Financial · 金融.
6 entries. The financial-sector layer built by the PBOC and the National Financial Regulatory Administration — data classification keyed to financial-information sensitivity, full-lifecycle security baselines, and regulator-facing incident reporting for banks, insurers, and payment institutions.
Departmental Rules .
部门规章 · CAC, MIIT, MPS and others
- § 01 · PBOC Data Security Measures
Measures for the Administration of Data Security in the Business Fields of the People's Bank of China
中国人民银行业务领域数据安全管理办法
Promulgated as PBOC Order [2025] No. 3 and effective June 30, 2025, these Measures are the People's Bank of China's departmental rule on data security across the business fields it supervises. They build a full-lifecycle security regime for business data — covering classification and grading (general / important / core data and a sensitivity dimension), management and technical requirements for collection, storage, use, processing, transmission, provision, cross-border transfer, public disclosure and deletion, and risk and incident management. Data processors (financial institutions and other PBOC-approved institutions) must inventory their data, designate security officers for important data, conduct annual risk assessments, and report security incidents, with penalties keyed to Article 45 of the Data Security Law.
- § 02 · NFRA Banking & Insurance Data Security Measures
Measures for the Administration of Data Security of Banking and Insurance Institutions
银行保险机构数据安全管理办法
Issued by the National Financial Regulatory Administration (NFRA) as Jin Gui [2024] No. 24 and effective December 27, 2024, these Measures are the comprehensive data security rule for banking and insurance institutions. Across nine chapters they establish a data security governance structure (board, senior management, a centralized administration department and an IT technical-protection department), a four-tier classification (core / important / sensitive / other general data), and full-lifecycle management and technical-protection requirements. They also contain a dedicated chapter on personal information protection, prescribe risk monitoring and a two-hour incident reporting timeline, set out supervisory and penalty provisions under the Banking Regulation Law and Insurance Law, and append a detailed data-security incident grading scheme. They supersede the 2022 trial measures (Yin Bao Jian Ban Fa [2022] No. 118).
- § 03
Measures for the Administration of the Security of Regulatory Data of the China Banking and Insurance Regulatory Commission (Trial)
中国银保监会监管数据安全管理办法(试行)
Issued by the China Banking and Insurance Regulatory Commission (CBIRC) on September 23, 2020, these trial measures govern the security of regulatory data — the figures, indicators, reports and other information that the CBIRC lawfully collects and that is recorded, generated and stored by regulatory information systems. They establish centralized (归口) administration, prescribe rules for the collection, storage, processing, use and cross-border sharing of regulatory data, and set out requirements for entrusted service providers, supervision, and reporting of major data security incidents within 48 hours.
- § 04 · Accounting Firms Data Security Measures
Interim Measures for the Data Security Management of Accounting Firms
会计师事务所数据安全管理暂行办法
Departmental normative document (Cai Kuai [2024] No. 6) issued by the Ministry of Finance and the Cyberspace Administration of China governing data-processing activities by accounting firms in audit engagements. It applies to firms auditing listed companies, state-owned financial institutions and central enterprises, CII operators and large online-platform operators (over one million users), and overseas-listing engagements, as well as any engagement involving important or core data. It requires full-life-cycle data security management, data classification and grading, least-privilege access controls, domestic storage of audit working papers (with domestic encryption equipment and key storage), prohibitions on clauses providing domestic project data to overseas regulators, and compliance with cross-border data transfer rules. The chief partner is designated as the firm's data security officer. Effective October 1, 2024.
Drafts in Consultation .
征求意见稿
- § 01 · Financial Sector Cybersecurity Measures (Draft) · DRAFT
Measures for Cybersecurity Management in the Financial Sector (Draft for Comment)
金融业网络安全管理办法(征求意见稿)
A July 3, 2026 public-consultation draft that would create a cross-financial-sector cybersecurity rulebook for financial institutions and other entities approved or recognized by China's State Council financial management departments. The draft sits on top of the Cybersecurity Law, Data Security Law, PIPL, the CII Regulations and the Network Data Security Regulation, and translates them into a financial-sector baseline: cybersecurity responsibility systems, governance structures, network operation security, MLPS, commercial cryptography, network-data and personal-information protection, emerging-technology risk management, illegal-information response, app-download security duties, and a dedicated CII layer for financial critical information infrastructure. For financial CIIOs, the draft adds identification by the State Council financial management departments, a chief cybersecurity officer, a dedicated security body and background checks, cybersecurity-review pre-judgment for network-product and service procurement, annual reporting of network products, services and cloud procurement, annual testing and risk assessment, and sector-specific incident plans and drills. It also creates a coordination frame among the PBOC, NFRA, CSRC, SAFE and the CAC/public security/cryptography authorities, with legal liability routed through the existing financial, cybersecurity, data, personal-information, CII and cryptography statutes. Public comments are due August 3, 2026.
- § 02 · Banking & Insurance Cybersecurity Measures (Draft) · DRAFT
Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors (Draft for Public Consultation)
银行业保险业网络安全管理办法(征求意见稿)
A July 10, 2026 public-consultation draft in which the National Financial Regulatory Administration (NFRA) would consolidate cybersecurity supervision of banking financial institutions, insurance financial institutions, and financial holding companies into a single 72-article sectoral rulebook under the CSL, DSL, PIPL, and CII Regulations, expressly interlocking with the cross-sector financial-industry cybersecurity measures released for comment on July 3. The draft fixes board and Party-committee primary responsibility with the institution's principal officer as first person responsible; requires an independent cybersecurity risk-management function, network security domains with minimum-necessary cross-domain access, a six-month log-retention floor, closed-loop vulnerability management with industry-impact reporting, pre-launch security testing for MLPS Level 3-and-above and internet-facing systems, supply-chain product inventories, and annual penetration testing plus a triennial cybersecurity audit. A four-tier incident scale keyed to data compromise and outage duration drives reporting clocks: two hours to the NFRA for Level 3 and above, with two-hourly progress reports for Level 1 incidents. A dedicated CII chapter requires domestic operation and maintenance, disaster-recovery centers capable of fully taking over production, MLPS grading no lower than Level 3, cybersecurity review of procurement that may affect national security, annual procurement-list filing, a 24/7 security operations center, in-house mastery of key technologies, and a one-hour incident-reporting deadline to the NFRA and public security authorities. Comments close August 10, 2026.