On October 9, the Ministry of Industry and Information Technology (MIIT) drafted the Implementing Rules for Data Security Risk Assessments in the Field of Industry and Information Technology (for Trial Implementation) (Draft for Comment) (the "Draft"), which is currently open for public comments until November 8, 2023.

The Draft, consisting of 17 articles, establishes a two-level work system for data security risk assessments at the ministerial and provincial levels, refines the assessment obligations of processors of important data and core data, and clarifies the mechanism and process for competent industry authorities to supervise and manage assessment activities. Its main contents include the scope of application and management responsibilities, assessment objects and contents, assessment mechanism requirements, the review, supervision and management system, and confidentiality and other requirements. Among other things, the Draft specifies the assessment period, circumstances for re-application of an assessment, permissible assessment methods, and regulations on commissioned assessment, assessment collaboration, risk control, and submission of assessment reports.

(Source: Ministry of Industry and Information Technology)