Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · TC260 DATA RISK ASSESSMENT GUIDE

Cybersecurity Standards Practice Guide — Implementation Guidelines for Network Data Security Risk Assessment.

网络安全标准实践指南 — 网络数据安全风险评估实施指引

FILED UNDER · Data Security

DCC summary, not a translation. TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC’s own paraphrase grounded in the guide’s title and the underlying regime; specific clauses should be checked against the published guide.

Scope

This practice guide provides implementation guidelines for carrying out a network data security risk assessment — a procedural, hands-on walkthrough of how to plan, perform, and report an assessment of the security risks to network data across its lifecycle. It applies to data processors conducting such assessments (including those required to assess important-data processing) and to bodies assisting them.

It is a practice guide issued by the TC260 Secretariat — advisory, not a mandatory standard, and is designed to be the procedural complement to the formal risk-assessment method standard.

Key contents

At a structural level the guide is expected to cover:

  • Assessment preparation — scoping, team and work-plan setup, and gathering of data inventories (informed by classification and grading).
  • Asset and risk identification — identifying data assets, threats, vulnerabilities, and the existing security measures across collection, storage, transmission, use, provision, disclosure and deletion.
  • Risk analysis and rating — analyzing likelihood and potential impact (to national security, public interest, organizations and individuals) and determining an overall risk level.
  • Treatment and reporting — recommending risk-treatment measures and producing the assessment report, including any matters to be reported to regulators.
  • Templates and worked steps — practical checklists and report formats to standardize execution.

Editor: verify specific clauses against the published guide.

How it fits the regime

The guide operationalizes the risk-assessment duties of the Network Data Security Management Regulations (effective 1 January 2025), which require processors of important data to conduct periodic data-security risk assessments and report the results, and which expect risk assessment around other significant processing activities. It gives organizations a concrete procedure to satisfy those duties.

It is the practice-oriented companion to GB/T 45577 (Data Security Risk Assessment Method), which supplies the formal method, and it relies on GB/T 43697 (classification and grading) to identify which data is important or core. For overseas compliance teams whose Chinese operations process important data or operate at scale, it is the step-by-step reference for running and documenting a network-data-security risk assessment that regulators will recognize.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →