Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · MH/T 3038—2025

Technical Requirements for Monitoring and Warning of Data Security in Civil Aviation (MH/T 3038—2025).

民用航空数据安全监测预警技术要求(MH/T 3038—2025)

Promulgated by: Civil Aviation Administration of China.
Standard Number: MH/T 3038—2025 (Civil Aviation Industry Standard of the People’s Republic of China).
Classification: ICS 35.030; CCS L 80.
Date of Release: July 18, 2025.
Date of Implementation: August 1, 2025.


Foreword

This document is drafted in accordance with the provisions of GB/T 1.1—2020 Directives for Standardization — Part 1: Rules for the Structure and Drafting of Standardizing Documents.

Please note that some content of this document may involve patents. The issuing body of this document assumes no responsibility for identifying patents.

This document is proposed by the Department of Personnel, Science, Technology and Education of the Civil Aviation Administration of China.

This document is under the centralized management of the China Academy of Civil Aviation Science and Technology.

Drafting entities of this document: Information Center of the Civil Aviation Administration of China; Air Traffic Management Bureau of the Civil Aviation Administration of China; TravelSky Technology Limited; Air China Limited; Beijing Topsec Network Security Technology Co., Ltd.; Beijing Anhua Jinhe Technology Co., Ltd.; DBAPPSecurity Co., Ltd. (Hangzhou); NSFOCUS Technologies Group Co., Ltd. (Beijing); Civil Aviation Management Institute of China; CETC Cyberspace Security Technology Co., Ltd.; Sangfor Technologies Inc.; and Qi An Xin Technology Group Inc.

1 Scope

This document establishes the basic principles for data security monitoring and warning in civil aviation (hereinafter referred to as “civil aviation”), and specifies the technical requirements for data security monitoring and warning.

This document applies to guiding data processors in the civil-aviation field in building data security monitoring and warning capabilities.

This document does not apply to data security monitoring and warning work involving State secrets.

Note: The term “data” as used in this document means various electronic data processed and generated through networks.

2 Normative References

The contents of the following documents constitute indispensable provisions of this document through normative reference in the text. Among them, for dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.

  • GB/T 25069 Information security techniques — Terminology
  • GB/T 35273 Information security technology — Personal information security specification
  • GB/T 35274 Information security technology — Security capability requirements for big data services
  • MH/T 3039 Requirements for data classification and grading in the civil aviation field

3 Terms and Definitions

The terms and definitions defined in GB/T 25069, GB/T 35273, GB/T 35274, and MH/T 3039, as well as the following terms and definitions, apply to this document.

3.1 data security monitoring
The activity of carrying out real-time and continuous monitoring and analysis of data processing activities, so as to discover data security risks and incidents at an early stage.

3.2 data security incident
An incident in which, through technical or other means, tampering with, destruction, leakage, illegal obtaining, or illegal use of data, and the like, is carried out, resulting in business loss or causing social harm.

3.3 data interface
A channel or protocol for data transmission and exchange between information systems.

Note: The relevant protocols include HTTP, HTTPS, and other protocols.

3.4 sensitive personal information
Personal information that, once leaked or illegally used, is liable to result in infringement of the personal dignity of a natural person or harm to personal or property safety.
[Source: GB/T 43697—2024, 3.6]

3.5 alert
The act of actively issuing a warning-type notification by certain technical means when a data security risk is discovered.
[Source: GB/T 28451—2023, 3.5, modified]

3.6 warning
The act of issuing a security warning in advance or in a timely manner with respect to a data security incident that is about to occur or is occurring.
[Source: GB/T 32924—2016, 3.4, modified]

4 Abbreviations

The following abbreviation applies to this document.

IP: Internet Protocol

5 Overview

Data processors in the civil-aviation field, by carrying out security monitoring of data processing activities, promptly discover data security risks such as data tampering, destruction, leakage, illegal obtaining, or illegal use, and issue warnings of data security risks and incidents, thereby reducing the impact caused by data security incidents.

The objects of data security monitoring are data processing activities, including data collection, storage, use and processing, transmission, provision, disclosure, deletion, and the like, the specific content of which is as follows:

a) Data collection: the data processing activity of acquiring data from one or more data sources through a network in accordance with a specific purpose and requirement;

b) Data storage: the data processing activity of persistently saving data in storage media such as hard disks;

c) Data use and processing: the data processing activity of carrying out operations such as retrieval, display, transformation, computation, and analysis on data;

d) Data transmission: the data processing activity of transmitting data from one responsible entity to another responsible entity through a network;

e) Data provision: the data processing activity of providing controlled data to other responsible entities within the organization or to other organizations;

f) Data disclosure: the data processing activity of disclosing controlled data to the public;

g) Data deletion: the data processing activity of erasing data, or overwriting stored data, in the information systems and data storage devices involved, so as to render it incapable of being retrieved or accessed.

Note: Because the physical destruction of storage media cannot be monitored through a network, data deletion in this document does not include the physical destruction of storage media.

The information that needs to be collected for carrying out data security monitoring includes, but is not limited to, the logs and traffic data of assets such as network devices, servers, security devices, cryptographic devices, storage devices, application systems, data interfaces, databases, big-data platforms, and cloud platforms that support data processing activities. For illustrative examples of data security monitoring under typical civil-aviation business scenarios, see Appendix A.

Data security warning is the act of analyzing and judging the abnormal alert information discovered by data security monitoring, classifying the warning levels for data security incidents that are about to occur or are occurring, and at the same time carrying out warning issuance and warning response, and promptly escalating, de-escalating, or canceling the warning according to the response situation.

6 Basic Principles for Data Security Monitoring and Warning

The basic principles to be followed by data processors in the civil-aviation field when carrying out data security monitoring and warning are as follows:

a) Security and compliance: comply with the data security-related management requirements of the State and the industry, and ensure the compliance of data security monitoring and warning work;

b) Timeliness and accuracy: promptly collect and analyze data security risk information, and accurately judge the level of data security incidents;

c) Comprehensive coverage: the scope of monitoring covers data processing activities such as data collection, storage, use, processing, transmission, provision, disclosure, and deletion;

d) Continuous optimization: dynamically update data security monitoring and warning strategies according to changes in actual business scenarios and data security monitoring and warning needs;

e) Minimal impact: fully consider the impact of monitoring activities on business continuity, and avoid affecting the normal conduct of business.

7 Data Security Monitoring Requirements

7.1 General Requirements

Data security monitoring shall meet the following requirements:

a) monitor the network traffic of the data processing environment, and issue an alert upon discovering abnormal traffic with characteristics such as malicious code or phishing emails;

b) monitor the communication objects and behavior, communication data, and interface configuration of data interfaces, and issue an alert upon discovering situations such as abnormal invocation of data interfaces, abnormal opening, abnormal exposure of data, or defects in authentication and authorization mechanisms;

c) monitor the logs of data security components such as data encryption, data de-identification, data leakage prevention, and database auditing, and issue an alert upon discovering situations such as their strategies not being effectively executed.

7.2 Data Collection

Data collection monitoring shall meet the following requirements:

a) monitor the working status of data collection tools or service components, and issue an alert upon discovering abnormal situations such as service anomalies or traffic overload;

b) monitor the time, quantity, frequency, scope, and other information of the collection of core data, important data, and sensitive personal information using automated tools, and issue an alert upon discovering abnormal situations of data collection such as exceeding the agreed frequency or exceeding the scope required by the business;

c) monitor the reliability of the data sources of core data, important data, and sensitive personal information, and issue an alert upon discovering abnormal situations such as failure of identity authentication or non-authentication;

d) monitor the authenticity and integrity verification results of core data, important data, and sensitive personal information, and issue an alert upon discovering abnormal verification results.

7.3 Data Storage

Data storage monitoring shall meet the following requirements:

a) monitor the execution results and frequency of local data backup and off-site data backup, and issue an alert upon discovering anomalies such as backup job execution failure or excessively low backup frequency;

b) monitor the behavior of accessing the data storage system, and issue an alert upon discovering anomalies such as abnormal IP access or unauthorized access;

c) monitor the performance indicators, used space, and health status of the data storage system, and issue an alert upon discovering anomalies such as system overload, insufficient storage space, or hardware failure;

d) monitor the storage encryption status of core data, important data, and sensitive personal information, and issue an alert upon discovering plaintext storage;

e) monitor the access of mobile storage media, and issue an alert upon discovering anomalies such as non-compliant access or the carrying of malicious code.

7.4 Data Use and Processing

Data use and processing monitoring shall meet the following requirements:

a) monitor the behavior of accessing data, and issue an alert upon discovering anomalies such as ultra vires access, high-frequency access, abnormal IP access, or access during abnormal time periods;

b) monitor the behavior of operating on data, and issue an alert upon discovering anomalies such as non-compliant downloading, non-compliant exporting, or malicious deletion.

7.5 Data Transmission

Data transmission monitoring shall meet the following requirements:

a) monitor the availability of data transmission devices and communication lines, and issue an alert upon discovering device or line failures;

b) monitor the identity authentication result information of data transmission entities, and issue an alert upon discovering unauthorized connections;

c) monitor the behavior of transmitting core data, important data, and sensitive personal information across responsible entities, and issue an alert upon discovering anomalies such as plaintext transmission, transmission exceeding the authorized scope, or failure to use a secure transmission protocol;

d) monitor the data transmission integrity verification results of core data, important data, and sensitive personal information, and issue an alert upon discovering abnormal verification results.

7.6 Data Provision

Data provision monitoring shall meet the requirements of 7.5 c), and shall also meet the following requirements:

a) monitor the exchange, sharing, and transfer activities involving core data, important data, and sensitive personal information, and issue an alert upon discovering that the data has not adopted measures such as encryption or de-identification;

b) monitor the cross-border flow involving important data and sensitive personal information, and issue an alert upon discovering non-compliant outbound conduct such as inconsistency between the actual outbound data and the declared content.

7.7 Data Deletion

The deletion method, type of deleted data, magnitude of deleted data, operation behavior results, and the like, of core data, important data, and sensitive personal information shall be monitored, and an alert shall be issued upon discovering conduct such as erroneous deletion of data, unauthorized deletion, or ineffective deletion.

8 Data Security Warning Requirements

8.1 Warning Classification

The warning levels for data security incidents are, from high to low according to the level and magnitude of the data, divided into four levels: red warning (Level I warning), orange warning (Level II warning), yellow warning (Level III warning), and blue warning (Level IV warning).

The different levels shall meet the following warning requirements:

a) Red warning (Level I warning): when a data security incident involving core data is about to occur or is occurring, a red warning shall be issued.

b) Orange warning (Level II warning): when a data security incident involving any of the following situations is about to occur or is occurring, an orange warning shall be issued:

  1. important data;

  2. general data that causes minor harm to social order and the public interest, or serious harm to the rights and interests of organizations;

  3. sensitive personal information that causes particularly serious harm to the rights and interests of individuals.

c) Yellow warning (Level III warning): when a data security incident involving any of the following situations is about to occur or is occurring, a yellow warning shall be issued:

  1. general data that causes general harm to the rights and interests of organizations;

  2. sensitive personal information that causes serious harm to the rights and interests of individuals.

d) Blue warning (Level IV warning): when a data security incident other than the situations mentioned above is about to occur or is occurring, a blue warning shall be issued.

8.2 Warning Issuance

Data processors in the civil-aviation field carrying out warning issuance work shall meet the following requirements:

a) analyze and judge the abnormal data security situations monitored, and issue internal warning information for the data security risks or incidents discovered in accordance with the warning level;

b) ensure the security and reliability of the warning issuance channels, and avoid data security incidents caused by the leakage or spread of warning information;

c) the warning information shall include the warning level, the nature of the incident, the quantity and type of data involved, the scope and degree of impact, preventive countermeasures, and the like;

d) when a data security incident reaching the yellow-warning, orange-warning, or red-warning level is about to occur or is occurring, promptly report to the industry data security supervision and administration authority.

8.3 Warning Response

While issuing warning information, data processors in the civil-aviation field shall actively respond to data security incidents. The response measures include, but are not limited to, the following:

a) activate, according to the actual situation, an emergency plan matching the warning level;

b) for data security incidents that have been reported, report the handling process and results to the industry data security supervision and administration authority;

c) for data security incidents that may harm the lawful rights and interests of individuals, promptly inform the affected personal-information subjects by means of email, letter, telephone, push notification, and the like. Where it is difficult to inform the personal-information subjects one by one, adopt a reasonable and effective method to release warning information relevant to the public, and take remedial measures.

8.4 Warning Escalation, De-escalation, or Cancellation

Data processors in the civil-aviation field shall, according to the dynamic changes of data security incidents, promptly issue warning escalation, de-escalation, or cancellation information. The specific information to be issued is as follows:

a) when the scope of harm caused by a data security incident expands and the degree of impact intensifies, issue warning escalation information;

b) when a data security incident is brought under control and the scope of harm shrinks and the degree of impact decreases, issue warning de-escalation information;

c) when a data security incident is eliminated, or it is found upon assessment that it does not reach the blue-warning level, issue warning cancellation information.

Appendix A (Informative) Examples of Data Security Monitoring Under Typical Civil-Aviation Business Scenarios

Examples of data security monitoring under typical civil-aviation business scenarios are shown in Table A.1.

Table A.1 Examples of Data Security Monitoring Under Typical Civil-Aviation Business Scenarios

ScenarioData generated and processedData processors involvedData processing activities involvedData security risks involvedApplicable clauses
Passenger ticketingPassenger flight information, member information, payment information, and other dataAirlines; airports; reservation system information service providers; ticket sales agentsCollection, storage, use and processing, transmission, provision, deletionData leakage risk; data tampering risk; data misuse risk; illegal sale of data7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.8
Passenger security screeningPassenger flight information, passenger identity-document information, passenger portrait photographs, passenger security-screening information, passenger status information, passenger boarding status, passenger whereabouts information, and other dataAirports; security-screening system information service providersCollection, storage, use and processing, transmission, provision, deletionData leakage risk; data tampering risk; data misuse risk; data forgery risk7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.8
Baggage check-inBaggage check-in information and other dataAirports; airlines; check-in system information service providersCollection, storage, use and processing, transmission, provision, deletionData leakage risk7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.8
Passenger check-inPassenger information, flight information, seat-assignment information, baggage information, and other dataAirlines; airports; departure-control system information service providersCollection, storage, use and processing, transmission, provision, deletionData leakage risk; data tampering risk; data loss risk7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.8
Air traffic managementCommunication, navigation and surveillance, meteorological services, aeronautical information, flow management, operation monitoring, and other dataAir Traffic Management Bureau; air traffic management sub-bureaus (stations)Collection, storage, use and processing, transmission, provision, deletionData leakage risk; data tampering risk; data loss risk7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.8
Safety supervisionAdministrative licensing information, administrative inspection information, practitioner physical-examination information, aircraft filing information, maintenance organization information, flight information, cargo and mail information, real-name registration information of unmanned aircraft, and other dataCivil aviation safety supervision and administration bodies; entities engaged in the construction and operation and maintenance of civil aviation safety supervision systemsCollection, storage, use and processing, transmission, provision, disclosure, deletionData leakage risk; data tampering risk; data forgery risk; data loss risk7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8

Bibliography

  • [1] GB/T 20986—2023 Information security technology — Guidelines for the categorization and classification of cybersecurity incidents
  • [2] GB/T 28451—2023 Information security technology — Technical specification for network intrusion prevention products
  • [3] GB/T 32924—2016 Information security technology — Guidelines for cybersecurity warning
  • [4] GB/T 41479—2022 Information security technology — Security requirements for network data processing
  • [5] GB/T 43697—2024 Data security technology — Rules for data classification and grading
§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →