On 22 May 2023, China’s Ministry of Industry and Information Technology issued the Guidelines for Establishing Industrial Data Security Standard System (Draft for Comment) (hereinafter referred to as the Guidelines). The Guidelines, which are aimed at supporting the implementation of the data security and protection requirements outlined in the Data Security Law and Cybersecurity Law, are open for comment until 22 June. Stakeholders are free to submit comments via email or the contact number.

The Guidelines target national standards, sector standards and association standards. The goal for the short to medium term is to establish a standard system, support the requirements of data security management, and meet relevant regulatory and industry demand. The Guidelines also set quantitative goals, including the development of more than 30 standards (national, sector, or association) by 2024, and more than 100 by 2026.

Similar to standard systems in other fields, the Guidelines mainly consist of three parts: the basic principles, goals, and structure of the standard system (see below); implementation measures; and two annexes listing relevant standards already published, standards currently under development, and the standards or priorities for future development. In general, the lists included in the annexes are comprehensive and detailed. Yet the Guidelines remain vague about the perspective from which, and the considerations with which, the standards in each vertical sector will be developed. For instance, the Guidelines list the development of key data determination, data grading and classification, and data protection for the energy conservation and resource usage sector as one of the priorities. Yet it is hard to tell from that priority what type of data it will cover and to what extent its protection will be differentiated from that of other sectors.