DCC summary, not a translation. TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC’s own paraphrase grounded in the guide’s title and the underlying regime; specific clauses should be checked against the published guide.
Scope
This practice guide provides implementation guidelines for carrying out a network data security risk assessment — a procedural, hands-on walkthrough of how to plan, perform, and report an assessment of the security risks to network data across its lifecycle. It applies to data processors conducting such assessments (including those required to assess important-data processing) and to bodies assisting them.
It is a practice guide issued by the TC260 Secretariat — advisory, not a mandatory standard, and is designed to be the procedural complement to the formal risk-assessment method standard.
Key contents
At a structural level the guide is expected to cover:
- Assessment preparation — scoping, team and work-plan setup, and gathering of data inventories (informed by classification and grading).
- Asset and risk identification — identifying data assets, threats, vulnerabilities, and the existing security measures across collection, storage, transmission, use, provision, disclosure and deletion.
- Risk analysis and rating — analyzing likelihood and potential impact (to national security, public interest, organizations and individuals) and determining an overall risk level.
- Treatment and reporting — recommending risk-treatment measures and producing the assessment report, including any matters to be reported to regulators.
- Templates and worked steps — practical checklists and report formats to standardize execution.
Editor: verify specific clauses against the published guide.
How it fits the regime
The guide operationalizes the risk-assessment duties of the Network Data Security Management Regulations (effective 1 January 2025), which require processors of important data to conduct periodic data-security risk assessments and report the results, and which expect risk assessment around other significant processing activities. It gives organizations a concrete procedure to satisfy those duties.
It is the practice-oriented companion to GB/T 45577 (Data Security Risk Assessment Method), which supplies the formal method, and it relies on GB/T 43697 (classification and grading) to identify which data is important or core. For overseas compliance teams whose Chinese operations process important data or operate at scale, it is the step-by-step reference for running and documenting a network-data-security risk assessment that regulators will recognize.