Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · FINANCIAL SECTOR CYBERSECURITY MEASURES (DRAFT)

Measures for Cybersecurity Management in the Financial Sector (Draft for Comment).

金融业网络安全管理办法(征求意见稿)

Released for public comment: July 3, 2026.
Public-comment deadline: August 3, 2026.

DCC translation. No official English translation exists. The original Chinese PDF released through the National Financial Regulatory Administration controls. This is a translation of the draft text only; the separate drafting explanation is linked below but not translated on this page.

Source documents

Measures for Cybersecurity Management in the Financial Sector

(Draft for Comment)

Chapter I General Provisions

Article 1 (Purpose and basis). These Measures are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Regulations on the Security Protection of Critical Information Infrastructure, the Regulation on Network Data Security Management, and other laws and administrative regulations, in order to comprehensively regulate cybersecurity management in the financial sector, safeguard financial services, and maintain financial security.

Article 2 (Scope of application). These Measures apply to financial-sector entities that build, operate, maintain and use networks within the territory of the People’s Republic of China, and to the supervision and administration of cybersecurity in the financial sector. Where other relevant competent departments have provisions, those provisions shall also be complied with in accordance with the law. Where the State has provisions on cybersecurity management for networks that store or process information involving state secrets, those provisions shall prevail.

Article 3 (General requirements for cybersecurity protection). Financial-sector entities shall, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, perform cybersecurity-protection obligations and bear primary responsibility for their own cybersecurity. Financial-sector entities shall give equal weight to cybersecurity and informatization development, provide necessary resources for cybersecurity work, establish and improve a cybersecurity assurance system suited to the entity, improve cybersecurity-protection capabilities, effectively control cybersecurity risks, and prevent cyber-related unlawful and criminal activities.

Financial-sector entities shall actively provide technical support and assistance to public security organs and state security organs in their lawful activities to safeguard national security and investigate crimes.

Article 4 (Industry self-regulation). Industry associations in the financial sector shall strengthen self-regulation, formulate cybersecurity codes of conduct and association standards in accordance with the law, and guide members in strengthening cybersecurity protection.

Chapter II Cybersecurity-Protection Obligations

Article 5 (Cybersecurity work responsibility system). Financial-sector entities shall establish and implement a cybersecurity responsibility system in accordance with relevant State provisions, and determine the person responsible for cybersecurity.

Article 6 (Cybersecurity governance). Financial-sector entities shall establish a cybersecurity-management organizational structure and deliberation and decision-making mechanism, designate a lead cybersecurity management department, ensure funding and staffing for the entity’s cybersecurity, develop internal cybersecurity management systems and operating procedures, clarify the cybersecurity-protection duties of the entity, its branches, its subordinate legal-person entities and others, and urge implementation of cybersecurity-protection responsibilities.

Article 7 (Network operation security). Financial-sector entities shall, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, carry out network operation monitoring, cybersecurity risk and incident handling and reporting, and other work; establish and improve cybersecurity incident emergency plans; and adopt corresponding technical and management measures to safeguard network operation security.

Article 8 (Multi-Level Protection Scheme). Financial-sector entities shall, in accordance with the requirements of the State’s Multi-Level Protection Scheme for cybersecurity, reasonably determine the security-protection level of their networks, perform classification and filing obligations, carry out cybersecurity MLPS assessments on schedule, and promptly rectify risks discovered in such assessments.

Article 9 (Use of commercial cryptography). Financial-sector entities shall use commercial cryptography to protect cybersecurity in accordance with the requirements of the State’s Multi-Level Protection Scheme for cybersecurity. Where the State Council financial management departments have further provisions on the use of commercial cryptography, financial-sector entities shall comply with those provisions.

Article 10 (Network data protection). Financial-sector entities shall, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, strengthen the classification and grading management of network data, and adopt corresponding technical and management measures to prevent network data from being tampered with, destroyed, leaked, or unlawfully obtained or unlawfully used.

Article 11 (Protection of personal information on networks). Financial-sector entities shall, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, regulate personal information processing activities and safeguard personal information security.

Financial-sector entities are encouraged to use the national network identity authentication public service to carry out user identity verification.

Article 12 (Application of technological innovation). Financial-sector entities shall, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, properly conduct risk management for innovative applications of information technology.

Article 13 (Prevention of unlawful and non-compliant information). Financial-sector entities shall take measures and, in accordance with laws, administrative regulations, and relevant provisions of the State and the State Council financial management departments, strengthen management of information published on networks. Where they discover information whose publication or transmission is prohibited by laws or administrative regulations, they shall immediately stop transmitting the information, take disposal measures such as elimination, prevent the information from spreading, preserve relevant records, and report to the relevant competent department.

Article 14 (Security management of information services). Financial-sector entities that provide application software download services to the public shall take measures and, in accordance with laws, administrative regulations and relevant State provisions, perform security-management obligations such as detecting malicious programs and unlawful or non-compliant information. Where an application software is found to contain a malicious program, or to contain information whose publication or transmission is prohibited by laws or administrative regulations, the financial-sector entity shall immediately cease providing download services, preserve relevant records, and report to the relevant competent department.

Article 15 (Identification of financial-sector critical information infrastructure). The State Council financial management departments shall organize identification of financial-sector critical information infrastructure in accordance with the rules for identifying critical information infrastructure in the financial sector, determine the identification results, promptly notify the operators of financial-sector critical information infrastructure (hereinafter, “operators”), notify the public security department under the State Council, and copy the national cyberspace administration.

Where an operator undergoes merger, division, dissolution or other such circumstances, or where a relatively major change occurs to critical information infrastructure that may affect the identification result, the operator shall promptly report the relevant circumstances in accordance with relevant provisions of the State Council financial management departments.

Article 16 (Operator organizational structure and support for duty performance). The principal person in charge of an operator shall bear overall responsibility for the security protection of financial-sector critical information infrastructure. The operator shall designate a member of its leadership team in charge of cybersecurity to serve as chief cybersecurity officer, in charge of security-protection work for critical information infrastructure, and shall designate, for each item of critical information infrastructure, one security-management responsible person to organize implementation of security-protection work for that critical information infrastructure.

An operator shall establish a dedicated security-management body and conduct security background checks on the head of the dedicated security-management body and on personnel in key positions.

The dedicated security-management body shall, in accordance with relevant provisions of the State Council financial management departments, submit plans for the security protection of critical information infrastructure and summaries of cybersecurity work.

Article 17 (Supply-chain security). Operators shall declare cybersecurity review in accordance with the State cybersecurity review provisions and the financial-industry pre-judgment guide, and shall submit annual lists of network products and services and cloud computing services procured in accordance with relevant provisions of the State Council financial management departments.

Operators shall regulate the use of commercial cryptography in accordance with the relevant management provisions on the use of commercial cryptography for critical information infrastructure.

Article 18 (Risk assessment). Operators shall, by themselves or by entrusting cybersecurity service institutions, conduct cybersecurity testing and risk assessment of critical information infrastructure at least once each year. The content shall include at least cybersecurity MLPS assessment, commercial cryptography application security assessment, implementation of systems and national standards related to the security protection of critical information infrastructure, protection of data and personal information processed by the critical information infrastructure, monitoring and handling of cybersecurity risks related to the critical information infrastructure, and implementation of improvements after emergency handling of cybersecurity incidents. Operators shall promptly rectify security problems discovered through testing and assessment, and shall annually submit testing, assessment and rectification information in accordance with relevant provisions of the State Council financial management departments.

Article 19 (Cybersecurity incident emergency plans). Operators shall, in accordance with the national cybersecurity incident emergency plan and the financial-sector critical information infrastructure cybersecurity incident emergency plan, formulate their own emergency plans for critical information infrastructure, conduct regular drills, and regulate the reporting and handling procedures for cybersecurity incidents and major cybersecurity threats related to critical information infrastructure.

Chapter III Coordination in Supervision and Administration

Article 20 (Principles for coordination in supervision and administration). The State Council financial management departments shall, in accordance with laws, administrative regulations, and the decisions and arrangements of the CPC Central Committee and the State Council, and in accordance with the division of regulatory duties, be responsible within the scope of their duties for work related to cybersecurity management of financial-sector entities.

The State Council financial management departments shall support and cooperate with the national cyberspace administration, the public security department under the State Council, the national cryptography administration, and other relevant competent departments in carrying out cybersecurity protection and supervision and administration work involving the financial sector in accordance with their duties.

Branches and dispatched offices of the State Council financial management departments shall carry out cybersecurity supervision and administration within their jurisdictions in accordance with the division of duties of the State Council financial management departments.

Article 21 (Coordinated implementation of special cybersecurity tasks). Where the CPC Central Committee, the State Council, or a relevant decision-making, deliberation and coordination body has already specified the division of work, the State Council financial management departments shall be responsible in accordance with that division. For matters where a particular State Council financial management department has been specified as the lead responsible department, the lead responsible department shall, on the basis of authorization and provisions in laws and regulations, further refine the division of duties among the relevant State Council financial management departments within the established framework of duties. Where neither of the foregoing circumstances applies, the State Council financial management departments shall communicate and consult, and then clarify their respective division of duties.

Article 22 (Information sharing). The State Council financial management departments and their same-level branches and dispatched offices shall strengthen sharing of information on cybersecurity incidents, risks, situations, intelligence and the like, and, as circumstances require, consult and judge the overall risk situation involving the financial sector.

Article 23 (Cooperation with supervision and administration). Financial-sector entities shall conscientiously accept and cooperate with all cybersecurity supervision and administration work carried out by relevant competent departments and by the State Council financial management departments and their branches and dispatched offices; provide true and complete information and materials on time; and shall not refuse or obstruct supervision and inspection lawfully implemented by relevant competent departments and by the State Council financial management departments and their branches and dispatched offices.

Article 24 (Handling of transmission of unlawful or non-compliant information). Where a financial-sector entity fails, with respect to malicious programs and information whose publication or transmission is prohibited by laws or administrative regulations, to promptly stop transmission, take disposal measures such as elimination, or preserve relevant records, the State Council financial management departments and their branches and dispatched offices shall transfer the relevant case information to the relevant competent department at the same level, and cooperate with that department in handling the matter in accordance with laws and regulations.

Article 25 (Handling of failure to use commercial cryptography as required). Where a financial-sector entity fails to use commercial cryptography to protect cybersecurity as required by the State’s Multi-Level Protection Scheme for cybersecurity, or where an operator violates management provisions on the use of commercial cryptography for critical information infrastructure, the State Council financial management departments and their branches and dispatched offices shall transfer the relevant case information to the cryptography administration at the same level, and cooperate with that department in handling the matter in accordance with laws and regulations.

Article 26 (Penalties for non-cooperation with supervision and inspection). Where a financial-sector entity refuses or obstructs cybersecurity supervision and inspection carried out by the State Council financial management departments and their branches and dispatched offices, the State Council financial management departments and their branches and dispatched offices shall impose penalties in accordance with relevant provisions of the Law of the People’s Republic of China on the People’s Bank of China, the Commercial Bank Law of the People’s Republic of China, the Banking Supervision Law of the People’s Republic of China, the Insurance Law of the People’s Republic of China, the Securities Law of the People’s Republic of China, the Securities Investment Fund Law of the People’s Republic of China, the Futures and Derivatives Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, the Regulation on the Supervision and Administration of Private Investment Funds, the Regulations of the People’s Republic of China on Foreign Exchange Administration, and other relevant provisions.

Article 27 (Penalties for violation of other cybersecurity-protection obligations). Where a financial-sector entity fails to perform the cybersecurity-protection obligations provided in these Measures, and the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Regulations on the Security Protection of Critical Information Infrastructure, or the Regulation on Network Data Security Management already provide penalties, the State Council financial management departments and their branches and dispatched offices shall impose penalties in accordance with the provisions of those laws and administrative regulations and according to the division of regulatory duties. Where those laws and administrative regulations do not provide penalties, but other laws or administrative regulations provide penalties, penalties shall be imposed in accordance with those provisions.

Article 28 (Other legal liability). Where a financial-sector entity fails to perform the cybersecurity-protection obligations provided in these Measures and is suspected of constituting an act violating public security administration, the matter shall be transferred to the public security organ for handling. Where a crime is constituted, the matter shall be transferred to a judicial organ for criminal liability to be pursued in accordance with the law.

Article 29 (Handling of violations by management personnel). Where staff of the State Council financial management departments and their branches and dispatched offices neglect duties, abuse powers, or engage in favoritism or malpractice, sanctions shall be imposed in accordance with laws and regulations. Where a crime is constituted, the matter shall be transferred to a judicial organ for criminal liability to be pursued in accordance with the law.

Chapter V Supplementary Provisions

Article 30 (Definitions). The following terms used in these Measures have the following meanings:

(1) “Financial-sector entities” refers to financial institutions and other institutions approved for establishment or recognized by the State Council financial management departments.

(2) “State Council financial management departments” refers to the People’s Bank of China, the National Financial Regulatory Administration, the China Securities Regulatory Commission, and the State Administration of Foreign Exchange.

(3) “Key positions” refers to planning and construction, development and testing, security operation, and daily operation and maintenance positions that are directly related to the security protection of critical information infrastructure and that possess relatively comprehensive information.

Article 31 (Cybersecurity management of local financial organizations). Local financial management institutions shall take the lead in supervising and administering the performance of cybersecurity-protection obligations by local financial organizations, and may formulate corresponding management systems with reference to these Measures and to the cybersecurity-related provisions of the State Council financial management departments.

Article 32 (Authority to interpret). These Measures shall be interpreted by the State Council financial management departments.

Article 33 (Effective date). These Measures shall come into force on [month] [day], 2026.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

1 brief references this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →