The People's Bank of China and two other departments: implement key protection for critical information infrastructure in important industries and sectors such as finance.
The People's Bank of China and two other departments have issued a public consultation on the draft Regulations for the Management of Cybersecurity in the Financial Sector.
On July 3, the People's Bank of China and three other departments publicly solicited opinions on the draft "Administrative Measures for the Cybersecurity Management of the Financial Industry." The "Regulation for the Protection of Key Information Infrastructure Security" stipulates that key information infrastructure in important industries such as finance shall receive priority protection. The Central Committee of the Communist Party of China and the State Council require the establishment of a comprehensive cross-departmental regulatory system for regulatory matters that involve multiple departments, are difficult to govern, and carry significant risks. The State Council's financial management departments jointly issued the comprehensive cross-departmental regulatory system for cybersecurity in the financial industry, which fits within the overall framework of national cybersecurity laws and regulations, applies uniformly across the financial industry, and ensures effective coordination of supervision and management. The system is also designed to dovetail with the existing and future cybersecurity management systems of the State Council's financial management departments, with the aim of strengthening the management system for financial cybersecurity and enhancing coordinated supervision of cybersecurity in the financial industry as a long-term measure.
The full text includes:
Administrative Measures for Cybersecurity Management in the Financial Industry (Draft for Comments)
Chapter 1 General Provisions
Article 1 (Purpose and Basis) In order to comprehensively regulate the cybersecurity management of the financial industry, safeguard financial services, and maintain financial security, these measures are formulated in accordance with the "Cybersecurity Law of the People's Republic of China," the "Data Security Law of the People's Republic of China," the "Personal Information Protection Law of the People's Republic of China," the "Regulation for the Protection of Key Information Infrastructure Security," and the "Regulation on Cybersecurity Management," as well as other laws and administrative regulations.
Article 2 (Scope of Application) These measures shall apply to financial institutions that build, operate, maintain, and use networks within the territory of the People's Republic of China and to the supervision and management of the cybersecurity of the financial industry. If there are regulations from other competent authorities, they shall also be complied with in accordance with the law. If there are regulations from the state on the cybersecurity management of networks involving state secrets, they shall be followed.
Article 3 (Overall Requirements for Cybersecurity Protection) Financial institutions shall fulfill their cybersecurity protection obligations in accordance with laws, administrative regulations, and relevant regulations of the state and the State Council's financial management departments, and shall assume primary responsibility for the cybersecurity of their networks. Financial institutions shall adhere to the principle of giving equal importance to cybersecurity and information technology development, provide the necessary resources for cybersecurity work, establish and improve cybersecurity systems suited to their organizations, enhance cybersecurity protection capabilities, effectively manage cybersecurity risks, prevent illegal activities on networks, and actively provide technical support and assistance to public security organs and state security organs in maintaining national security and investigating crimes.
Article 4 (Industry Self-Discipline) Trade associations in the financial industry shall enhance self-discipline management, formulate regulations on cybersecurity behavior and group standards in accordance with the law, and guide their members to strengthen cybersecurity protection.
Chapter 2 Cybersecurity Protection Obligations
Article 5 (Cybersecurity Responsibility System) Financial institutions shall establish and implement a cybersecurity responsibility system in accordance with relevant regulations of the state, and appoint a person responsible for cybersecurity.
Article 6 (Cybersecurity Governance) Financial institutions shall establish a cybersecurity management organizational structure and decision-making mechanism, designate a department responsible for cybersecurity as the lead management department, ensure the allocation of funds and personnel for cybersecurity, formulate internal cybersecurity management systems and operational procedures, clarify the cybersecurity protection responsibilities of the institutions, branches, subsidiary legal entities, etc., and supervise the implementation of cybersecurity protection responsibilities.
Article 7 (Secure Network Operations) Financial institutions shall carry out network operation monitoring, cybersecurity risk and incident reporting, etc., in accordance with laws, administrative regulations, relevant regulations of the state and the State Council's financial management departments, establish and improve emergency response plans for cybersecurity incidents, take corresponding technical and management measures to ensure secure network operations.
Article 8 (Network Security Level Protection) Financial institutions shall reasonably determine the security protection levels of their networks in accordance with the requirements of the national network security level protection system, fulfill the obligation of level determination and record filing, conduct regular network security level evaluations, and promptly rectify risks identified in the evaluations.
Article 9 (Use of Commercial Cryptography) Financial institutions shall use commercial cryptography to protect network security in accordance with the requirements of the national network security level protection system. If the State Council's financial management department has further regulations on the use of commercial cryptography, financial institutions shall comply with those regulations.
Article 10 (Network Data Protection) Financial institutions shall strengthen the classified management of network data, implement relevant technical and management measures in accordance with laws, administrative regulations, relevant regulations of the state and the State Council's financial management departments, prevent network data from being tampered with, destroyed, leaked, or illegally accessed and utilized.
Article 11 (Protection of Personal Information on Networks) Financial institutions shall regulate the processing of personal information in accordance with laws, administrative regulations, relevant regulations of the state, and the State Council's financial management departments, ensuring the security of personal information. Financial institutions are encouraged to use the national network identity authentication public service for user identity verification.
Article 12 (Innovation in Technological Applications) Financial institutions shall manage the risks of information technology applications in accordance with laws, administrative regulations, relevant regulations of the state, and the State Council's financial management departments.
Article 13 (Prevention of Illegal and Unauthorized Information) Financial institutions shall strengthen the management of information published on networks and, in accordance with laws, administrative regulations, relevant regulations of the state, and the State Council's financial management departments, cease the transmission of information prohibited by laws and regulations, take corrective measures, and report to the relevant competent authorities to prevent the spread of such information and keep relevant records.
Article 14 (Security Management of Information Services) Financial institutions that provide application software download services to the public shall detect and block malicious programs and illegal information in accordance with laws, administrative regulations, relevant regulations of the state, and the State Council's financial management departments. If malicious programs are detected in application software, or if the software contains information prohibited by laws and regulations, financial institutions shall immediately suspend the download service, keep relevant records, and report to the relevant competent authorities.
Article 15 (Identification of Key Information Infrastructure in the Financial Industry) The State Council's financial management department shall organize the identification of key information infrastructure in the financial industry in accordance with the rules for identifying key information infrastructure, determine the results of the identification, promptly notify the operators of key information infrastructure in the financial industry (hereinafter referred to as operators), and report to the State Council's Ministry of Public Security, copying the National Cyberspace Administration. In the event of mergers, separations, disbandments of operators, or significant changes in key information infrastructure that may affect the identification results, operators shall promptly report the relevant circumstances in accordance with the relevant regulations of the State Council's financial management department.
Article 16 (Organizational Structure and Performance Assurance of Operators) The main person in charge of operators is responsible for the security protection of key information infrastructure in the financial industry. Operators shall appoint a senior network security officer as the head of the cybersecurity leadership team, responsible for the security protection of key information infrastructure, and appoint a security manager for each key information infrastructure to organize and implement security protection measures for the infrastructure. Operators shall establish a dedicated security management organization, conduct security background checks on the person in charge of the security management organization and key position personnel, and submit security protection plans and cybersecurity work summaries for key information infrastructure in accordance with the relevant regulations of the State Council's financial management department.
Article 17 (Supply Chain Security) Operators shall declare cybersecurity reviews in accordance with national cybersecurity regulations and the financial industry's preemptive guidelines, and submit annual procurement lists of network products and services and cloud computing services in accordance with the relevant regulations of the State Council's financial management department. Operators shall regulate the use of commercial cryptography according to the relevant regulations on the management of commercial cryptography for key information infrastructure.
Article 18 (Risk Assessment) Operators shall conduct cybersecurity testing and risk assessments of key information infrastructure at least once a year, either independently or through cybersecurity service organizations. The assessments shall at least cover cybersecurity level evaluations, assessments of the security of commercial cryptography applications, the implementation of relevant systems and national standards for the security protection of key information infrastructure, the protection of data and personal information processed by the infrastructure, the monitoring and handling of cybersecurity risks related to the infrastructure, and the implementation of emergency response measures for cybersecurity incidents. Operators shall promptly rectify security issues identified in assessments, and submit annual reports on testing, assessments, and rectifications in accordance with the relevant regulations of the State Council's financial management department.
Article 19 (Cybersecurity Incident Emergency Plans) Operators shall develop emergency plans for key information infrastructure in line with national cybersecurity incident emergency plans and those specific to the financial industry's key information infrastructure. They shall regularly conduct drills, standardize reporting and response procedures for cybersecurity incidents related to key information infrastructure, and address significant cybersecurity threats.
Chapter 3 Coordinated Supervision and Management
Article 20 (Principles of Coordinated Supervision) The State Council's financial management department, in accordance with laws, administrative regulations, decisions and deployment by the central authorities and the State Council, shall be responsible for the cybersecurity management of financial institutions within the scope of their regulatory responsibilities. The State Council's financial management department shall support and cooperate with the national cyberspace administration, the State Council's Ministry of Public Security, the National Administration of Cryptography, and other relevant competent authorities in conducting cybersecurity protection and supervision and management involving the financial industry. Branches and agencies of the State Council's financial management department shall carry out cybersecurity supervision and management within their jurisdictions in accordance with the division of responsibilities of the State Council's financial management department.
Article 21 (Coordination in Implementing Special Cybersecurity Tasks) If the central authorities and the State Council or relevant decision-making and coordination mechanisms have specified roles, the State Council's financial management department shall be responsible for fulfilling those roles. If certain matters are designated as the responsibility of a specific State Council financial management department, that department shall further elaborate the division of responsibilities within the established framework of responsibilities, based on the authorization and provisions of laws and regulations. For matters that fall under neither of the two aforementioned categories, responsibilities shall be clarified after consultation and negotiation among the State Council's financial management departments.
Article 22 (Information Sharing) The State Council's financial management department and its counterpart institutions shall strengthen the sharing of information on cybersecurity incidents, risks, trends, intelligence, etc., and jointly analyze and assess the overall risk situation involving the financial industry.
Article 23 (Cooperation in Supervision and Management) Financial institutions shall voluntarily accept and cooperate with relevant competent authorities, the State Council's financial management department and its branches, and agencies in conducting cybersecurity supervision and management, and shall provide timely and complete information and documentation, and shall not refuse or obstruct the legal supervision and inspections conducted by the relevant competent authorities, the State Council's financial management department, and its branches and agencies.
Chapter 4 Legal Responsibilities
Article 24 (Handling of Transmission of Illegal and Unauthorized Information) If a financial institution fails to promptly stop the transmission of malicious programs or information that is prohibited by laws and regulations, and does not take corrective measures or keep relevant records, the State Council's financial management department and its branches and agencies shall transfer the relevant case information to the relevant competent authorities at the same level and cooperate with them in handling the matter according to the law.
Article 25 (Sanctions for Failure to Use Commercial Cryptography as Required) If a financial institution fails to use commercial cryptography to protect network security as required by the national network security level protection system, or if an operator violates the regulations on the use of commercial cryptography for key information infrastructure, the State Council's financial management department and its branches and agencies shall transfer the relevant case information to the competent authority at the same level in charge of cryptography and cooperate with it in handling the matter according to the law.
Article 26 (Penalties for Failure to Cooperate in Supervision and Inspection) If a financial institution refuses or obstructs supervisory inspections conducted by the State Council's financial management department and its branches and agencies, it shall be punished according to the relevant provisions of the "Law of the People's Republic of China on the People's Bank of China," the "Law of the People's Republic of China on Commercial Banks," the "Banking Law of the People's Republic of China," the "Insurance Law of the People's Republic of China," the "Securities Law of the People's Republic of China," the "Law on Securities Investment Funds of the People's Republic of China," the "Law on Futures and Derivatives of the People's Republic of China," the "Cybersecurity Law of the People's Republic of China," the "Regulations on the Supervision and Administration of Private Investment Funds," and the "Regulations on Foreign Exchange Management of the People's Republic of China."
Article 27 (Penalties for Violation of Other Cybersecurity Protection Obligations) If a financial institution fails to fulfill the cybersecurity protection obligations stipulated in these measures and in the laws and regulations on cybersecurity, data security, personal information protection, the protection of key information infrastructure, and cybersecurity management, and those laws and regulations stipulate penalties, the State Council's financial management department and its branches and agencies shall impose the penalties in accordance with those laws and regulations, within the scope of their supervisory responsibilities. If penalties are not stipulated in the above-mentioned laws and regulations but are stipulated in other laws and regulations, penalties shall be imposed in accordance with those provisions.
Article 28 (Other Legal Liabilities) If a financial institution fails to fulfill the cybersecurity protection obligations stipulated in these measures and is suspected of violating public security regulations, the case shall be transferred to the public security organs for handling; if it constitutes a crime, it shall be transferred to the judicial authorities for criminal responsibility.
Article 29 (Penalties for Violation by Management Personnel) If employees of the State Council's financial management department and its branches and agencies neglect their duties, abuse their powers, engage in favoritism, or commit corruption, they shall be subject to disciplinary actions according to the law and regulations; if they commit crimes, they shall be transferred to the judicial authorities for criminal responsibility.
Chapter 5 Supplementary Provisions
Article 30 (Definition of Terms) In these measures, the following terms shall have the following meanings: (1) Financial institutions refer to financial institutions and other institutions established or recognized by the State Council's financial management department. (2) State Council's financial management department refers to the People's Bank of China, the China Banking and Insurance Regulatory Commission, the China Securities Regulatory Commission, and the State Administration of Foreign Exchange. (3) Key positions refer to positions directly related to the security protection of key information infrastructure that have comprehensive knowledge of its planning, construction, development and testing, secure operation, and daily maintenance.
Article 31 (Management of Network Security in Local Financial Organizations) Local financial regulatory authorities shall take the lead in supervising and managing the cybersecurity obligations of local financial organizations, and may formulate corresponding management systems in accordance with these measures and relevant regulations of the State Council's financial management department on cybersecurity.
Article 32 (Interpretation) The State Council's financial management department shall be responsible for interpreting these measures.
Article 33 (Effective Date) These measures shall come into effect on [specific date in 2026].
This text is compiled from the "People's Bank of China's official website"; GMTEight Editor: Huang Xiaodong.