On 13 June, 2025, China’s Ministry of Industry and Information Technology launched a public consultation on the draft Guidelines for the Security of Automotive Data Cross-Border Export (2025 Version) (hereinafter referred to as the draft guidelines). The move comes amid rapid growth in the self-driving technology and connected car sector, where increasing data processing activities and export demands has led to rising compliance challenges. To address these concerns and mitigate compliance risks, Chinese authorities decided to develop the guidelines, reducing regulatory burden on the automotive businesses.
The draft guidelines conclude 29 pages with 11895 Chinese characters and are structured into four chapters:
Chapter 1 – General Principles
This chapter establishes the foundational framework for enterprises to determine whether they must conduct security assessments for cross-border data activities. It clearly defines what constitutes data export and outlines permissible data transfer pathways.
Notably, the draft guidelines expand the existing regulatory framework by introducing several exemption scenarios, including:
– Operations within free trade pilot zones
– Security vulnerability remediation
– Emergency security incident response
– OTA software updates for product defect recalls
Chapter 2 – Cross-Border Transfer of Key Data
This chapter specifies six critical application scenarios and outlines a total of 49 data types requiring security assessment under these scenarios:
- R&D Design Scenarios
- Manufacturing Scenarios
- Driving-Automation Scenarios
- Software Upgrade Services Scenarios
- Network Operation Scenarios
- Additional scenarios classified under the sector standard YD/T 4981-2024 Guidelines for Identification of Key Data in Industrial Fields
Chapter 3 – Implementation Procedures for Data Cross-Border Transfer
This chapter establishes a structured three-phase compliance framework:
- Data Type Identification: Categorization of data based on sensitivity and regulatory requirements
- Transfer Pathway Determination: Selection of appropriate data transfer mechanisms in accordance with risk levels
- Security Assessment Execution: Completion of mandated evaluations for high-risk data exports
Chapter 4 – Requirements for the Security Protection of Data Cross-border Transfer
This chapter establishes comprehensive safeguards governing cross-border data transfers, outlining three critical compliance dimensions:
- Management Requirements
– Mandates organizational measures including designated oversight roles and documented policies
- Technical Protection Measures
– Specifies implementation of encryption, access controls, and other cybersecurity protocols
- Logging & Retention Obligations
– Requires systematic recording of data transfers with mandated retention periods
The draft guidelines specifically targets personal information and key data generated throughout the automotive lifecycle, including car design, manufacturing, sales, usage, operation, and maintenance. If China rolls out the draft guidelines, they will impact a wide range of stakeholders such as:
- Automotive manufacturers,
- Component and software suppliers,
- Telecommunications operators,
- Autonomous driving service providers and platform operators,
- Dealers/retailers
- Maintenance service providers, and
- Ride-hailing applications, etc.
SESEC will closely monitor the developments and updates of this draft guideline and provide timely updates on their implementation.
Chinese source: https://www.cac.gov.cn/2025-06/13/c_1751439043533847.htm
Full text of the Draft Guidelines in Chinese here:
