Editor’s Note — DCC.
The Measures for Network Data Security Risk Assessment (《网络数据安全风险评估办法》, CAC–MIIT–MPS Order No. 24) were promulgated June 18, 2026 and take effect August 20, 2026. DCC has published the full instrument and a close reading and a self-identification guide for important-data handlers. This JunHe piece answers the next question: where the new Measures sit in China’s wider security-review architecture. Its useful move is to run four regimes — foreign investment security review, cybersecurity review, data export security assessment, and the new risk assessment — through one five-question grid, and its practical warning is about finality: for the three admission-style reviews there is effectively no ex-post remedy.
Two reading notes. The author cites the Cybersecurity Law by its 2025-amended article numbering (e.g., the penalty for using unreviewed products appears as Article 67). And the “matrix” characterizations — filter, gatekeeper, pass, physical exam — are the author’s, as is the closing AI-company walkthrough. The tables below are reconstructed from the original.
On June 18, 2026, the Cyberspace Administration of China (CAC) released the Measures for Network Data Security Risk Assessment — adding another important piece to China’s security-review puzzle.
I. The map of China’s security reviews
The foundation of security review is national security, and national security has been the theme of the era. Geopolitical conflict and great-power competition have pushed its importance to a new height, and China — guided by the holistic approach to national security (总体国家安全观) — is accelerating a new “security first” (安全至上) macro-governance posture.
China has no single, unified national security review system. Instead, national security is broken down into separate dimensions — foreign investment; specific items and key technologies; network information technology products and services — each with its own security review.
A preliminary survey of security-review provisions at the level of statute:
| Review field | Law | Key provision |
|---|---|---|
| National security | National Security Law (2015, Presidential Decree No. 29) | The State establishes systems and mechanisms for national security review and oversight, conducting national security review of foreign investment; specific items and key technologies; network information technology products and services; construction projects involving national-security matters; and other major matters and activities that affect or may affect national security, to effectively prevent and defuse national-security risks. |
| Foreign investment | Foreign Investment Law (2020, Presidential Decree No. 26) | The State establishes a foreign investment security review system to review foreign investment that affects or may affect national security. A security review decision made in accordance with law is final. |
| Foreign investment | Anti-Monopoly Law (2022, Presidential Decree No. 116) | Where a foreign investor’s merger with or acquisition of a domestic enterprise, or other participation in a concentration of undertakings, involves national security, a national security review must be conducted under relevant state provisions in addition to the concentration review under the Anti-Monopoly Law itself. |
| Foreign investment | Food Security Guarantee Law (2023, Presidential Decree No. 17) | Foreign investment in grain production and operation that affects or may affect national security must undergo foreign investment security review under relevant state provisions. |
| Foreign investment | Hainan Free Trade Port Law (2021, Presidential Decree No. 85) | The foreign investment security review system is implemented in the Hainan Free Trade Port in accordance with law, reviewing foreign investment that affects or may affect national security. |
| Network information technology products and services | Cybersecurity Law (2025 amendment) | Where a critical information infrastructure operator (CIIO) procures network products and services that may affect national security, the procurement must pass a national security review organized by the national cyberspace administration together with relevant State Council departments. |
| Network information technology products and services | Data Security Law (2021, Presidential Decree No. 84) | The State establishes a data security review system, conducting national security review of data processing activities that affect or may affect national security. |
| Network information technology products and services | Cryptography Law (2020, Presidential Decree No. 35) | Where a CIIO procures network products and services involving commercial cryptography that may affect national security, the procurement must pass a national security review organized by the national cyberspace administration together with the state cryptography administration and other relevant departments, per the Cybersecurity Law. |
| Biology / agriculture | Biosecurity Law (2024 amendment) | The State establishes a biosecurity review system: major biological-field matters and activities that affect or may affect national security undergo biosecurity review by relevant State Council departments. |
| Biology / agriculture | Seed Law (2022, Presidential Decree No. 105) | The State establishes a national security review mechanism for the seed industry, covering overseas institutions’ and individuals’ investment in, acquisition of, or technical cooperation with domestic seed enterprises and research institutes. |
Most of these statutory provisions run to only an article or two. Making security review actually operate usually requires more concrete implementing rules — and those rules are the core of China’s security-review system.
II. The four security-review “matrices”
To implement security review in the foreign-investment field, the Measures for the Security Review of Foreign Investments were adopted. (With the issuance of the Provisions of the State Council on Outbound Investment (《国务院关于对外投资的规定》), an outbound-investment national security review was also established at the administrative-regulation level, creating two-way review of investment “coming in” and “going out” — but because the detailed implementing rules have not yet landed, the author leaves it outside this article’s scope.)
To implement security review in the network field, the Cybersecurity Review Measures were adopted.
To implement the PIPL’s security assessment for providing personal information abroad and the DSL’s export security management of important data, the Measures for the Security Assessment of Data Export were adopted.
To implement security review in the data field, the Measures for Network Data Security Risk Assessment were adopted.
Together these build China’s four security-review “matrices,” marking a new, more granular and standardized stage of security governance. How these parallel, differently focused reviews are understood and applied is a red line for corporate operations. Below, each matrix is unpacked against the same questions: who reviews, what is reviewed, and when review is mandatory.
1. Foreign investment security review
Background. The current Measures for the Security Review of Foreign Investments (2020) implement the security-review system created by the Foreign Investment Law and are China’s first dedicated foreign-investment security-review instrument.
Who reviews? The State has established a working mechanism for foreign investment security review, responsible for organizing, coordinating, and guiding the work. The working mechanism’s office is housed at the National Development and Reform Commission (NDRC); the NDRC and the Ministry of Commerce (MOFCOM) take the lead and handle day-to-day review work.
What is reviewed?
- Investment in key sectors bearing on national defense — military industry, military-industry support, and similar fields — and investment in areas near military facilities and military-industry facilities: subject to review regardless of whether control is acquired.
- Investment in important agricultural products, important energy and resources, major equipment manufacturing, important infrastructure, important transport services, important cultural products and services, important information technology and internet products and services, important financial services, key technologies, and other important fields bearing on national security, where the investor acquires actual control of the invested enterprise.
When? Ex-ante. During the review period and before the working mechanism office issues its decision, the parties must not implement the investment.
Legal consequences.
- Cleared: the investment may proceed.
- Prohibited: the investment must not proceed; if already implemented, the parties must divest equity or assets within a prescribed period and take other necessary measures to restore the pre-investment state and eliminate the national-security impact.
- Conditionally cleared: the investment proceeds subject to the attached conditions.
- Failure to file when filing was required: ordered to file; on refusal, ordered to divest equity or assets within a prescribed period and restore the pre-investment state.
2. Cybersecurity review
Background. The 2016 Cybersecurity Law established that CIIO procurement of network products and services that may affect national security must pass a national security review organized by the national cyberspace administration together with relevant State Council departments. The 2017 trial measures for network products and services were the first implementation; the Cybersecurity Review Measures followed in 2020 and were revised in 2021 into the currently effective text.
Per the CAC’s own press Q&A, the 2021 revision responded to the Data Security Law taking effect on September 1, 2021, which mandated a state data security review system: the revision brought network platform operators’ data processing activities that affect or may affect national security into the review scope, and required network platform operators holding personal information of more than one million users to file for cybersecurity review before listing abroad.¹
Who reviews? Under the leadership of the Central Cybersecurity and Informatization Commission, the CAC together with twelve departments — NDRC, MIIT, MPS, MSS, MOF, MOFCOM, PBOC, SAMR, NRTA, CSRC, the State Secrecy Administration, and the State Cryptography Administration — has established the national cybersecurity review working mechanism. The Cybersecurity Review Office, housed at the CAC, drafts the rules and organizes reviews.
What is reviewed?
CIIO procurement of network products and services, where the products and services in use affect or may affect national security, including:
- the risk of critical information infrastructure being illegally controlled, interfered with, or destroyed once the products or services are in use;
- the harm a supply interruption would do to business continuity of critical information infrastructure;
- the security, openness, transparency, and diversity of sources of the products and services; the reliability of supply channels; and the risk of supply interruption from political, diplomatic, or trade factors;
- the provider’s record of compliance with Chinese laws, administrative regulations, and departmental rules.
Foreign listings by network platform operators holding personal information of more than one million users — presumed capable of affecting national security and therefore subject to mandatory filing with the Cybersecurity Review Office. The factors include:
- the risk of core data, important data, or large volumes of personal information being stolen, leaked, destroyed, illegally used, or illegally transferred abroad;
- the risk of critical information infrastructure, core data, important data, or large volumes of personal information being influenced, controlled, or maliciously used by foreign governments after listing, plus network information security risks.
In short: cybersecurity review targets the supply-chain stability and security of CIIO procurement, and the risk that a platform with more than one million users’ personal information comes under foreign-government influence, control, or malicious use after a foreign listing.
When?
- Procurement — unlike the FDI measures, there is no express bar on closing the purchase before a decision, but Article 3 states that cybersecurity review combines ex-ante review with continuous supervision.
- Listing — before submitting the listing application to the foreign securities regulator. The CAC’s press Q&A confirms this timing.²
Legal consequences. Article 67 of the Cybersecurity Law (2025 amendment): a CIIO that uses network products or services that have not undergone or have not passed security review will be ordered to stop using them and fined between one and ten times the procurement amount; directly responsible supervisors and other directly responsible personnel face fines of RMB 10,000 to 100,000.
For overseas listings, there is no express penalty for failing review, and regulators have not published any penalty decision resting solely on “failure to file for cybersecurity review.” But the reviews launched against DiDi, Yunmanman, Huochebang, BOSS Zhipin, and other US-listed companies show the pattern: during the investigation, new-user registration is suspended and apps are removed from stores — up to, in the end, delisting-and-rectification demands.
3. Data export security assessment
Background. Article 39 of the Cybersecurity Law [2025-amended numbering — Ed.] requires CIIOs to store personal information and important data collected and generated in their China operations inside China, and to pass a security assessment before any genuinely necessary export. Article 31 of the Data Security Law applies the Cybersecurity Law’s rule to CIIOs’ important data and directs the CAC and State Council departments to write export rules for everyone else’s important data — a step-by-step widening of scope from CIIOs to all handlers. Article 40 of the PIPL adds that CIIOs and handlers processing personal information above CAC-set volume thresholds must pass a CAC-organized security assessment before providing personal information abroad. The Measures for the Security Assessment of Data Export implement all three statutes.
Who reviews? The handler files with its provincial-level cyberspace administration; once materials are complete they are forwarded to the national cyberspace administration, which organizes the assessment with relevant State Council departments, provincial cyberspace administrations, and specialized agencies.
What triggers assessment?
- Providing important data abroad;
- A CIIO, or a handler processing the personal information of more than one million individuals, providing personal information abroad;
- A handler that since January 1 of the previous year has cumulatively provided abroad the personal information of 100,000 or more individuals, or the sensitive personal information of 10,000 or more individuals.
What is assessed?
- the legality, legitimacy, and necessity of the export’s purpose, scope, and method;
- the impact of the data-security policies, regulations, and cybersecurity environment of the recipient’s country or region on the security of the exported data; whether the overseas recipient’s protection level meets Chinese laws, administrative regulations, and mandatory national standards;
- the scale, scope, categories, and sensitivity of the exported data, and the risks of tampering, destruction, leakage, loss, transfer, or illegal acquisition or use during and after export;
- whether data security and personal information rights and interests can be fully and effectively safeguarded;
- whether the legal documents between the handler and the overseas recipient adequately allocate data-protection responsibilities and obligations;
- compliance with Chinese laws, administrative regulations, and departmental rules.
In short: the assessment targets whether personal information and important data face risks of tampering, destruction, leakage, loss, transfer, or illegal acquisition and use during and after export.
When? Ex-ante. Article 5 requires the handler to conduct a data export risk self-assessment before filing.
Legal consequences. The Measures set no new penalties; superior law applies. The Cybersecurity Law points to handling under relevant laws and administrative regulations; under the DSL and PIPL, unlawful exports draw consequences from warnings and fines up to revocation of the relevant business permit or business license and termination of services, depending on the violation.
4. Network data security risk assessment
Background. Per MIIT press Q&A and expert commentary,³ the Measures implement Articles 22 and 30 of the DSL — which call for a centralized, unified, efficient, and authoritative data security risk assessment mechanism and require important-data handlers to assess their processing activities periodically and report to competent authorities — and the Regulation on Network Data Security Management, which requires important-data handlers to assess annually and before providing, entrusting the processing of, or jointly processing important data. The Measures turn those principles into a concrete institutional path, answering the practical questions of who assesses, how, and what the results are used for.
Who reviews? The central national-security leadership body has established a national data security work coordination mechanism; under its guidance, the CAC together with the State Council’s telecommunications, public security, and other relevant departments has built a special working mechanism for network data security risk assessment that guides and supervises the work. Sectoral authorities organize regular assessments in their own industries under the principle “whoever is in charge of the business is in charge of the business data and is in charge of data security.”
What is assessed? Under GB/T 45577-2025 (Data Security Technology — Data Security Risk Assessment Method), the assessment centers on data and data-processing activities, focusing on risks to data confidentiality, integrity, and availability and to the reasonableness of processing activities — to grasp the overall security posture, find hidden dangers, propose management and technical measures, and improve resistance to attack, sabotage, theft, leakage, and abuse.
When? This is not a one-vote-veto ex-ante review but a normalized, continuous-improvement exercise:
- Important-data handlers assess annually.
- Where a material change in the security status of important data may adversely affect data security, the changed part and its impact must be assessed promptly.
- General-data handlers are encouraged to assess at least once every three years.
Legal consequences. Where authorities find in a risk assessment that an important-data handler’s processing may endanger national security or the public interest, they order rectification; a handler that refuses or falls short can be required to stop processing important data, among other measures.
In short: the object is the security of network data and network data-processing activities within China — an ongoing “physical exam,” not an admission gate.
Data security review vs. network data security risk assessment. Recall that the 2021 revision of the Cybersecurity Review Measures was how the DSL’s “data security review” landed. How does that review differ from the new risk assessment?
- Scope. The Cybersecurity Review Measures review data-processing activities for their impact on national security. But under Article 17 of the new Measures and GB/T 45577-2025, data-security incidents cover risks to national security, the public interest, and the lawful rights and interests of organizations and individuals — a wider net.
- Rhythm. Cybersecurity review is a node-based review triggered when a specific event may affect national security — like a visit to a specialist clinic. The risk assessment is periodic, reported to authorities, and improvement-oriented — more like an annual physical.
The risk-assessment mechanism is a foundational institution of the whole data-security regime — the root consideration that determines which protection strategies and management measures a network data handler adopts. It is not merely a national-security review; it is a broader security base for the data-security field.
III. The four matrices compared
-
Foreign investment security review is the filter at the capital entrance, watching whether foreign capital gains control of sensitive enterprises or sectors. Cybersecurity review is the gatekeeper of supply-chain security, watching CIIO procurement and the foreign-government-influence risk of platforms listing abroad with more than one million users’ personal information. Data export security assessment is the pass for cross-border flows, watching whether personal information and important data can be abused once abroad. Network data security risk assessment is the physical-exam chart for data security — a comprehensive checkup of network data and processing activities within China.
-
The first three are ex-ante, admission-style reviews. The risk assessment is normalized and is not an admission review.
-
On remedies: the foreign-investment security review and the data security review are both expressly final decisions; the Cybersecurity Law and the Cybersecurity Review Measures provide no reconsideration or re-examination; the export assessment result can be re-assessed, but the re-assessment is final. The mainstream academic view treats these reviews as final administrative acts — parties can neither apply for administrative reconsideration nor bring administrative litigation. For companies there is effectively no ex-post remedy, which is why active cooperation and careful handling during the review matter so much.
| Dimension | Foreign investment security review | Cybersecurity review | Data export security assessment | Network data security risk assessment |
|---|---|---|---|---|
| Characterization | Capital-entrance “filter” | Supply-chain “gatekeeper” | Cross-border “pass” | Data-security “physical exam” |
| Lead authority | NDRC + MOFCOM | CAC + 12 departments | National cyberspace administration | Cyberspace administration coordination + sectoral division of labor |
| Trigger | Before the investment | Before procurement / before listing | Before data export | Annual, plus material changes |
| Nature | Admission-style (veto) | Admission-style (veto) | Admission-style (veto) | Normalized (improvement-oriented) |
| Core focus | Foreign control + key technologies | Supply chain + listing security | Post-export abuse of data | Full-lifecycle data risk |
| Remedy | Final decision | Final decision | Re-assessment possible (final) | — |
IV. One company, full lifecycle: an AI-model company
In real business scenarios these seemingly separate reviews can run through a company’s entire life, in parallel. Take an AI-model company:
1. Fundraising. To launch or scale financing by bringing in foreign capital or a VIE structure, first ask whether the AI model falls in defense-and-military-related fields, or whether the deal is an investment in important information technology and internet products and services with the foreign investor taking actual control. If so, the FDI security review decision must be in hand before the investment — on top of industrial-policy requirements like the foreign investment negative list.
2. Equipment procurement. Financing closed, the company buys high-performance GPUs, optical modules, and the like. Set aside whether the exporting country will sell and what trade controls apply: on the Chinese side, if the purchaser has been identified as a CIIO, the procurement itself may trigger cybersecurity review — the Cybersecurity Review Office’s conclusion must come before the purchase, on pain of fines and a ban on use.
3. Model training. If the model will serve overseas users, be sold and deployed overseas, or transfer data abroad: under the China (Beijing) Pilot Free Trade Zone / National Comprehensive Demonstration Zone for Expanding Opening-up of the Services Sector Data Export Management List (Negative List) (2025 edition), high-value sensitive data bearing on industrial competitiveness that is collected and generated in R&D and design counts as important data — so the CAC’s export security assessment result must come before the data leaves.
4. Listing. Business grows; a US listing beckons. Any to-C business at listing scale almost certainly holds personal information of more than one million users — which triggers the mandatory cybersecurity review before filing with the foreign securities regulator.
5. Routine data processing. Large-model training and inference inevitably process massive data. Unless the product is purely on-device — and it almost never is — the normalized network data security risk assessment applies too.
V. Closing
A single AI company can trip all four lines at once: the security-review matrix sits much closer to ordinary businesses than it looks. Threading it precisely is hard, and — unlike other administrative acts — there is no ex-post remedy, so the cost of getting it wrong is extremely high.
Rather than blanket anxiety or wishful thinking, the author’s advice is to embed compliance across the whole management lifecycle: understand precisely what each review targets in each scenario, identify the red lines, build an effective governance system, defuse risks early, and turn the external constraint into internal security capability.
Notes
- CAC press Q&A on the revised Cybersecurity Review Measures, January 4, 2022: https://www.cac.gov.cn/2022-01/04/c_1642894602460572.htm
- Same source as note 1.
- CAC release accompanying the Measures, June 18, 2026: https://www.cac.gov.cn/2026-06/18/c_1783525612886783.htm
Source: 陈思佳 (Chen Sijia), “《网络数据安全风险评估办法》出台 安全至上时代企业如何应对中国四大安全审查’矩阵’?,” published on the JunHe Legal Review (君合法律评论) WeChat Official Account, original article. Chen Sijia is a lawyer at JunHe LLP whose practice covers telecommunications, information technology and high tech, competition law, and dispute resolution. Per the source’s own disclaimer, the article represents the author’s personal views and is not a formal legal opinion of JunHe.
— Not legal advice.