealed that the demand for including enterprise data assets in balance sheets continues to grow, but the process remains in its early stages. There are still notable issues, such as the low number of enterprises including data assets in their balance sheets and the low proportion of total assets represented by data assets. With the ongoing exploration of various inclusion methods, we look forward to seeing effective ways to include data assets in balance sheets emerge in 2025. This will help more enterprises unlock the value of their data resources, thereby increasing the number of companies participating in this process and the value of data assets included in balance sheets.

If you’d like to speak with us about how to align your business, or subscribe to our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].