Editor’s Note — DCC.
On July 10, 2026 the National Financial Regulatory Administration (国家金融监督管理总局, NFRA) opened public consultation on the Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors (Draft for Public Consultation) (《银行业保险业网络安全管理办法(征求意见稿)》). This brief is a DCC structured summary of the announcement and the full draft text, which circulated via the tracked account 数据何规; the official consultation notice is on the NFRA website. Comments close August 10, 2026 (email kjszxc@nfra.gov.cn, post, or fax).
The draft is the sectoral companion to the financial-sector cybersecurity measures that went out for comment on July 3 — the NFRA text states expressly that the two are designed to interlock. Read alongside the NFRA’s existing banking and insurance data security measures, the sector now has parallel rulebooks for data security and for cybersecurity proper.
What the draft is
An eight-chapter, 72-article departmental rule that would consolidate the NFRA’s cybersecurity supervision of banking financial institutions, insurance financial institutions, and financial holding companies under the Cybersecurity Law (CSL), Data Security Law (DSL), Personal Information Protection Law (PIPL), and the Security Protection Regulations for Critical Information Infrastructure. The NFRA describes the drafting logic in four strokes: implement the higher-level laws with a concrete sectoral path; convert recent supervisory practice into standing rules; fit the requirements to how banking and insurance groups actually run (group-wide unified management, technology–business coordination, “three lines of defense”); and manage by classification and grading, with a distinctly higher bar for critical information infrastructure (CII).
Scope is wide. Article 2 enumerates policy banks, commercial banks, rural cooperative institutions, asset-management companies, group finance companies, leasing, auto-finance and consumer-finance companies, trust companies, wealth management companies, insurers of every stripe, reinsurers, and mutual insurance organizations. Foreign bank branches, foreign insurers’ branches, insurance agencies and brokers, and other NFRA-supervised institutions apply the rule by reference. Overseas branches and subsidiaries must be folded into the institution’s group-wide cybersecurity management system.
Governance: responsibility lands at the top
- The Party committee and the board bear primary responsibility for cybersecurity; the institution’s principal officer is the first person responsible, and the senior executive in charge of cybersecurity is the directly responsible person (Article 7).
- Institutions must designate a cybersecurity department with enumerated duties, keep an independent cybersecurity risk-management function, and put cybersecurity within the scope of internal audit — with external audit reports filed to the NFRA where third parties are engaged (Articles 8–10).
- Annual all-staff training and inclusion of cybersecurity performance in the institution’s annual appraisal system round out the governance chapter.
Build-and-run obligations worth flagging
The middle chapters read as a consolidated baseline of obligations most large institutions will recognize, now stated as enforceable sectoral rules:
- Network segmentation into security domains, isolating production from the internet and headquarters from domestic and overseas branches, with cross-domain access controlled on a minimum-necessary basis (Articles 17–20).
- Log retention of no less than six months, with logs adequate to support monitoring, early warning, and incident analysis (Article 22).
- Vulnerability management on a closed-loop basis, quarterly analysis of disposition, and immediate reporting to the NFRA of vulnerabilities that could affect the industry (Article 23).
- Change control: internet-facing systems, MLPS Level 3-and-above networks, and important information systems must pass security testing before launch or major change; no major go-lives in peak business periods or sensitive windows (Article 26).
- Supply chain security: a product inventory, service-level agreements with important outsourcing providers, supply-interruption contingency plans and drills, and industry-impact reporting to the NFRA (Article 30).
- MLPS and commercial cryptography: Level 3-and-above networks tested annually; commercial-cryptography application security assessments required (Articles 33–34).
- Data security and personal information: the draft cross-references the institutions’ existing duties — classification and grading, a designated lead department, PIPL protections — and encourages connection to the national network identity authentication public service for real-name verification (Articles 35–36).
- Annual testing: at least one cybersecurity risk assessment and one internet penetration test per year covering the institution and its domestic and overseas branches; a cybersecurity audit at least every three years (Article 41).
The incident regime: a four-tier scale with a two-hour clock
The draft attaches a grading annex that sorts cybersecurity incidents into four tiers — extraordinarily major (Level 1), major (Level 2), relatively major (Level 3), and ordinary (Level 4) — keyed to data-security impact, outage duration and geographic spread, and harm to national security, social order, or the public interest. Illustratively: a business outage across two or more provinces for three hours or more, or one province for six hours or more, is a Level 1 incident; sensitive-grade-or-above data compromise constituting an extraordinarily major data security incident also lands at Level 1.
The reporting mechanics (Article 45):
- Level 3 and above: report to the NFRA or its local office within 2 hours, with a formal written report within 24 hours.
- Level 1: immediate disposal measures, user notification per regulations, and progress reports every 2 hours until the incident is closed.
- After closure, a disposition summary is due within five working days for Level 3 and above (Article 48); Level 2 and above trigger a special audit (Article 49); and concealment, omission, false reporting, or intentional delay of Level 3-plus incidents must itself be pursued for accountability (Article 50).
The CII chapter sets the high bar
Chapter 6 is a self-contained regime for financial-sector CII operators, and several requirements go beyond the generic CII Regulations:
- CII must be operated and maintained within China, with same-city and remote disaster-recovery centers capable of fully taking over production and running long-term, exercised annually against high-risk scenarios (Article 57).
- CII protection is graded no lower than MLPS Level 3; the operator’s principal officer bears overall responsibility (Article 52).
- Procurement of network products and services requires a security confidentiality agreement; purchases that may affect national security go through the national cybersecurity review; secure and trusted products and services get procurement priority; and operators must file an annual procurement list of network products, services, and cloud services with the NFRA (Article 56).
- Operators must run a 24/7 cybersecurity monitoring and command center (Article 59), maintain a supplier directory (Article 62), and conduct annual CII testing and risk assessment covering MLPS evaluation, cryptography assessment, data security, and personal information protection (Article 63).
- Level 3-and-above incidents on CII must be reported to the NFRA and public security authorities within 1 hour at the latest — a tighter clock than the general two-hour rule (Article 61).
- Article 55 requires CII operators to possess independent research and development capability for CII systems, with key technologies “mastered in-house” (自主掌握) — language overseas counsel will recognize from the broader secure-and-controllable policy line.
Supervision and what happens next
The NFRA supervises through ratings, risk alerts, supervisory notifications and interviews, on-site inspection, and — notably — may itself run attack-defense exercises and internet penetration tests against institutions, or commission professional bodies to inspect (Article 66). Institutions must fold a cybersecurity annual report into their annual IT report to the NFRA by January 15 each year. Violations draw correction orders, supervisory measures, and administrative penalties under the underlying laws.
For overseas counsel, three practical takeaways. First, if a client’s China operation is an NFRA-supervised institution — including a foreign bank branch or insurance brokerage applying the rule by reference — the incident-reporting clocks (2 hours generally, 1 hour for CII) and the annex’s grading standard are the operational items to wire into group incident-response playbooks now, ahead of finalization. Second, the CII chapter’s domestic-operation, procurement-review, and in-house-capability language continues the localization trajectory familiar from the CII Regulations, applied with sectoral teeth. Third, the draft is expressly designed to interlock with the July 3 financial-sector measures — the two consultations should be read, and commented on, together.
— Not legal advice.