New Data Security Management Measures in China's Energy Sector
Release Date: 2026-01-16

On December 12, 2025, the Measures for Data Security Management in the Energy Industry (trial) (the "Measures", in Chinese: 《能源行业数据安全管理办法(试行)》) were publicly issued by the National Energy Administration (the "NEA"), which are to be officially implemented on July 1, 2026.

The introduction of these Measures implements the requirements of Article 6 of the Data Security Law of the People's Republic of China, which emphasizes the importance of data security in critical industries. As the first regulatory document of its kind in the energy sector, the Measures are designed to strengthen data security management within the energy sector, ensuring robust protection while supporting lawful and orderly data development.

The Measures will be applicable to the data processing activities in the energy sector within the territory of the People's Republic of China (the "PRC" or "China").

One of the notable features of the Measures is the 7-month transition period between official release and the implementation date. This transition period is intended to allow energy sector regulators to formulate supporting rules, including the data classification and grading standards and important data catalogues. For companies, it is not a waiting phase but a window in which to conduct compliance gap analyses and implement corrective actions, so that they are ready for full compliance by July 2026.

01. Responsibilities of Data Processors in the Energy Sector

Data processors are the primary obligated subjects. Processors of important data and core data in the energy sector bear the main responsibility for their own data security.

Accountability is also assigned to individuals. On one hand, the legal representative or principal person in charge of the entity is primarily responsible for data security. On the other hand, the person in charge of data security is the directly responsible person.

In addition, data processors are responsible for providing organizational safeguards. Entities shall clearly designate a data security officer and management body, and establish and improve a sound data security management system.

02. Three-tier Data Classification

Based on the importance, precision, scale, and security risks of data, the Measures classify data in the energy sector into three levels and implement differentiated protection requirements.

Core Data refers to important energy sector data that has relatively high coverage over a sector, group, or region, or that reaches relatively high precision, large scale, or a certain depth. Once illegally used or shared, such data may directly affect political security. It mainly includes: data related to key areas of national security; data related to the lifeline of the national economy, important livelihoods of people, and major public interests; and other energy sector data determined through assessment.

Important Data refers to energy sector data related to specific sectors, specific groups, or specific regions, or that reaches a certain level of precision and scale. Once leaked, tampered with, or destroyed, such data may directly endanger national security, economic operations, social stability, public health, and safety. Energy sector data that only affects the organization itself or individual citizens is generally not classified as important energy sector data.

General Data refers to other energy sector data that does not fall under important data or core data.

03. Specific Action List for Data Processors

The Measures set out specific requirements for data processors in processing data in the energy sector, especially for important data and core data in this sector.

1. Requirements for important data catalog management

a) Identification and compilation: Energy data processors shall, in accordance with the energy sector data classification and grading standards, identify and compile their own catalog of important data in the energy sector.

b) Submission and review: The catalog shall be submitted to the provincial energy regulatory authority based on the location of the data carrier. After summary and review by the provincial authorities, it shall be submitted to the NEA.

c) Catalog contents: Including but not limited to data fields such as data category, level, scale, precision, source, carrier, scope of application, external sharing, cross-border transfer, security status, and responsible entity; the catalog does not include the data content itself.

d) Dynamic maintenance: the catalog shall be kept up to date, and an updated catalog shall be resubmitted within three months.

2. Regular conduct of data security risk assessments

Processors of important data in the energy sector shall conduct a risk assessment at least once a year, promptly rectify identified risks, and submit the risk assessment report in accordance with the requirements of the provincial energy regulatory authority.

3. Strict control of cross-border transfer of important data

Where important data in the energy sector collected and generated within the territory of China needs to be provided abroad, the data processor shall apply for a security assessment for the cross-border data transfer in accordance with laws and regulations.

4. Implementation of the cybersecurity multi-level protection scheme (MLPS)

As for important data, the information networks that store or process it in the energy sector shall implement Level 3 or above requirements of the MLPS.

As for core data, on the one hand, information networks that store or process core data in the energy sector and involve critical information infrastructure shall, on the basis of the MLPS, implement critical information infrastructure security protection requirements. On the other hand, where critical information infrastructure is not involved, Level 4 requirements of the MLPS shall be implemented.

5. Prudent implementation of cross-entity transfer of core data

Where core data processors provide, transfer, or share core data with other legal entities, necessary security protection measures shall be adopted, and data recipients shall be informed to implement classification and grading protection according to the corresponding level.

If the cumulative amount of core data provided, transferred, or shared since January 1 of the current year may reach 30% or more of the static total amount of such core data as at the end of the previous year, the NEA shall submit the matter to the relevant departments, which shall organize a risk assessment.

If the 30% threshold is not reached, the provincial energy regulatory authority shall put forward preliminary assessment opinions and submit them to the NEA for assessment.

6. Strengthening technical protection measures

a) General technical requirements: Processors of important data in the energy sector shall comprehensively apply technical measures such as encryption, authorization, authentication, desensitization, verification, and auditing to ensure security during the collection, storage, use, processing, transmission, provision, disclosure, and deletion of important data.

b) Principle of least authorization: Processors of important data in the energy sector shall, in accordance with business needs and the principle of least authorization, set data processing permissions based on job responsibilities, control the scope of access to important data, and promptly adjust permissions when personnel changes occur.

7. Establishment of monitoring, early warning, and emergency response mechanisms

a) Enterprise obligations

Upon discovering data security defects or vulnerabilities, remedial measures shall be taken immediately.

In the event of a data security incident, immediate action shall be taken, users shall be notified in a timely manner in accordance with regulations, and reports shall be made to the provincial energy regulatory authority.

b) Reporting time limits

For major or particularly major energy sector data security risks or incidents that may directly endanger national security, economic operations, social stability, public health and safety, or directly affect political security, the relevant information shall be reported to the NEA within one working day after discovery or awareness, and follow-up reports shall be submitted as required.

c) In addition, in accordance with the Measures for the Administration of Cybersecurity Incident Reporting, which were issued by the Cyberspace Administration of China and took effect on November 1, 2025, network operators that build or operate networks within China, or provide services through networks, shall report cybersecurity incidents accordingly.

For example, in the case of a relatively serious cybersecurity incident (i.e. the leakage of the personal information of more than 1 million citizens, or direct economic losses exceeding RMB 5 million), where critical information infrastructure is involved, the network operator shall report to the competent protection authorities and the public security authorities as early as possible, and in any case within one hour. Other network operators shall promptly report to the provincial-level cyberspace administration of the place where they are located, and in any case within four hours.

Suggestions

The Measures clarify the responsibilities and obligations of data processors in processing energy data. They also set forth specific requirements for the identification and protection of important data and core data in China's energy industry. While the supporting rules on data classification and grading standards and important data catalogues are still pending, we suggest that companies in this sector make full use of the 7-month transition period to prepare for compliance with the requirements set out in the Measures, and in particular consider the actions and steps below:

1. Establish monitoring, early warning, and emergency response mechanisms

Organizations should establish a clear data governance framework, including defined roles, responsibilities, and reporting lines for data security and compliance.

2. Ensure compliance on cross-border data transfer

Conduct a compliance check on cross-border data transfers and ensure that the necessary governmental procedures are completed where they are triggered.

3. Implement data classification and inventory management

All data assets should be identified, classified, and documented in accordance with current industry standards, with regular review and updates.

4. Strengthen technical and organizational safeguards

Appropriate technical and organizational measures, such as encryption, access controls, authentication, logging, and monitoring, should be implemented throughout the data lifecycle.

5. Conduct regular risk assessments

Periodic data security and compliance risk assessments should be conducted to identify vulnerabilities, evaluate potential impacts, and implement corrective actions in a timely manner.

Source: King & Wood Mallesons

Authors:

  • Atticus Zhao, Partner, Corporate & Commercial Group, atticus.zhao@cn.kwm.com; Areas of Practice: M&A, foreign direct investment, corporate restructuring, data and privacy protection
  • Dannie Sima, Associate, Corporate & Commercial Group