On February 4, 2026, the National Technical Committee on Cybersecurity (SAC/TC260) release the Cybersecurity Standard Practice Guideline – Requirements for Labeling and Identifying Technology for Network Data, which provides standardized technical specifications for data handlers to manage internal and cross-organizational data flows more effectively. The Guidelines are designed to support compliance with China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law.

Specifically, the Guideline introduces a clear technical architecture for data labeling and identification, distinguishing between two main scenarios: static scenarios for internal data management and dynamic scenarios for cross-organizational data flow. The application of network data labeling and identifying technology includes the processes of generating, binding, transmitting, verifying, receiving network data labels and identifications, as well as log retention and security protection.

Static labels are used internally and include attributes such as the data source subject, provider, and classification level. Dynamic labels, designed for data being transferred between organizations, contain more comprehensive information, including the data source, sender, receiver, data scale, timestamp, a transmission checksum for integrity, and a digital signature for authenticity.

A key aspect of the Guideline is its adaptable approach to “labeling” (binding labels to data). It prescribes different methods depending on the data’s structure:

• For unstructured or semi-structured data(like documents, images, and videos), the embedded method is used in both static and dynamic scenarios. In static scenarios, labels are embedded into the file header or metadata. In dynamic scenarios, the data sender shall embed the dynamic label into the data object and transmit them together.
• For structured data(like databases):

In static scenarios, the mapping-based method shall be used, adding mapping tables without altering the original database structure.

In dynamic scenarios, the method varies by business need: synchronous labeling for real-time transmission, or asynchronous labeling for separate transmission of data and labels.

• For high-security scenarios, such as cross-border data transfers or operations by major platforms, the Guideline recommends using a collaborative platform to act as a trusted intermediary for label archiving and verification.

The verification process requires the data receiver to check the integrity and consistency of the incoming data with its attached label. Upon successful verification, the dynamic label must be converted into a static label and stored securely. Both sending and receiving parties are required to maintain detailed logs of all labeling operations to ensure auditability.

The rollout of the Guidelines signals a pivotal transition in China’s data security framework—moving beyond legislation to concrete technical implementation. By detailing protocols for data labeling throughout its lifecycle, the system promises full traceability. For European enterprises in China, this creates immediate compliance challenges, requiring systems to adapt to both domestic rules and GDPR. However, those that swiftly align with this new architecture may secure a strategic edge in data utilization. Meanwhile, European companies should re-evaluate the data security capabilities of their China-based supply chains, ensuring that every stage from source to endpoint aligns with the technical specifications. SESEC will keep monitoring the development of this field.

Source: https://www.tc260.org.cn/portal/article/2/8decf5f653ed4fe8a6beedb73452421b