China China Cybersecurity Law data localisation

China's Order No. 24 Turns a Vague Data-Security Mandate Into an Annual Compliance Calendar

Order No. 24 mandates annual data-risk self-assessments for 'important data' handlers — eased from its draft, but still a real compliance load.

China's Order No. 24, By the Numbers People of Internet Research · China 20 working days Annual filing deadline Doubled from the draft's 10-day wi… Aug 20, 2026 Rule takes effect Roughly nine weeks after publicati… RMB 10M Max fine, core data breach Ceiling under Article 45 of the 20… 3 consecutive years Assessor tenure cap A certified third-party assessor c… peopleofinternet.com
China's Order No. 24, By the Numbers People of Internet Research · China 20 working days Annual filing deadline Aug 20, 2026 Rule takes effect RMB 10M Max fine, core data breach 3 consecutive years Assessor tenure cap peopleofinternet.com

Key Takeaways

From One Sentence to a Rulebook

On June 18, 2026, China's Cyberspace Administration (CAC), Ministry of Industry and Information Technology (MIIT), and Ministry of Public Security (MPS) jointly published Order No. 24, the Measures for Network Data Security Risk Assessment — approved at the CAC's 12th office meeting of 2026 on June 1 and set to take effect August 20, 2026 (CAC announcement). The rule is the first tri-agency regulation of its kind on data security, and it does something narrow but consequential: it converts a single clause in the 2025 Regulations on Network Data Security Management — that "important data handlers" must periodically assess their risk — into an actual operating procedure, with defined triggers, deadlines, and consequences.

Under the Measures, entities designated as important data handlers must conduct a comprehensive risk assessment at least once a year, plus ad hoc reassessments when their security posture changes materially, and must file a report with the relevant regulator within 20 working days of completing it (Hunton Andrews Kurth summary). General data handlers face only a non-binding suggestion to self-assess every three years.

Steelmanning the Rule

The underlying instinct is defensible. China has genuine reason to worry about data risk: the 2021 Data Security Law already treats leaks or mishandling of "important data" and "national core data" as matters of national security, backed by fines up to RMB 10 million and possible business-license revocation for the most severe violations (Data Security Law, official translation). A regulator that wants firms to actually find their own weak points before a breach happens — rather than discovering them after one, in the headlines — has a reasonable case for mandating structured self-review. And a fixed annual cycle with a known filing window is, in principle, more predictable than the alternative: ad hoc audits triggered at a regulator's discretion, with no calendar a compliance officer can plan around. Predictability is something proportionate-regulation advocates should actually welcome, not just tolerate.

Where Beijing Pulled Its Punches

What's notable is how much the final text backed off from the December 2025 draft after the public comment period closed on January 5, 2026 (Digital Policy Alert tracker). Three changes stand out, and all cut toward lighter compliance load:

That is a real, substantive retreat, and it suggests the consultation process did what consultation is supposed to do. Regulators listened, and the version that shipped is materially less burdensome than the one they proposed. That is worth crediting explicitly rather than assuming every Chinese data rule tightens on contact with industry feedback.

The Cost That Didn't Go Away

But the loosened procedural mechanics don't touch the rule's actual weak point: nobody outside the regulator reliably knows who counts as an "important data handler" in the first place. China's data laws define the term only in general terms, and firms are largely left checking whether their sector regulator — automotive, finance, healthcare, and so on — has published its own catalogue, or waiting to be notified directly (Chambers & Partners, Data Protection & Privacy 2026 guide). A firm that guesses wrong either over-invests in a compliance regime it never needed, or under-invests and faces the fine schedule set out in Article 45 of the 2021 Data Security Law: RMB 500,000 to 2 million for ordinary violations that go uncorrected, up to RMB 10 million for anything touching national core data. Order No. 24 gives that ambiguous designation a hard annual deadline and a paper trail — it operationalizes the uncertainty rather than resolving it.

The better fix was available and wasn't taken: publish a comprehensive, cross-sector important-data catalogue, and let a Cybersecurity Law or Data Security Law assessment already on file satisfy this one instead of stacking a fourth parallel compliance calendar on top of PIPL, CSL, and cross-border transfer assessments multinationals already run. For a foreign firm weighing whether China's data regime is navigable or simply exhausting, the procedural mercy in Order No. 24 helps at the margin — but the classification fog is still the real tax, and this rule leaves it firmly in place.

Sources & Citations

  1. CAC — official publication of Order No. 24
  2. Data Security Law of the PRC, official translation (Art. 45 penalties)
  3. Hunton Andrews Kurth — summary of the final Measures
  4. geopolitechs.org — analysis of draft-to-final changes
  5. Digital Policy Alert — regulatory tracker entry
  6. Chambers and Partners — China Data Protection & Privacy 2026 guide