China's First Three-Agency Data Audit Rule Converts a Law Mandate Into Annual Compliance Machinery

CAC, MIIT, and MPS jointly issue Order No. 24, effective August 20, creating annual risk assessment obligations for China's largest data handlers.

[Infographic: China Order No. 24: Key Compliance Numbers. 10M+ individual data threshold; 20 days reporting window; RMB 10M maximum fine under the revised CSL; 20 industries with sectoral important-data standards. Source: People of Internet Research, peopleofinternet.com]

A New Enforcement Architecture

China's Cyberspace Administration (CAC), Ministry of Industry and Information Technology (MIIT), and Ministry of Public Security (MPS) jointly issued the Measures for Network Data Security Risk Assessment (Order No. 24) on June 18, 2026 — set to take effect August 20, 2026. The regulation is the first time these three agencies have co-signed a data-security rule, and that structural detail matters more than it might appear. Until now, the CAC acted as the primary data-law enforcer; bringing in MIIT (which oversees telecoms and industrial internet) and MPS (which handles cybercrime and public-security data) creates a multi-lane enforcement structure with overlapping supervisory claims across China's data economy.

Why the Rule Exists

Steelman first: China's 2021 Data Security Law (DSL) requires important-data processors to "regularly assess risks and report to relevant authorities." State Council Order No. 790, which took effect January 1, 2025, narrowed that mandate to annual assessments — but left the operational mechanics undefined. Order No. 24 fills that gap, converting a one-sentence legal obligation into a five-stage assessment methodology, a 20-working-day reporting window, and three-year record-retention requirements. Proponents can reasonably argue that companies operating under clear, structured procedures are better positioned than those navigating two years of deliberate ambiguity — and that the rule finally delivers the certainty the DSL promised.

Who Must Comply

The regulation divides the compliance universe along two tracks:

Mandatory (annual):

* Processors of "important data" — a category covering data whose leakage, manipulation, or destruction could threaten national security, economic stability, or public health
* Processors of personal information of more than 10 million individuals, explicitly treated as important-data processors for assessment purposes

Encouraged (every three years):

* Ordinary data processors not otherwise classified

The 10-million-individual threshold is the key practical tripwire for consumer-facing platforms. Any app or service with a sizeable Chinese user base — social media, e-commerce, fintech, health logistics, or ride-hailing — almost certainly clears it. For foreign multinationals, the rule's geographic scope extends to offshore activities that could harm China's national security or public interest.

The Assessment Process

Order No. 24 prescribes a five-stage methodology under national standard GB/T 45577-2025: (1) scope definition, (2) data-asset inventory, (3) risk identification across management, processing, and technical dimensions, (4) risk analysis and evaluation, and (5) a written summary with remediation recommendations. Companies may self-assess with a named responsible person, or engage certified third-party evaluators — but third parties cannot sub-delegate assessments, and no single assessor may serve the same client for more than three consecutive years. Reports must be submitted to sector regulators or provincial cyberspace authorities within 20 working days of completion.

AI risks are explicitly in scope: the regulation names "excessive bulk data collection, data poisoning, and model memorization leading to leakage of training data or personal information" as assessment categories — a sign that regulators anticipate growing volumes of AI-driven data processing and want audit trails in place before incidents occur.

Draft-to-Final: Some Burden Reduction

It is worth noting what the final rule removed from the December 2025 public consultation draft. That version required reports within 10 working days (doubled to 20 in the final), mandated a specific reporting template (dropped — sector-specific formats now apply), and included a "shall" (not "may") requirement for certified evaluators in high-risk cases. Assessment bodies were also originally required to report discovered risks directly to regulators — that obligation was removed, meaning confidential findings stay between evaluator and client.

These relaxations suggest an effective negotiating process involving industry groups and sector ministries. The result is a more workable rule than the draft — but the core annual-audit obligation, tri-agency co-enforcement structure, and multi-ministry reporting architecture remain firmly intact.

The Multi-Agency Question

The significance of CAC, MIIT, and MPS co-signing is not ceremonial. Each agency retains distinct jurisdiction: MIIT over telecoms, industrial internet, and app-store compliance; MPS over public-security systems, cybercrime investigations, and biometric data; CAC over internet content, platform governance, and cross-border data flows. Under Order No. 24, annual risk assessment reports flow to "competent departments" — which may mean any of the three, depending on sector.

For multinationals already navigating China's cross-border data transfer framework (fully operational since January 1, 2026, requiring CAC security assessments before important data exits China), the addition of a parallel annual audit obligation managed by three separate agencies creates a second, overlapping compliance calendar. Companies must now track two distinct processes: pre-transfer assessments for cross-border flows and annual risk assessments for ongoing data handling — potentially filed to different ministries.

Proportionate Enforcement Would Focus on High-Risk Sectors First

The critical question is how aggressively the three agencies will inspect filings. The 2025 enforcement action against Dior demonstrated that cross-border personal data transfer rules extend to foreign consumer brands, not just tech giants. Revised Cybersecurity Law amendments, effective January 1, 2026, raised maximum fines for business entities to RMB 10 million — providing a sharper financial deterrent than previous penalty caps.

Proportionate enforcement would focus initial inspections on finance, health, and critical infrastructure, using the first compliance cycle as a calibration exercise rather than a revenue event. The 20-industry sectoral standards published in 2025 to identify "important data" help — but there are well over 20 sectors with significant data-handling footprints in China, and many companies are still self-assessing whether their data crosses the "important" threshold at all.

Bottom Line

Order No. 24 is technically competent regulation that converts a vague legal obligation into an operational audit framework. The draft-to-final improvements show regulators listened on implementation feasibility. But the first-ever tri-agency co-signature is a governance signal that should not be read lightly: China's data-security enforcement architecture is consolidating, not fragmenting. Companies that treated "important data" classification as aspirational rather than operational will find the August 20 effective date uncomfortably close.
