On 1 September 2021, the Data Security Law was officially enforced in China. This Law puts forward requirements on establishing a standards system for data security, and to participate proactively in international data security standardization activities. Since then, TC 260, as China’s standard development organizations in charge of cybersecurity, has formulated 26 national standards (7 of them already released) for data security, released 3 technical documents and practical guidelines, and participated in formulation of 5 international standards.
On the occasion of the first anniversary of the Data Security Law enforcement (1 September 2022), TC 260 released a form summarizing the progress and achievements of its standardization work, and the support it provides to the implementation of the Data Security Law. The form is presented in the Annex below; it includes general mechanisms, specific items, articles of the Law supported, needs for standard, and the standards drafted/revised/released by TC 260. General mechanisms mostly correspond to the name of the relevant chapters in the Data Security Law. Those standards indicated with the status “draft” indicate those standardization project which had not yet been officially approved by the time of publication; more information about these projects and their progress is available in TC 260’s recently-released List of Projects for Formulation of National Cybersecurity Standards in 2022 (click here to check the original Chinese version), which shows the approved standardization project that are ready to get kicked-off.
In terms of recommendations for next steps, TC 260 indicates four major topics: data security-related technology and product, data security-related risk monitoring and emergency response, data as a production factor and market safety, as well as other related topics. The advice is only for reference since they are not officially confirmed yet.
Annex: Summary of Standardization Activities Supporting the Implementation of the Data Security Law.
(Please note that the form indicates information as it was when released on 1 September 2022. Since that time, certain information might have already been updated: for instance, the Security requirements for processing of motor vehicle data has already been released, even though the form below shows “waiting for approval”)
