On 24 January, the Cyberspace Administration of China (CAC) released the Draft Guidelines on Data Classification and Grading for Financial Information Services (the Guidelines) for public consultation. The draft Guidelines require financial institutions, technology companies and other financial market participants to create a data inventory, classify that data using a strict taxonomy and notify certain important data types to their regulator. The consultation runs until 23 February 2026.
The cross-sector data classification landscape
Since the Data Security Law took effect in September 2021, China has gradually built a cross-sector and industry data security framework, most recently complemented by the Network Data Security Management Regulations (effective from 1 January last year).
The national standards on data classification and grading, effective from November 2024, established a precedent to guide businesses on data classification across sectors and industries. Sector- and industry-specific rules and guidelines on classified data security protection have emerged over the past few years across a range of sectors and industries, including industrial, telecommunications, education, healthcare, securities and futures, aviation, transportation, automotive, natural resources and energy.
In the financial services industry, both China’s central bank – namely the People’s Bank of China (PBoC) – and China’s National Financial Regulatory Administration (NFRA) have released rules that require in-scope financial industry players to classify and grade data to enhance data security. The Guidelines, once implemented, will mark the CAC’s latest effort in conjunction with financial industry regulators to translate general data classification and grading requirements into operational standards for the financial information services sector.
Who is captured by the Guidelines?
The Guidelines apply broadly to financial information service providers (FISPs) operating in China. Entities are in scope where they provide information and/or financial data that may influence financial markets to users engaged in financial analysis, trading, decision‑making or other financial activities.
This extends beyond various licensed financial institutions (such as banks, securities firms, and insurance institutions) whose business lines provide financial information services, to include financial technology companies, rating agencies, outsourced technology platforms serving financial institutions, and financial news or intelligence services. For example, both the 31 non-PRC firms which have registered with the CAC for their offshore financial information services offering into the PRC, and the 10 international brands which have established PRC-based entities to provide financial information services in the PRC, will be subject to the Guidelines.
Three-tier data classification framework
The Guidelines introduce a three-tier data classification framework built around how data is used in specific financial activities. At the top level, data is divided into business data (“业务数据”), user data (“用户数据”), and enterprise data (“企业数据”). These are then refined into nine second-tier categories and 66 third-tier types:
| Tier 1 | Tier 2 | Tier 3 (non-exhaustive) |
| Business data | Financial market data | Stock, bonds, funds, foreign exchange, commodities data |
| Business data | Macroeconomic data | National accounts, price indices, trade, investment data |
| Business data | Organisational data | Business related, employee related or financial information of listed companies or financial institutions |
| Business data | Industry indicator | Industry supply chain data, demand metrics |
| Business data | News and reports data | Industry news, research reports, policies, expert opinions |
| User data | Individual user data | Basic information, transactions data and biometric data |
| User data | Institutional user data | Basic information, transactions data |
| Enterprise data | Business management data | Finance, settlement, HR, marketing and other operational data |
| Enterprise data | System operations data | System configurations, logs, security monitoring and security incident data |
Four-tier grading system
The Guidelines adopt a four-tier grading system for financial data: core data (“核心数据”), important data (“重要数据”), sensitive general data (“敏感一般数据”) and ordinary general data (“常规一般数据”), each attracting differentiated protection requirements. This approach to distinguishing sensitive data from general data appears broadly consistent with the frameworks adopted under the PBoC rules (which employ the concept of a “highly sensitive data field”) and the NFRA measures (which refer to “sensitive data”), though it remains to be seen whether these regulators will clarify the precise alignment of these concepts.
When grading a dataset, FISPs must assess three dimensions together:
- Grading elements: This considers coverage, time span, accuracy, public disclosure status and geographic scope.
- Affected objects: This considers potential impact on national security, economic operations, social order, public interests, organisational interests and individual rights.
- Degree of harm: This considers particularly serious harm, serious harm and general harm.
A dataset must be graded according to the highest grade of any data item it contains. For example, if a dataset combines ordinary general data with core data, the entire dataset must be handled as core data.
Typical examples of important data now specified
Appendix A sets out detailed grading guidance and key examples for the 66 granular data types identified in the Guidelines.
Notably, Appendix A specifies some concrete numerical thresholds for core data, important data and sensitive general data relating, respectively, to individual users and institutional users in financial information services:
| User type | Data category | Data description | Core data | Important data | Sensitive general data |
| Individual users | Basic information | Individual users’ basic personal information, such as name, gender, birthday, mobile phone number, ID number, email address, correspondence address, location information, user portrait, account password, behavioural data | >100 million individuals | >10 million individuals | Others |
| Individual users | Transaction data | Individual users’ financial accounts, financial assets, trading positions, trading orders | >100 million individuals | >1 million individuals | Others |
| Individual users | Biometric identification | Individual users’ biometric information, such as faces and fingerprints | >10 million individuals | >100,000 individuals | Others |
| Institutional users | Basic information | Institutional users’ basic information, such as the name, address, contact person, business license, unified social credit code, organisation description, institutional user preferences, institutional account password information | >10 million institutions | >1 million institutions | Others |
| Institutional users | Transaction data | Institutional users’ financial assets, trading positions, trading orders | >100,000 institutions, or if disclosure or tampering could directly affect national security, regardless of volume | Others |
The six-step process
The Guidelines set out a six-step process for data classification and grading.
FISPs should create an inventory of all data assets and build a complete data register, classify each dataset using a top-down taxonomy, grade the sensitivity of each dataset against the prescribed factors and protected interests, validate the results, and report the important data catalogue to the competent regulator. FISPs are also under an ongoing obligation to periodically review and update classifications.
Implications for market participants in financial services and beyond
Financial information services usually involve large and technically complex datasets spanning multiple categories and sensitivity levels. The initial classification and grading exercise will be resource-intensive, and keeping catalogues accurate over time will require sustained governance and technical support.
FISPs that obtain data from Chinese financial institutions, listed companies or government statistical authorities, in particular, should:
- Confirm with upstream data providers whether data supplied has been classified as core or important data under the Guidelines.
- Establish contractual or procedural mechanisms requiring upstream providers to notify them promptly of any change in the classification of supplied datasets.
Multinational groups distributing financial information products with PRC-generated data should also expect queries from clients on data sources, classification status, and compliance with China’s data security requirements. Investors acquiring PRC datasets should, on the flipside, consider enhancing their due diligence and contractual protections accordingly.
Once implemented, the Guidelines are likely to have broader implications extending beyond the financial sector. In particular, the comprehensive examples of important data identified in the Guidelines encompass not only financial data but also industry indicator data, supply chain data and research reports. These examples may serve as a useful reference point for organisations across sectors when developing and implementing their own data classification policies and catalogues.
While the Guidelines focus primarily on data classification and grading methodology, organisations remain subject to existing requirements to implement appropriate safeguards commensurate with the classification and grading assigned to their data, and should continue to monitor regulatory developments in this area.
We remain ready to assist businesses in aligning their practices with the latest regulatory requirements.

For further information, please contact:
Alex Roberts, Partner, Linklaters
alex.roberts@linklaters.com




