2 hours ago
3
China’s top internet regulator just laid down new rules for how financial companies must sort, label, and protect data. The guidelines, issued on June 13 by the Cyberspace Administration of China (CAC), represent the latest brick in Beijing’s growing wall of cybersecurity regulations.
The framework focuses on grading and classification of data within the financial services sector. Every financial entity operating in China now has clearer marching orders on what counts as sensitive data, what counts as really sensitive data, and what they’re supposed to do about each category.
What the guidelines actually require
The new rules zero in on how financial institutions categorize information, with particular emphasis on identifying what regulators call “important data.” That term carries legal weight in China’s regulatory ecosystem, triggering specific compliance obligations around storage, processing, and especially cross-border transfers.
Financial information service providers, including platforms that deliver market data and analysis, fall squarely within the scope.
The guidelines reinforce compliance with three pillars of Chinese data law: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law.
Cross-border data transfers get special attention. Regulators have made clear that sharing critical financial data outside China’s borders requires careful navigation, with national security and consumer protection cited as the driving concerns.
A regulatory stack that’s been building for years
The National Financial Regulatory Authority (NFRA) introduced banking and insurance data rules in December 2024. Those established sector-specific requirements for how traditional financial institutions handle customer and operational data.
The People’s Bank of China (PBOC) entered the picture with its own data security measures, set to take effect on June 30, 2025.
By January 24, 2026, the CAC had already circulated a draft specifically targeting financial information service providers. That draft laid out rules for classifying data by risk level, signaling that the final guidelines issued in June were coming.
What’s notably absent, and what it means for investors
The guidelines make no specific mention of crypto tokens or digital assets. The omission suggests that Beijing continues to treat traditional financial services and digital assets as separate regulatory domains. The data classification framework applies to banks, insurers, market data providers, and similar entities.
For traditional financial companies, the compliance burden is real and growing. Foreign firms operating in China face particular challenges, as cross-border data transfer restrictions could complicate everything from routine reporting to parent companies to sharing analytics with global teams.
The regulatory layering, NFRA rules, PBOC measures, and now CAC guidelines, creates a complex compliance matrix.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
English (US) · 