China Cybersecurity and Data Protection: Monthly Update - August 2025 Issue

This newsletter summarises the latest developments in cybersecurity and data protection in China with a focus on the legislative, enforcement and industry developments in this area.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at james.gong@twobirds.com.

Our View

1. China’s Personal Information Protection Audit - When Is It Required and How to Conduct It?
2. Cybersecurity Administration of China Rolls Out Mandatory Reporting of Personal Information Protection Officers
3. An In-depth Analysis of China’s Network Data Security Regime Part III: Cross-Border Data Transfer and Platform Data Protection

Key Highlights

In July 2025, China continued to establish and improve institutional systems in key areas such as personal information protection, data and network security, and data basic institutional system construction by issuing a series of laws, regulations, and national standards, while deepening network security, data security, and personal information protection efforts in these key areas:

• Personal Information Protection: At the legislative level, the Cyberspace Administration of China (“CAC”) issued an announcement requiring handlers processing personal information of more than 1 million individuals to report information on their personal information protection officers to the CAC department at the prefecture-level city where they are located. The National Technical Committee 260 on Cybersecurity of Standardisation Administration of China (“TC260”) successively released several standards/guidelines closely related to personal information protection: the release of Data Security Technology - Technical Requirements of Electronic Products Information Erasure (Draft for Comments), which specifies requirements for clearing personal information during equipment transfer, maintenance, and recycling; the release of Data Security Technology – Personal Information Protection Requirement for Minors’ Products and Service (Draft for Comments), further clarifying requirements for protecting minors' personal information; and the release of Cybersecurity Standard Practice Guide - Requirements for Personal Information Protection in Scan-to-Order Services (Draft for Comments), which refines the personal information protection obligations of catering enterprises. At the same time, the Ministry of Industry and Information Technology (“MIIT”) launched a “Number Protection Service Business Pilot” to reduce risks of number leakage and telecom fraud. On the enforcement front, the Ministry of Public Security (“MPS”) notified 33 applications (“Apps”) of issues involving illegal collection and use of personal information; the National Computer Virus Emergency Response Centre (“CVERC”) notified 68 non-compliant Apps in terms of privacy; the Shanghai Communications Administration (“CA”) notified 162 Apps and mini-programs that infringed on user rights; the Jiangsu CA notified 6 Apps that had not been rectified and imposed a deadline for rectification; and the Cyber Security Association of China (“CSAC”) published a list of 12 Apps that had completed optimizations and improvements for personal information protection. In addition, the Beijing CAC carried out special governance on "mandatory facial recognition" in public places and conducted special summer remediation in the culture and tourism industry.
• Data and Network Security: At the legislative level, the CAC in collaboration with relevant departments, issued the Regulations on the Management of Commercial Cryptography Use in Critical Information Infrastructure, imposing multiple cryptography usage requirements on critical information infrastructure operators (“CIIO”). The TC260 released five national standards: Cybersecurity Technology - Disaster Recovery Specifications for Information Systems, Cybersecurity Technology - Technical Implementation Guideline of Digital Watermarking, Cybersecurity Technology - Capability Requirements and Evaluation Specifications for Assessment Organization of Classified Protection of Cybersecurity, Cybersecurity Technology - Implementation Guide for Critical Information Infrastructure Cybersecurity Proactive Defence, and Cybersecurity Technology - Implementation Guide for Monitoring and Warning of Critical Information Infrastructure Security, which respectively provide detailed provisions on information system disaster recovery, digital watermarking, cybersecurity graded protection evaluation institutions, and active defence and security monitoring for critical information infrastructure (“CII”), offering useful guidance for data and network security protection. On the enforcement level, the Chengdu CAC notified three typical cases of violations involving network and data security. At the enforcement level, the national CAC interviewed a certain chip manufacturing enterprise, requiring it to explain security risks and provide supporting materials. At the industry level, the MIIT issued the 2025 Action Plan for Safeguarding Network Security in the New Industrialization, focusing on enterprise protection, optimization of industrial control product security, and service capabilities.
• Data Basic Institutional System Construction: At the legislative level, the National Data Administration (“NDA”) released four model texts for data circulation and trading contracts (data provision, data entrusted processing services, data fusion development, and data intermediary services), aiming to reduce data transaction costs and accelerate data circulation. At the same time, the NDA announced the 2025 list of pilot projects for innovative development of trusted data spaces, covering 63 enterprises in three categories across three directions to promote large-scale circulation, sharing, and use of data elements. At the local level, Hubei Province issued the Hubei Province Data Regulations, systematically regulating data rights protection, resource management, circulation and utilization, and security safeguards; the Jiangsu Provincial Data Administration solicited opinions on the Measures for the Evaluation and Recognition of Data Enterprises in Jiangsu Province (Trial), planning to recognize and include data enterprises in a database for cultivation based on six categories: resources, technology, services, applications, security, and infrastructure. At the industry level, the General Office of the State Council issued opinions requiring the establishment of a normalized promotion mechanism for key matters under the “efficiently handling one thing” initiative and increasing the sharing of government data.

Follow the links below to view the official policy documents or public announcements.

Legislative Developments

1. CAC issued regulations to standardize the management of commercial cryptography use in CII (1 July)

The CAC, in collaboration with multiple departments, issued the Regulations on the Management of Commercial Cryptography Use in Critical Information Infrastructure, aiming to standardize the full lifecycle management of commercial cryptography use in the CII field and enhance CII security assurance capabilities. The regulations apply to legally identified CIIO, first clarifying the overall responsibilities of CIIO and implementing the “three synchronizations and one evaluation” principle for commercial cryptography use in critical information infrastructure, namely synchronous planning, synchronous construction, and synchronous operation of commercial cryptography assurance systems, with regular assessments of commercial cryptography application security. Second, the regulations specify the specific institutional, personnel, and funding assurance responsibilities of CIIO, including establishing systems for commercial cryptography use, emergency response, and major incident reporting. Regarding specific requirements for commercial cryptography use, the regulations clarify requirements for the use of commercial cryptography technologies, products, and services, and simultaneously specify data security protection and personal information protection requirements, refining the commercial cryptography use requirements in stages such as planning, construction, and operation, as well as transitional arrangements and requirements for commercial cryptography application security assessments.

2. CAC consulted on draft mandatory national standard to standardize electronic product information erasure technology (14 July)

The CAC circulated the Data Security Technology - Technical Requirements of Electronic Products Information Erasure (Draft for Comments) for public consultation, aiming to standardize user data erasure in consumer electronic products during transfer, maintenance, recycling, and decommissioning, reducing the risk of personal information leakage. The standard applies to electronic devices for consumers that have data storage space and have stored user data, clarifying the scope of erasure and technical requirements for erasure, proposing a path of "data overwriting + command cleanup," and requiring that after erasure, data cannot be recovered through recovery tools, memory editing, or disassembly reading methods. Electronic product manufacturers should provide "one-click erasure" and forced account logout functions, and have power-off/abnormal protection. The minimum overwriting times vary for different electronic products: ≥2 times for mobile phones/tablets, ≥2 times for semiconductor storage, and ≥3 times for magnetic storage. After completing electronic product information erasure, relevant information should be recorded and archived for at least six months. Recycling operators must not read old device data without separate consent, must confirm effective erasure, and devices that cannot be confirmed as erased must not be resold or exported, with measures such as overwriting, removing storage media, or destruction taken as appropriate.

3. CAC issued announcement requiring the reporting of personal information protection officers’ information (18 July)

The CAC issued the Announcement on Carrying Out the Reporting of Personal Information Protection Officers’ Information, aiming to implement the territorial supervision and responsibility implementation for large-scale personal information processing activities under the Personal Information Protection Law (“PIPL”) and the Measures for Personal Information Protection Compliance Audits. The announcement specifies: Controllers processing personal information of more than 1 million individuals must report the officers' information to the CAC department at the prefecture-level city where they are located; those reaching the threshold from the date of the announcement should report within 30 working days, and those who reached the threshold before the announcement must supplement the report by August 29, 2025; if there are substantive changes to the relevant information, changes should be handled within 30 working days. The reporting is handled entirely online through the "Personal Information Protection Business System" by submitting materials according to the filling instructions.

4. MIIT issued notice requiring the launch of number protection service business pilot work (2 July)

The MIIT issued the Notice on Launching the Pilot for Number Protection Service Business, aiming to carry out a pilot for number protection service business, implement requirements under the PIPL, Cybersecurity Law, Anti-Telecom and Online Fraud Law, etc., reduce number leakage, and curb telecom fraud and harassment. The notice specifies a collaborative mechanism among three parties: application platform providers, basic platform providers (must hold cellular mobile communication business licenses), and business users. Application platform access requires meeting conditions such as cross-provincial operations and registered capital of no less than 10 million yuan, and applying to the MIIT for the pilot and code numbers. The notice plans the 700 number segment as dedicated resources (management digit length of 11 digits, usage digit length of 15 digits, belonging to business platform numbers), with a timeline of 3 months preparation, 3 months transition, and 2 years pilot. Among them, existing businesses must migrate during the transition period, and violations will result in suspension until revocation of qualifications. Regarding requirements for each business entity, the notice prohibits application platform providers from using dedicated code numbers for marketing calls/SMS. Basic platforms are responsible for routing and inter-network interconnection, should enable voice and SMS services, and retain usage data for no less than two years. Business users should use dedicated code numbers only for providing services to individual users and protect users' relevant rights.

5. NDA in collaboration with the State Administration for Market Regulation, released four model texts for data circulation and trading contracts, involving data provision, data entrusted processing services, data fusion development, and data intermediary services (4 July)

The NDA released four model texts for data circulation and trading contracts, namely the Data Provision Contract, Data Entrusted Processing Services Contract, Data Fusion Development Contract, and Data Intermediary Services Contract, aiming to advance the construction of basic data institutions and reduce data circulation and trading costs. Among them, the Data Provision Contract applies to activities where data providers provide data to data recipients through paid transactions, gratuitous sharing, licensed use, etc., covering various provision methods such as App interfaces (API) and datasets; the Data Entrusted Processing Services Contract applies to activities where data entrusting parties entrust their held or controlled data to entrusted parties, who process the data according to the entrusting parties' instructions and requirements; the Data Fusion Development Contract applies to situations where participants in data fusion open and share their held data with each other or jointly entrust it to specific processors for jointly creating data platforms, data spaces, data pools, derivative data, etc., such as cooperating in building AI data training zones, industry data sharing application platforms, and jointly building alliance-style data resource pools; the Data Intermediary Services Contract applies to intermediary services activities where data intermediaries provide market promotion, information release, customer docking, transaction matching, contract conclusion, etc., to facilitate data circulation and trading.

6. TC260 released two national standards, respectively involving disaster recovery of information systems and digital watermark technology in cybersecurity technology (4 July)

The TC260 released two national standards, namely Cybersecurity Technology - Disaster Recovery Specifications for Information Systems and Cybersecurity Technology - Technical Implementation Guideline of Digital Watermarking, aiming to provide technical basis for the resilience construction of information systems and the implementation of digital watermark technology. Among them, Cybersecurity Technology - Disaster Recovery Specifications for Information Systems covers the full lifecycle of disaster recovery, clarifying the planning and design of disaster recovery, the construction and implementation of disaster recovery systems and centres, as well as the security construction and operation management of disaster recovery systems. At the same time, the standard specifies the testing and evaluation methods for disaster recovery. Cybersecurity Technology - Technical Implementation Guideline of Digital Watermarking targets carriers such as images, audio, and video, standardizing the full process operations of watermark embedding, distribution, and extraction, and providing reference factors for watermark algorithm selection for different carriers. In addition, the document refines the selection of three watermark service encapsulation forms: SDK, SaaS, and products, providing useful references for relevant entities.

7. TC260 issued national standard to provide guidance on capability requirements and evaluation specifications for assessment organizations of classified protection of cybersecurity (14 July)

The TC260 solicited public opinions on the Cybersecurity Technology - Capability Requirements and Evaluation Specifications for Assessment Organizations of Classified Protection of Cybersecurity, aiming to improve the capability building and evaluation system for graded protection assessment organizations and enhance assessment quality and data security. The standard classifies assessment organizations into Levels I/II/III and correspondingly grades assessors into junior, intermediate, and senior levels. For assessment organizations of different levels, the standard specifies different basic conditions, organizational management capabilities, assessment implementation capabilities, facility and equipment security and assurance capabilities, quality management capabilities, assurance capabilities, risk control capabilities, and sustainable development capabilities. For example, Level I organizations should have ≥10 full-time personnel (including ≥1 senior and ≥3 intermediate), possess basic penetration testing/vulnerability scanning tools and log auditing capabilities, and establish dedicated document storage areas and data encryption environments. At the same time, assessors of different levels should meet different conditions and capabilities. In addition, the standard refines the entire process of capability evaluation for assessment organizations, clearly stipulating the obligations of assessment organizations throughout the processes of commission acceptance, evaluation preparation, review, on-site evaluation, rectification, and report preparation.

8. TC260 planned to release national standards, providing guidance on the implementation of cybersecurity proactive defence and the implementation of security monitoring and warning for critical information infrastructure (14 July)

The TC260 solicited public opinions on the Cybersecurity Technology - Implementation Guide for Critical Information Infrastructure Cybersecurity Proactive Defence and the Cybersecurity Technology - Implementation Guide for Monitoring and Warning of Critical Information Infrastructure Security, aiming to establish an integrated implementation framework of "proactive defence + monitoring and warning" around CII, refining capabilities, processes, and management requirements. The Cybersecurity Technology - Implementation Guide for Critical Information Infrastructure Cybersecurity Proactive Defence starts from exposure surface management, vulnerability governance, supply chain security, execution environment governance, and structural security design, proposing mechanisms for unknown threat discovery, resilient response, attack traceability, as well as attack and defence drills and simulation verification, and supporting requirements for joint defence and control, intelligence collaboration, and institutional, organizational, and personnel assurances. The Cybersecurity Technology - Implementation Guide for Monitoring and Warning of Critical Information Infrastructure Security provides a monitoring and warning system, clarifying monitoring content, monitoring points and methods, data correlation and intelligent analysis, security warnings, internal and external linkage, and organizational management arrangements for routine and key targets, enhancing the ability to discover and handle threats.

9. TC260 planned to release practice guide to standardize personal information processing activities in scan-to-order services (22 July)

The TC260 solicited public opinions on the Cybersecurity Standard Practice Guide - Requirements for Personal Information Protection in Scan-to-Order Services (Draft for Comments), aiming to standardize personal information processing in scan-to-order scenarios. The guide applies to catering merchants standardizing personal information processing activities in scan-to-order services, proposing basic principles such as "legitimate, justified, and necessary," and clearly prohibiting practices such as excessive collection, forcing users to follow official accounts or register as members, processing without consent, and failing to provide personal information deletion functions. For self-developed mini-programs by merchants, the guide requires a pop-up window on first use to explicitly inform and require active user consent to personal information processing rules. Permission requests should use scenario-based pop-ups for explanation, collect only the minimum necessary information, and additional services should be actively selected by users. For entrusting third parties with processing, the guide requires signing entrustment processing agreements, continuous supervision, and deletion or return of personal information upon contract termination. For mini-program platforms, the guide requires review of developer qualifications and privacy rules, personal information security testing before launch, and continuous sampling after launch, with deadlines for rectification or removal of non-compliant applications. The guide clarifies the responsibility boundaries of all parties and limits "necessary personal information" to order and payment information.

10. TC260 planned to issue national standard to specify personal information protection requirements for minors’ products and services (29 July)

The TC260 solicited public opinions on Data Security Technology – Personal Information Protection Requirement for Minors’ Products and Services, aiming to regulate personal information processing throughout the lifecycle of minors’ products and services, enhancing age-appropriate protection and security governance capabilities. The standard proposes principles such as “default protection, age-appropriate design, and open co-governance,” establishing personal information protection requirements for minors’ products at three levels: basic, enhanced, and optimized, with A/B/C product service classifications, high/medium/low functional impact identification classifications, and age identification mechanisms. The standard refines consent notification, minimum necessity, and guardian control rules for minors above and below 14 years old, detailing personal information security protection requirements in areas such as system and app security and account security, and requiring personal information protection impact assessments, records of processing activity, and compliance audits. Additionally, the standard specifies special protection requirements for minors, including but not limited to requirements for new hardware applications and generative AI applications. The standard’s appendices clarify age-appropriate development optimization requirements for minors’ personal information protection, methods for specifying personal information processing rules, personal rights impact analysis methods, and network protection impact assessment methods.

11. Hubei issued data regulations, establishing a systematic institutional framework for data rights protection, resource management, and circulation utilization (31 July)

Hubei Province issued the Hubei Province Data Regulations, aiming to regulate data processing, ensure rights and security, and promote circulation, utilization, and factor market construction. The regulations apply to data rights protection, resource management, circulation, industry, and security within the province, establishing a governance framework led by the provincial government, with the data authority in charge and multiple departments sharing responsibilities. For data resource protection, the regulations clarify rights to data holding, use, and operation, as well as registration systems, requiring lawful collection, explicit rules, and consent, with prominent signage for public place data collection, and platforms prohibited from mandatory algorithm recommendations while providing opt-out options. For data resource management, public data adopts directory management, “one data, one source,” and platform aggregation, with the regulations requiring the construction of basic/thematic databases and quality control systems. For data circulation, the regulations mandate compiling open lists, exploring authorized operations and provincial trading platforms, and improving pricing and revenue distribution. For data security, data processors must establish full-lifecycle data management systems, cyberspace departments must establish cross-border flow assessment and filing systems and pilots, and promote security assessments and testing certifications for new technologies.

The Jiangsu Provincial Data Administration solicited public opinions on the Measures for the Evaluation and Recognition of Data Enterprises in Jiangsu Province (Trial), aiming to implement national and provincial data industry policies, accelerate the recognition and inclusion of data enterprises, and standardize market cultivation and service systems. The measures classify data enterprises into six categories: data resources, technology, services, applications, security, and infrastructure, and specify entry and basic conditions. The recognition process is outlined as “enterprise online application—prefecture-level city preliminary review and recommendation—provincial expert evaluation (including document review and on-site verification)—public announcement and certification,” with recognition results valid for 5 years and 2–3 evaluation batches planned annually. Recognized enterprises will receive comprehensive support, including policy services, supply-demand matching, data provision, financial support, and promotional activities.

Enforcement Developments

13. CAC interviewed chip manufacturing enterprise, requiring explanation of security risks and submission of supporting materials (31 July)

The CAC interviewed a foreign chip manufacturer regarding security risks such as “vulnerabilities/backdoors” in certain computing chips, requiring it to explain potential “tracking and positioning” or “remote shutdown” functions and related security issues in products sold in China and submit supporting materials. Prior reports from foreign political and industry sources indicated that the enterprise’s advanced chips exported abroad were required to include trackable and remotely disableable technologies. To safeguard Chinese users’ network and data security, the CAC conducted the interview under the Cybersecurity Law, Data Security Law, and PIPL, emphasizing that enterprises must fulfil primary responsibilities for network information content security and product safety, ensuring that chips sold in China are secure, reliable, compliant, and controllable.

14. MPS notified batch of mobile Apps illegally collecting and using personal information, involving issues such as excessive collection (23 July)

The Computer Information System Security Product Quality Supervision and Inspection Centre of the MPS detected 33 Apps with illegal and non-compliant collection and use of personal information. Issues include failure to disclose collection and use rules, failure to synchronously inform users of collection purposes, excessive or overly frequent collection of non-essential personal information, mandatory authorization, and mandatory provision of non-essential personal information, totalling 132 categories. The notification requires relevant Apps and distribution platforms to rectify; 8 Apps from the previous notification batch that remained non-compliant after retesting have been delisted.

15. CVERC notified batch of Apps illegally collecting and using personal information, involving issues such as failure to prompt users to read privacy policies (11 July)

The CVERC detected 68 Apps with non-compliant privacy behaviours, including failure to prompt users via pop-ups or other obvious methods to read privacy policies and other collection and use rules during the app’s first run, failure to list the purpose, method, and scope of personal information collection in privacy policies, and failure to collect personal information or enable permissions only after obtaining user consent. The CVERC issued an initiative urging users to cautiously download and use these non-compliant Apps and to carefully read their user agreements and privacy policy statements.

16. CSAC issued announcement, notifying list of Apps that have completed optimization and improvement of personal information collection and use (8 July)

The CSAC released the 2nd batch of 2025 “List of Apps that Have Completed Optimization and Improvement of Personal Information Collection and Use,” aiming to regulate App personal information processing and enhance user rights protection. The list covers 12 Apps across 7 categories, including online communities, app stores, food delivery, housing rental and sales, live streaming, instant messaging, and job recruitment, addressing issues such as excessive collection of personal information, excessive invocation of sensitive permissions, and inconvenient permission settings and account cancellation. The operators of the 12 Apps have released optimized versions on app stores or official websites and committed to maintaining compliance in updated versions.

17. Beijing CAC conducted special governance on “mandatory facial recognition” in public places, further strengthening regulation of facial recognition information (8 July)

The Beijing CAC launched special governance on “mandatory facial recognition” in public places to prevent misuse risks of sensitive biometric information and regulate facial recognition applications. Starting in July, Beijing, in collaboration with relevant departments, will focus on enforcement inspections in sectors such as transportation, accommodation and tourism, education and training, culture and sports, logistics and commerce, and leisure and entertainment, strictly addressing illegal and non-compliant behaviours such as setting facial recognition as the sole verification method or collecting facial information coercively; citizens can report via Beijing citizen service hotline “(010) 12345.” Additionally, the Beijing CAC noted that 69 entities have completed filing for facial recognition technology applications.

18. Beijing CAC launched special rectification on illegal collection and use of personal information, focusing on facial recognition in public places and offline consumer data collection (25 July)

The Beijing CAC continued a city-wide campaign to address unlawful collection and use of personal information. The effort focuses on facial-recognition activities in public places and on the collection of personal data during offline consumption, and it covers sectors such as transport, accommodation and tourism, education and training, culture and sports, logistics and commerce. It proceeds on a closed-loop track of “self-inspection and baseline checks → departmental oversight → cyberspace-authority spot checks.” In addition, the administration held a specialised training session for more than 120 leading enterprises and institutions in the above sectors to explain applicable laws and regulations in depth and to strengthen corporate compliance capabilities for personal information protection.

19. Shanghai CA notified batch of Apps infringing user rights, involving issues such as illegal personal information collection, self-activation, and associated activation (3 July)

The Shanghai CA notified 162 Apps and mini-programs with behaviours infringing user rights, involving key issues such as illegal collection of personal information, improper handling of user complaints, failure to disclose personal information processing rules, and self-activation or associated activation behaviours. Relevant Apps and mini-programs must rectify non-compliant issues in accordance with relevant regulations. For those failing to implement rectification, the Shanghai CA will take lawful measures.

20. Jiangsu CA notified batch of Apps infringing user rights, involving illegal personal information collection and account cancellation difficulties (17 July)

The Jiangsu CA notified 6 Apps and mini-programs with behaviours infringing user rights, involving key issues of illegal personal information collection and difficulties in account cancellation. The 6 notified Apps are those that remained non-compliant from the previous notification. If rectification is not completed or is inadequately implemented by 29 July, the Jiangsu CA will take measures such as delisting, shutdown, or administrative penalties as appropriate.

The Chengdu CAC reported lawful handling of multiple network and data security violations, imposing penalties on three typical cases under the Cybersecurity Law and Data Security Law: First, a commerce enterprise was fined 25,000 yuan, with its responsible person fined 5,000 yuan, for failing to deploy virus protection and intrusion interception, and lacking internal systems and emergency plans, leading to tampering of its OA system; second, a value-added telecom enterprise was warned and fined 50,000 yuan for unauthorized open access to the ElasticSearch 9200 port, lack of logging, and missing policies and procedures; third, an internet enterprise was warned and fined 150,000 yuan for a weak password vulnerability in a MySQL database port and lack of full-process data security management and technical measures. The notification emphasized that the Chengdu CAC will continue to strengthen enforcement supervision.

Industry Developments

22. General Office of the State Council issued opinions, requiring establishment of a normalized promotion mechanism for key matters, including increasing government data sharing (8 July)

The General Office of the State Council issued the Opinions on Establishing a Normalized Promotion Mechanism for Key Matters of “Efficiently Handling One Thing”, increasing government data sharing. The opinions require leveraging the national integrated online government service and government big data system, strengthening shared government data, supply-demand matching, and responsibility list management, promoting the interconnection of vertically managed business systems of State Council departments with local government service platforms, and accelerating data backflow to localities in areas such as public security, customs, and maritime affairs. While ensuring security, the opinions support data sharing through methods such as result verification, algorithmic models, and batch exchanges, while emphasizing desensitization and encryption protection for data involving trade secrets and personal information.

23. MIIT issued special action plan to guide the 2025 network security action for safeguarding new industrialization (1 July)

The MIIT issued the 2025 Action Plan for Safeguarding Network Security in the New Industrialization, aiming to safeguard new industrialization and high-quality manufacturing development with high-level network security. The plan sets quantitative goals and identifies key tasks: first, focusing on key management to improve enterprise network security protection levels; second, targeting critical links to enhance the security capabilities of industrial control system products; third, innovating empowerment management to optimize network security services in the industrial sector. The action is implemented in three stages: “June launch, July–October advancement, November summary,” requiring localities to integrate network security with manufacturing digital transformation, and improve collaboration and risk control mechanisms.

24. NDA announced 2025 trusted data space innovation development pilot list, promoting large-scale circulation, sharing, and use of data elements (17 July)

The NDA issued the Notice on Announcing the 2025 Trusted Data Space Innovation Development Pilot List, identifying 63 companies for the 2025 trusted data space innovation development pilot. Among them, 13 companies belong to the urban trusted data space direction, 22 companies to the industry trusted data space direction, and 28 companies to the enterprise trusted data space direction.