
On December 8, 2025, the National Energy Administration (NEA) issued the Measures on Data Security Management in the Energy Sector (Trial) (hereinafter referred to as the Measures), which are set to take effect on July 1, 2026 and will be valid for a period of five years. This regulatory framework represents a significant step in implementing China’s overarching Data Security Law within the critical energy sector, aiming to standardize data processing activities, strengthen security management, mitigate risks, promote data utilization, and safeguard national security and development interests.
The Measures define “energy sector data” as information from activities including energy planning, production, transportation, consumption, and research, while noting that city gas, heating, and gas station data fall under other relevant authorities. An “energy data processor” is defined as any entity within the sector that engages in processing activities, encompassing the collection, storage, use, processing, transmission, provision, disclosure, or deletion of such data. A cornerstone of the Measures is the establishment of a three-tier data classification system: General, Key, and Core Data. Key Data is defined as information which, if leaked, tampered with, or destroyed, could directly harm national security, economic operations, social stability, or public health and safety. Core Data is a subset of Key Data whose illegal use or sharing could directly impact political security. General Data encompasses all energy sector data not classified as Key or Core.
Moreover, the Measures provide a three-level governance structure:
- NEA: Holds overarching supervisory authority, formulates data classification standards, and approves the national Key Data catalogues.
- Provincial Energy Authorities: Conduct supervision within their regions, compile and update local Key Data catalogues, and manage incident reporting and emergency response.
- Energy Data Processors: Bear primary security responsibility. Key duties include identifying and cataloging their Key Data, reporting to local authorities, and establishing internal data security management systems.
For processors of Key and Core data, the Measures stipulate several critical obligations:
- Annual Assessment: Must perform at least one yearly risk assessment of data processing activities, address issues and report findings.
- Technical Measures: Must apply safeguards like encryption and authentication throughout the data lifecycle.
- Access Management: Must enforce strict, least-privilege access controls.
- Data Transfers: Overseas transfers of Key Data require a mandatory data export security assessment. Sharing Core Data with other entities may trigger NEA risk assessments, particularly for significant volumes.
- Incident Handling: Must promptly remediate flaws and report security incidents.
The Measures establish the core regulatory framework for energy sector data security. Technical classification standards will follow to aid implementation. Foreign-invested firms should now prepare for compliance with the new cataloging, assessment, and protection mandates.
Chinese source of the article: https://www.gov.cn/zhengce/zhengceku/202512/content_7051044.htm



