China’s financial regulators jointly issued the Financial Information Service Data Classification and Grading Guidelines on June 13, 2026, setting new rules for data security in the financial sector [1, 2, 3]. The guidelines apply to all financial information service providers operating in China and establish a framework for data classification, grading, and protection [1, 2, 3].

Data under the guidelines is sorted into three main categories: business data, user data, and enterprise data. Each category is further broken down into nine secondary categories and 67 tertiary categories based on specific business attributes [1, 2, 4]. Data is also graded into four levels reflecting the potential impact of breaches or misuse: core, important, sensitive general, and general [1, 2]. This system aims to keep protection efforts proportionate to the data’s sensitivity and importance.

Firms must inventory their data, classify and grade it according to the new categories and levels, maintain classification lists, and report catalogs of important data to regulators [1, 2]. This structured approach is designed to standardize data management and enhance security amid rapid growth and frequent data flows within China’s financial information sector [1, 2, 4].

The guidelines were issued collaboratively by six major agencies: the Cyberspace Administration of China, People’s Bank of China, National Financial Regulatory Administration, China Securities Regulatory Commission, National Bureau of Statistics, and State Administration of Foreign Exchange [2, 3]. They align with several existing Chinese laws, including the Cybersecurity Law, Data Security Law, Personal Information Protection Law, Network Data Security Management Regulation, and the Financial Information Service Management Provisions [3].

The new guidelines clearly define how financial data must be classified and handled to comply with national data security requirements. Implementation and enforcement details will unfold as regulators monitor adherence by financial service providers.