On 24 January 2026, the Cyberspace Administration of China (CAC) released for consultation the Guidelines for Data Classification and Grading of Financial Information Service Data (金融信息服务数据分类分级指引), finalised on 13 June 2026. The Guidelines establish the first unified framework that tells banks, payment institutions and fintechs how to inventory, classify and grade the financial data they hold in China, and compliance with them is now the most urgent data-governance priority for any institution that processes financial information within the PRC.
The Guidelines introduce a mandatory four‑tier grading system: core data (核心数据), important data (重要数据), sensitive general data and general data. They require institutions to build auditable inventories, conduct data protection impact assessments (DPIAs), remediate vendor contracts and, where applicable, submit important‑data catalogues to regulators. This guide walks compliance officers, in‑house counsel and external advisers through the end‑to‑end implementation steps, ownership matrix, document checklist, realistic timeline and cost budget they need to reach compliance before regulator review or internal audit.
The Guidelines for Data Classification and Grading of Financial Information Service Data sit within the broader regulatory architecture created by the Data Security Law (DSL), the Personal Information Protection Law (PIPL) and sector‑specific guidance from the PBOC and the NFRA (which took over the functions of the CBIRC in 2023). The CAC Guidelines operationalise the DSL’s requirement that every industry sector produce classification and grading rules tailored to its own risk profile.
Financial information service data, covering transaction records, account details, credit assessments, payment flows, market data feeds and customer due‑diligence files, is now subject to a structured six‑step process: inventory data resources, classify data by subject‑matter domain, grade data against national‑security and public‑interest impact criteria, compile a classification and grading list, apply differentiated controls and maintain classifications through dynamic updates.
The data classification requirements China 2026 apply to any entity that collects, stores, processes, transmits or provides financial information service data within the territory of the PRC. This includes domestic commercial banks, policy banks, rural credit cooperatives, securities firms, insurance companies, payment institutions, licensed fintechs and financial information service providers (FISPs) regulated under the Provisions on the Administration of Financial Information Services. Critically, third‑party processors and cloud vendors handling regulated financial data on behalf of in‑scope institutions are also caught, meaning the compliance obligation cascades through vendor and outsourcing chains.
Industry observers expect the likely practical effect to be a material increase in compliance documentation and internal governance, comparable in scale to the initial PIPL rollout. Every institution must produce, at minimum, a data inventory, classification register, DPIA, controls evidence pack, remediated vendor contracts and (where the institution holds important or core data) a regulator‑ready catalogue of important data. The sections that follow break each of these deliverables into concrete implementation steps.
Before launching the classification project, institutions must confirm scope and satisfy a short list of governance prerequisites. On scope, the Guidelines apply to all financial institutions and financial information service providers operating in China, that is, the institution types listed above together with any third‑party processors and cloud vendors handling regulated financial data on their behalf. On prerequisites, the classification exercise should not commence until executive sponsorship has been secured, a Data Classification Lead has been appointed, the cross‑functional committee has been convened and a budget has been allocated; Step 1 below sets out how to evidence each of these.
The following six implementation steps form the compliance checklist that every in‑scope institution must work through. The table below provides a quick‑reference summary of each step, the responsible owner and a realistic duration estimate; detailed guidance follows in the numbered sub‑sections.
| Step | Who Does It (Owner) | Typical Duration |
|---|---|---|
| 1. Project governance & scoping | Head of Compliance / CTO / Legal | 1–2 weeks |
| 2. Data inventory & flow mapping | Data Engineering / IT / CISO | 4–8 weeks |
| 3. Classification & grading exercise | Data Classification Committee (Legal + Risk + IT) | 2–4 weeks |
| 4. Controls mapping & DPIA | CISO / IT Security / Legal | 3–6 weeks (parallel with Step 5) |
| 5. Contractual & third‑party remediation | Legal / Vendor Management | 4–12 weeks |
| 6. Catalogue submission & ongoing governance | Head of Compliance / Regulatory Affairs | 1–3 weeks after Step 3, then ongoing |
Step 1: Project governance & scoping. Owner: Head of Compliance / CTO. Objective: Secure executive sponsorship, define project scope, assemble the classification committee and allocate budget.
Obtain formal board or senior‑management sign‑off through a documented approval memo. Appoint the Data Classification Lead and convene a cross‑functional committee comprising representatives from Legal, Risk, IT/Data Engineering, Information Security and Vendor Management. Prepare a project charter that sets out milestones, resource requirements, communication cadence and an initial risk register. Shortlist any legal‑tech or data‑discovery vendors whose tooling will be needed for Step 2. Budget estimates should cover internal labour, tooling licences, external advisory and remediation costs (see the Costs section below).
Deliverables to retain: signed project charter, stakeholder map, board approval memo, initial risk register and budget estimate.
Red flag: Proceeding without documented senior‑management approval is a common audit finding. Regulators look for evidence of governance before examining technical controls.
Step 2: Data inventory & flow mapping. Owner: Data Engineering / IT, supported by Compliance. Objective: Produce a comprehensive, system‑by‑system inventory of every financial dataset stored or processed in China, and map all inbound and outbound data flows.
Deploy automated data‑discovery tools or conduct manual system surveys to catalogue every database, data warehouse, data lake, file share, SaaS application and API endpoint that holds financial information service data. For each dataset, record the system owner, data subjects (customers, counterparties, employees), data types (account data, transaction data, credit data, market data), storage location (on‑premise or cloud, region), retention period and whether the data is transferred cross‑border.
Map data flows using standardised diagrams showing the origin, intermediate processors, destinations and transfer mechanisms for each dataset. Where data crosses national borders, note the legal basis for the transfer (standard contract, CAC security assessment or PIPL certification). Prepare a draft DPIA scope document listing every dataset that will require a formal data protection impact assessment in Step 4.
Deliverables to retain: data‑inventory export (CSV or database extract), data‑flow diagrams, draft DPIA scoping document and a reconciliation log confirming coverage against the institution’s system register.
Quick win: Start with systems already catalogued in the institution’s PIPL or DSL records, then expand to identify shadow IT and ungoverned data stores. Conduct spot checks by sampling live system access logs against the inventory to detect omissions.
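The reconciliation log and the access‑log spot check described above can be scripted. The following added example (written for this edit; it is not code from the article or from the Guidelines) parses a constructed inventory export carrying the Step 2 fields, compares it against a constructed system register and a few constructed access‑log lines in an assumed `timestamp user system action object` format, and flags three kinds of gap: registered systems with no inventoried dataset, systems that appear only in the logs (shadow‑IT candidates), and cross‑border datasets lacking one of the three transfer bases named in Step 2.

```python
"""Reconcile a data inventory against the system register and live access logs.

Added example, not from the Guidelines or the original article. The inventory
fields follow Step 2 of the article; the register, the log format and every
sample record below are constructed for illustration.
"""
import csv
import io
import re

# Constructed sample inventory export (Step 2 fields: system, owner, data type,
# location, retention, cross-border flag and legal basis for any transfer).
INVENTORY_CSV = """system,dataset,owner,data_type,location,retention_days,cross_border,transfer_basis
core-banking-db,account_master,retail-it,account data,cn-shanghai onprem,3650,no,
payments-hub,txn_ledger,payments-it,transaction data,cn-beijing cloud,2555,yes,standard contract
credit-engine,credit_scores,risk-it,credit data,cn-shanghai onprem,1825,yes,
"""

# Constructed system register (the institution's authoritative list of systems).
SYSTEM_REGISTER = ["core-banking-db", "payments-hub", "credit-engine", "market-feed-gw"]

# Constructed access-log lines in an assumed "ts user system action object" format.
ACCESS_LOG = """2026-02-03T09:12:44Z alice payments-hub SELECT txn_ledger
2026-02-03T09:13:01Z svc-etl crm-export EXPORT customer_kyc
2026-02-03T09:15:27Z bob core-banking-db SELECT account_master
2026-02-03T09:20:10Z svc-etl crm-export EXPORT customer_kyc
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<system>\S+) (?P<action>\S+) (?P<object>\S+)$")

# The three cross-border transfer mechanisms named in Step 2.
VALID_TRANSFER_BASES = {"standard contract", "cac security assessment", "pipl certification"}


def load_inventory(text):
    """Parse the inventory export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def systems_in_logs(log_text):
    """Return the set of system identifiers seen in the access-log sample."""
    found = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            found.add(m.group("system"))
    return found


def reconcile(inventory, register, log_text):
    """Return the reconciliation report: gaps the inventory must resolve before Step 3."""
    inventoried = {row["system"] for row in inventory}
    return {
        # Registered systems with no inventoried dataset: coverage gap.
        "register_not_inventoried": sorted(set(register) - inventoried),
        # Systems active in the logs but unknown to inventory and register: shadow-IT candidates.
        "log_only_systems": sorted(systems_in_logs(log_text) - inventoried - set(register)),
        # Cross-border datasets without a recognised legal basis for the transfer.
        "cross_border_missing_basis": sorted(
            f"{row['system']}/{row['dataset']}"
            for row in inventory
            if row["cross_border"].strip().lower() == "yes"
            and row["transfer_basis"].strip().lower() not in VALID_TRANSFER_BASES
        ),
    }


if __name__ == "__main__":
    for key, items in reconcile(load_inventory(INVENTORY_CSV), SYSTEM_REGISTER, ACCESS_LOG).items():
        print(f"{key}: {items}")
```

On the constructed sample the report names market-feed-gw as registered but not inventoried, crm-export as a system seen only in the logs, and credit-engine/credit_scores as a cross‑border dataset with no transfer basis recorded. Each entry is exactly the kind of omission the reconciliation log has to close before the classification committee starts grading.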
Step 3: Classification & grading exercise. Owner: Data Classification Committee (Legal + Risk + IT). Objective: Assign each dataset to a classification domain and then grade it within the four‑tier hierarchy mandated by the CAC Guidelines.
The classification step groups datasets by subject‑matter domain, for example customer identity data, transaction and payment data, credit and risk data, market and pricing data and internal operations data. Once classified, each dataset must be graded against the impact criteria specified in the Guidelines. The four grading tiers are, from highest to lowest, core data, important data, sensitive general data and general data.
For each dataset graded as important or core, the committee must prepare a written grading rationale memo documenting the criteria applied, the scoring methodology and the decision. Borderline datasets should be escalated to senior management for adjudication. Update source systems and data catalogues with classification and grading labels.
Deliverables to retain: classification register (Excel or GRC‑system record), grading rationale memos for every important or core dataset, committee meeting minutes and a summary report for senior management.
Step 4: Controls mapping & DPIA. Owner: CISO / IT Security, supported by Legal. Objective: Derive the technical and organisational controls required for each grading tier, complete formal DPIAs for graded datasets and validate that controls are implemented and tested.
Using the grading output from Step 3, map each dataset to its required control baseline. Higher‑grade data (core and important) will require stricter access controls, encryption at rest and in transit, data segregation, enhanced logging, shortened retention periods and more frequent audit cycles. Sensitive general data requires standard security controls aligned with PIPL and DSL baselines, while general data requires only basic hygiene measures.
Complete a formal DPIA for every dataset classified as important or core, and for any dataset involved in cross‑border transfers. The DPIA should assess the necessity and proportionality of the processing, evaluate risks to data subjects and the state, describe existing and planned mitigations and conclude with a risk‑acceptance recommendation signed off by the Head of Compliance or a delegated senior officer.
Run control‑effectiveness testing, including penetration tests, access‑control audits and encryption‑key management reviews, and document the results. Log any control gaps in a remediation backlog with owners and deadlines.
Deliverables to retain: DPIA report (signed), control‑mapping matrix, penetration‑test and audit reports, remediation backlog with status tracking and evidence of management sign‑off on residual risk.
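One way to turn the tier‑based control baseline and the DPIA trigger rule into a repeatable check, as an added example that is not from the article or from the Guidelines: the control names, retention ceilings and dataset records below are constructed assumptions that follow the tiering described in Step 4 (stricter controls and shorter retention as the grade rises); the real baselines must be taken from the Guidelines themselves. The script derives each dataset's required controls from its grade, applies the rule that a DPIA is needed for important or core data and for any cross‑border dataset, and emits remediation‑backlog entries tagged with an owner.

```python
"""Derive required controls per grading tier and log gaps to a remediation backlog.

Added example, not from the Guidelines or the original article. The baseline
control sets, retention ceilings and sample datasets are constructed
assumptions modelled on the Step 4 description; substitute the institution's
real baseline once it is derived from the Guidelines.
"""
from dataclasses import dataclass

GRADES = ("core", "important", "sensitive general", "general")

# Constructed control baseline per tier; each tier builds on the one below it.
BASELINE = {
    "general": {"access_control"},
    "sensitive general": {"access_control", "encryption_in_transit", "standard_logging"},
    "important": {"access_control", "encryption_in_transit", "encryption_at_rest",
                  "segregation", "enhanced_logging"},
    "core": {"access_control", "encryption_in_transit", "encryption_at_rest",
             "segregation", "enhanced_logging", "key_management_review"},
}

# Constructed maximum retention (days) per tier: higher grades keep data for less time.
MAX_RETENTION_DAYS = {"general": 3650, "sensitive general": 3650, "important": 1825, "core": 1095}


@dataclass
class Dataset:
    name: str
    grade: str
    owner: str
    controls: set          # controls evidenced as implemented for this dataset
    retention_days: int
    cross_border: bool = False
    dpia_signed: bool = False


def dpia_required(ds):
    """Step 4 rule: formal DPIA for important/core data and for any cross-border dataset."""
    return ds.grade in ("important", "core") or ds.cross_border


def gaps_for(ds):
    """Return the control gaps for one dataset, each tagged with the responsible owner."""
    if ds.grade not in GRADES:
        raise ValueError(f"unknown grade {ds.grade!r} for {ds.name}")
    gaps = []
    for control in sorted(BASELINE[ds.grade] - ds.controls):
        gaps.append({"dataset": ds.name, "owner": ds.owner, "gap": f"missing control: {control}"})
    if ds.retention_days > MAX_RETENTION_DAYS[ds.grade]:
        gaps.append({"dataset": ds.name, "owner": ds.owner,
                     "gap": f"retention {ds.retention_days}d exceeds {MAX_RETENTION_DAYS[ds.grade]}d ceiling"})
    if dpia_required(ds) and not ds.dpia_signed:
        gaps.append({"dataset": ds.name, "owner": ds.owner, "gap": "DPIA required but not signed off"})
    return gaps


def build_backlog(datasets):
    """Run every dataset through the baseline and return the consolidated remediation backlog."""
    backlog = []
    for ds in datasets:
        backlog.extend(gaps_for(ds))
    return backlog


# Constructed sample drawn from a Step 3 classification register.
SAMPLE = [
    Dataset("txn_ledger", "important", "payments-it",
            {"access_control", "encryption_in_transit", "encryption_at_rest", "enhanced_logging"},
            2555, cross_border=True, dpia_signed=False),
    Dataset("account_master", "core", "retail-it", set(BASELINE["core"]), 1000, dpia_signed=True),
    Dataset("market_prices", "general", "markets-it", {"access_control"}, 365),
]

if __name__ == "__main__":
    for item in build_backlog(SAMPLE):
        print(item)
```

On the constructed sample only txn_ledger produces backlog entries: it lacks segregation, its retention exceeds the ceiling assumed for important data, and it has no signed DPIA despite being both important and transferred cross‑border. The backlog entries carry the owner so they can be assigned deadlines and tracked, as Step 4 requires.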
Step 5: Contractual & third‑party remediation. Owner: Legal / Vendor Management. Objective: Review and update all vendor, outsourcing and inter‑company agreements to reflect classification‑grade‑specific security obligations, cross‑border transfer safeguards and audit rights.
Identify every third party that processes, stores or has access to data graded as sensitive, important or core. For each relationship, review the existing contract and assess whether it includes a security annex setting out grade‑specific security obligations, a cross‑border transfer clause recording the safeguards and legal basis for any transfer, and an audit‑rights provision allowing the institution to verify compliance.
Where contracts lack these provisions, issue amendments or addenda. For high‑risk vendors handling important or core data, conduct a vendor security assessment or on‑site audit before granting continued access.
Deliverables to retain: contract amendment schedule, executed amendments and addenda, vendor audit reports and a clause‑bank reference document for future negotiations.
Step 6: Catalogue submission & ongoing governance. Owner: Head of Compliance / Regulatory Affairs. Objective: File the important‑data catalogue with the relevant regulator (if required), formalise periodic review procedures and embed classification governance into business‑as‑usual operations.
Compile the important‑data catalogue in the format expected by the CAC and any sector regulators (PBOC, NFRA, CSRC). The catalogue should list each important and core dataset, its grading rationale, the responsible business unit, the storage location, the control baseline applied and any cross‑border transfers. Submit the catalogue to the relevant data‑regulatory authority within the timeframe specified in the Guidelines or follow‑on sector rules. Retain proof of submission.
Establish an internal governance cycle that includes quarterly reviews of the classification register, triggering a reclassification whenever new data types are introduced, systems change or regulatory guidance is updated. Conduct a full annual reclassification exercise. Integrate classification governance into the institution’s existing data‑governance, information‑security and internal‑audit frameworks to avoid creating a siloed compliance function.
Deliverables to retain: important‑data catalogue (regulator and internal versions), proof of submission or filing receipt, periodic review schedule, standard operating procedures for dynamic updates and internal audit reports confirming ongoing effectiveness.
Regulators conducting a compliance review will expect the institution to produce a comprehensive evidence pack. The following table lists the documents needed, along with practical notes on format, ownership and retention.
| Document | Notes |
|---|---|
| Data inventory export | CSV or database extract listing every in‑scope system, dataset, owner, location and PII flags. Produced by IT/Data team. Retain for a minimum of 5 years. |
| Data‑flow diagrams & DPIA report | Visio/PDF diagrams plus signed DPIA document. Author: CISO / Privacy Counsel. Signed off by Head of Compliance. Store in the compliance document‑management portal. |
| Classification register & grading rationale | Excel or GRC‑system record showing the grading score, criteria applied and decision memo for each important or core dataset. |
| Important‑Data Catalogue (regulator version) | PDF or Excel in CAC template format (if prescribed). Prepared by Regulatory Affairs. Signed by senior management before submission. |
| Control implementation evidence | Change tickets, configuration screenshots, encryption‑key policies, IAM access lists and penetration‑test reports. Preserved in an audit evidence folder with timestamps. |
| Third‑party contracts & amendments | Redlined and executed agreements, including the security annex, cross‑border transfer clause and audit‑rights provision. Legal maintains a version‑control change log. |
| Board approval / project charter | Signed board minutes or management approval memo. Required to demonstrate governance sponsorship. |
| Incident‑response playbook & notification logs | IR plan; tabletop exercise reports; logs of any historical data incidents with remediation notes and evidence of regulator notification (if any). |
| Internal audit reports & manager sign‑offs | IA reports verifying that the classification exercise and control implementation are effective and up to date. |
The overall timeline for completing the data classification process depends on the institution’s size, system complexity and volume of third‑party relationships. The table below provides indicative end‑to‑end durations.
| Institution Size | Target Completion (from Project Start) |
|---|---|
| Fintech / startup (single legal entity, limited systems) | 8–12 weeks |
| Regional bank / payment provider | 3–6 months |
| Large bank / multinational with China footprint | 6–12 months (multiphase roll‑out by business unit) |
Implementation costs vary significantly depending on system complexity, vendor count and whether the institution already has mature data‑governance tooling. The table below provides indicative budget ranges for planning purposes.
| Item | Typical Amount (Range) | Notes |
|---|---|---|
| Internal project labour (compliance / IT / legal) | USD 50,000–300,000 | Depends on headcount, duration and internal billing rates. Treat as operational expense. |
| Data‑discovery / classification tooling (licence) | USD 20,000–250,000 / year | Includes one‑time deployment plus annual licence. Larger banks with complex estates pay more. |
| External DPIA / penetration test / security assessment | USD 10,000–150,000 | Depends on scope, dataset volume and vendor selection. |
| Legal contract review & amendments | USD 5,000–80,000 | Per vendor or contract set. Retain external counsel for high‑risk or cross‑border vendors. |
| Remediation implementation (dev / security) | USD 10,000–500,000+ | Highly variable. Encryption uplift, network segregation and IAM re‑architecture drive the top end. |
Most expenditure qualifies as operational rather than capital expenditure for accounting and tax purposes. However, significant technology deployments (e.g., new classification tooling platforms) may be capitalised under IAS 38 / PRC GAAP depending on the institution’s accounting policy. Institutions should confirm the treatment with their finance team and tax advisers.
2026 marks the implementation year for financial data classification in China. The CAC’s January 2026 release of the draft Guidelines, followed by a public‑consultation period and a finalised version issued on 13 June 2026, consolidated what was previously a patchwork of sector rules and guidance notes into a single, enforceable framework. The four‑tier grading hierarchy, the auditable inventory, the DPIA and vendor‑contract obligations and the important‑data catalogue described above are the substantive requirements that framework introduces.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Martin Hu at MHP Law Firm, a member of the Global Law Experts network.