Administrative Measures for Data Security in the Business Areas of the People’s Bank of China Issued
ISSUING AUTHORITY:
People's Bank of China
DATE OF ISSUANCE:
May 1, 2025
EFFECTIVE DATE:
June 30, 2025
On May 1, the People’s Bank of China (PBOC) issued the Administrative Measures for Data Security in the Business Areas of the People’s Bank of China (“Measures”), which will take effect on June 30, 2025.
The Measures apply to financial institutions and other entities approved or recognized by the PBOC that conduct data-related processing activities within China in the business areas overseen by the PBOC. These business areas include monetary credit, macroprudential regulation, cross-border RMB transactions, interbank markets, comprehensive financial statistics, payment and clearing, RMB issuance and circulation, treasury management, credit reporting and ratings, and anti-money laundering, amongst others.
The Measures outline general data security obligations for data processors while specifying exemptions under exceptional circumstances, ensuring that financial business operations remain unaffected. They also define scenarios for lighter or mitigated administrative penalties, encouraging data processors to diligently strengthen data security protections. Additionally, the Measures support data processors in providing valuable risk intelligence and assisting in the early detection of major data security risks, thereby enhancing collaborative data security efforts.
The Measures consist of seven chapters and 56 articles. Chapter I, General Provisions, clarifies the legal basis, scope of application, management principles, and operational mechanisms. Chapter II, Data Classification, Grading, and General Requirements, sets out provisions on data resource catalogs, classification and grading, institutional frameworks, and operational procedures. Chapter III, Full-Cycle Data Security Management Requirements, establishes security rules for data collection, storage, usage, processing, transmission, disclosure, and deletion. Chapter IV, Full-Cycle Data Security Technical Requirements, defines technical standards for data storage protection, backups, secure transmission, and algorithmic risk prevention. Chapter V, Data Security Risk and Incident Management, covers risk monitoring, alert mechanisms, assessments, audits, incident classification, and response measures. Chapter VI, Legal Responsibilities, outlines the supervisory duties of the PBOC and its branches, as well as penalties for non-compliance. Chapter VII, Supplementary Provisions, provides definitions of key terms, interpretation authority, and the effective date.
The Measures aim to strengthen data security governance in financial operations while ensuring efficient financial services and fostering a secure, compliant data ecosystem.