On September 16, 2025, the Secretariat of the National Technical Committee 260 on Cybersecurity of the Standardization Administration of China (TC 260) issued the National Standard System for Data Security (2025 Edition) and the National Standard System for Personal Information Protection (PIP) (2025 Edition). The release aims to strengthen the implementation of key laws and regulations, including the Cybersecurity Law, Data Security Law, Personal Information Protection Law, and the Regulation on Network Data Security Management. Moreover, these standardized frameworks are designed to establish a robust foundation for data security and personal information protection, providing essential guidance for critical tasks, industrial development, and risk mitigation. Specifically, they are expected to guide future standardization efforts, enhance data security governance, and contribute to the high-quality development of the digital economy.

The National Standard System for Data Security is composed of six core categories: Basic Commonalities, Data Security Technologies & Products, Data Security Management, Data Security Services, Product & Service Data Security, and Sector-Specific & Application Data Security (see Figure 1).

Among these categories, the Product & Service Data Security standards build upon the foundational categories (including A, B, C) to address risks in specific platforms and services, establishing security requirements and guidelines, while the Sector-Specific & Application standards form the top layer, tailoring provisions for key sectors like telecom and transportation, and emerging technologies such as AI and UAVs.

Complementing the data security framework, the National Standard System for Personal Information Protection is architected around a parallel six-category structure, which covers Basic Commonalities, PIP Technologies, PIP Management and Rights Safeguarding, PIP Assessment and Certification, Product and Service PIP, and Sector-Specific and Application PIP (see Figure 2). Likewise, product-specific standards define requirements for offerings like mobile apps, while sector-specific standards at the top layer adapt these provisions for key sectors like education and healthcare and emerging technologies related to areas such as biometric recognition data.

Moving forward, standardization will focus on four key areas to strengthen both data security and personal information protection:

  • Enhancing the Framework: Evolving both systems into a multi-tiered architecture with national standards at the core, supported by technical documents, guidelines, and case studies.
  • Accelerating Key Standards: Expediting the development of mandatory and critical standards, from data erasure for electronics to child smartwatch safety and anonymization.
  • Expanding Guidance: Formulating new standards and practical guidelines for emerging domains like AI, cross-border data, and facial recognition.
  • Boosting Implementation: Promoting the adoption of published standards through targeted initiatives and building supporting toolkits and case libraries for sectors and regions.

To conclude, the new standards frameworks bring both clarity and challenges for foreign stakeholders. While providing clearer compliance roadmaps for data security and personal information protection, they also require greater investment in governance – particularly for cross-border data flows, sensitive data handling, and compliance assessments. This represents China’s more sophisticated regulatory approach, turning compliance into an opportunity for market trust-building.

The Chinese source of the article: https://www.tc260.org.cn/front/postDetail.html?id=20250915154109