On January 30, 2026, eight Chinese ministries and departments, including the Ministry of Industry and Information Technology (the "MIIT"), the Cyberspace Administration of China, the National Development and Reform Commission, the National Data Administration, the Ministry of Public Security, the Ministry of Natural Resources, the Ministry of Transport, and the State Administration for Market Regulation, jointly issued the Guidelines for Security of Automotive Data Cross-border Transfer (2026 Edition) (the "Guidelines"), which entered into force immediately.
In June 2025, the same eight ministries and departments released the Guidelines for Security of Automotive Data Cross-border Transfer (2025 Edition) (Exposure Draft) (the "Draft"). After a further seven months of adjustments and refinements, the formal version has now been issued. In terms of legal hierarchy, the Guidelines constitute an administrative normative document, providing specific implementation requirements for relevant higher-level laws. The most significant highlight of the Guidelines is the systematic categorization of typical application scenarios for automotive data, based on which it lists the criteria for identifying important data in the automotive sector, covering five major scenarios—R&D and design, production and manufacturing, driving automation, software upgrade services, and connected operations. Additionally, the Guidelines propose 27 categories comprising 51 specific data items and their corresponding identification criteria, providing a detailed foundation for the regulation of important data and compliance adherence in the automotive field.
This article will focus on several core provisions of the Guidelines, including the management methods for automotive data cross-border transfer activities, the criteria for identifying important data, the data cross-border transfer process, and the security protection requirements for automotive data cross-border transfer. It will also analyze the relevant compliance requirements and provide corporate response recommendations by comparing the Guidelines with the Draft.
I. Major Changes Compared to the Draft
Compared to the Draft, the Guidelines have not undergone a major overhaul but have refined the scope of application, further aligned with other regulations, and removed the specific implementation steps for the three data cross-border transfer methods. Notably, the Guidelines have added, removed, and optimized data items, item descriptions, and identification criteria for important data.
For instance, data items or their descriptions related to power batteries or battery management have been added in the R&D and design, production and manufacturing, software upgrade services (OTA), and connected operations scenarios. Furthermore, criteria such as "meeting the relevant technical control points in the Catalogue of Technologies Prohibited or Restricted by China from Export" and/or "involving relevant items in the Export Control List of Dual-Use Items of the People's Republic of China" have been added to the identification criteria of the relevant scenarios. For more detailed comparisons of changes, please refer to Part 4 of this article (Criteria for Identifying Important Data).
II. Scope of Application and Definition of Cross-border Transfer Activities
The Guidelines largely adopt the definitions of automotive data and automotive data processors from the Several Provisions on the Management of Automobile Data Security (for Trial Implementation) (the "Automotive Data Provisions"), which came into effect in October 2021. However, the definition of an automotive data processor has been expanded to include individuals, and it is clarified that an automotive data processor is an "organization or individual that autonomously determines the purpose and method of processing". This adjustment aligns closely with the definition of a personal information processor under the Personal Information Protection Law. How the relevant provisions of the Guidelines will apply to entrusted parties who process automotive data on behalf of others remains to be seen. Moreover, compared to the Automotive Data Provisions, the Guidelines have added three types of enterprises to the list of automotive data processors: telecommunications operators, autonomous driving service providers, and platform operators, further supplementing and reflecting relevant service providers in the automotive industry.
The Guidelines further clarify the identification of data cross-border transfer activities, including processing within China, cross-border remote access, and scenarios where extraterritorial effect applies. These provisions are consistent with the identification of data cross-border transfer activities by the national cyberspace authorities in the Guidelines for Declaration of Security Assessment of Cross-border Data Transfer (Second Edition).
III. Management Methods for Automotive Data Cross-border Transfer Activities and Newly Added Exemptions
Regarding the circumstances requiring a security assessment of cross-border data transfer and conclusion of a standard contract, or certification of the cross-border transfer of personal information, the Guidelines are generally consistent with the Provisions on Promoting and Regulating Cross-border Data Flow implemented on March 22, 2024. However, the Guidelines add three additional exemption scenarios specific to the automotive industry:
- Security vulnerability data reported by the automotive data processor to the MIIT in accordance with the requirements of the Provisions on the Management of Security Vulnerabilities in Network Products for the purpose of patching security vulnerabilities.
- Security incident data related to automotive products, connected vehicle platforms, and related systems, reported by the automotive data processor to the MIIT and relevant industry regulatory authorities in accordance with industry cybersecurity and data security incident emergency plans for the purpose of handling security incidents.
- Source code corresponding to OTA upgrade software packages filed by the automotive data processor to the State Administration for Market Regulation in accordance with the Regulation on the Administration of Recall of Defective Auto Products for the purpose of eliminating automobile product defects and implementing recalls.
IV. Criteria for Identifying Important Data
Prior to the issuance of the Guidelines, the identification of important data in the automotive industry primarily relied on the Automotive Data Provisions. Additionally, the recommended national standard GB/T 43697-2024 Data security technology — Rules for data classification and grading and its Appendix G: Guidelines for Identification of Important Data also provided reference for important data identification.
Furthermore, certain free trade zones have defined lists of important data applicable within their jurisdictions for the automotive sector using a "negative list" approach. For example, the Administrative List (Negative List) of the China (Beijing) Pilot Free Trade Zone for Cross-border Data Transfer (2024 Edition) specifically includes a "list of data that needs to pass the security assessment of cross-border data transfer" for the automotive industry, categorizing important data through "data sub-categories" and specifying "basic characteristics and descriptions", thereby implementing a list-based regulatory approach.
The Guidelines provide a detailed subdivision and enumeration of important data across scenarios such as R&D and design, production and manufacturing, driving automation, software upgrade services, and connected operations, from the perspectives of data category, data item, data item description, and identification criteria. This enriches the rules for identifying and determining important data and provides significant content and a foundation for formulating important data catalogs in the automotive industry. However, the identification of important data is not determined solely by the Guidelines themselves; it also involves several other regulations, such as the judgment conditions in China's Catalogue of Technologies Prohibited or Restricted from Export (the "Export Control Technology Catalogue") and the Export Control List of Dual-Use Items of the People's Republic of China (the "Dual-Use Item List"), which together determine what ultimately counts as important data in the automotive field.
The following will analyze the criteria for identifying important data under each scenario in the Guidelines, clarifying the specific scope of important data in conjunction with its associated regulations.
1. R&D and Design
In the "product R&D" scenario, the Guidelines stipulate that relevant data items "supported by national major special projects or national key R&D programs" constitute important data.
Furthermore, the Guidelines add two new identification criteria: "meeting the relevant technical control points in the Export Control Technology Catalogue" and "involving relevant items in the Dual-Use Item List," extending the requirements of technology export control and item export control to the field of security assessment of data cross-border transfer.
The Guidelines also stipulate that relevant data items that "after aggregation and analysis, can be used to infer confidential or sensitive geographic information data" are subject to important data management. The specific scope of "confidential or sensitive geographic information data" involves regulations such as the Provisions on the Scope of State Secrets Involved in the Administration of Surveying, Mapping and Geoinformation, the Specifications for the Representation of Content on Public Maps, and the Notice by the Ministry of Natural Resources Regarding Strengthening the Security Management of Mapping and Geographic Information Concerning Intelligent Connected Vehicles.
In the product testing scenario, one noteworthy criterion for important data is "involving data collected from over 100,000 vehicles operating within China". The Automotive Data Provisions state that "personal information involving over 100,000 individuals" constitutes important data. The Guidelines adjust this from 100,000 individuals to 100,000 vehicles, which seems more reasonable and avoids inconsistency with the threshold of "cumulatively providing personal information of over one million individuals to overseas recipients" triggering a security assessment under the Provisions on Promoting and Regulating Cross-border Data Flow. The Guidelines use "over 100,000 vehicles operating within China" as a criterion for constituting important data in the driving automation, connected operations, and connected vehicle platform operation scenarios.
2. Production and Manufacturing
In the production and manufacturing scenario, the important data identification criteria stipulated in the Guidelines are consistent with those in the "product R&D scenario", both determined based on "supported by national major special projects or national key R&D programs", the Export Control Technology Catalogue and the Dual-Use Item List.
3. Driving Automation
In the driving automation scenario, the Guidelines identify important data from three major categories: driving automation algorithm data, driving automation algorithm training data, and driving automation algorithm feature data. For "driving automation algorithm data", it is noteworthy that the identification criteria of important data include "achievements related to connected vehicle network, data security or driving automation function that have received provincial/ministerial level or above awards" or "may have an impact on national technological security, and industry competitiveness, etc."
4. Software Upgrade Services (OTA)
In the software upgrade services (OTA) scenario, the identification criteria for important data require that the relevant data items simultaneously satisfy three conditions to potentially be identified as important data:
- involves upgrading vehicles operating within China;
- involves vehicle remote control functions, excluding control functions implemented via near-field communication methods[1];
- involves functions such as vehicle start/operation, power loss, emergency braking, cruise control, lane keeping, charge/discharge control, and battery temperature control.
5. Connected Operations Scenario
a) Vehicle Data
In the vehicle data scenario, for data such as Vehicle Identification Number (VIN) and connected vehicle card identifier, vehicle keys, vehicle digital certificates, and control commands, the Guidelines establish four different important data identification criteria.
For VIN and connected vehicle card identifier data, the important data threshold is set at a quantity "capable of identifying the personal identity of cumulatively over one million individuals", which aligns with the cross-border security assessment threshold established in the Provisions on Promoting and Regulating Cross-border Data Flow.
It is noteworthy that regarding the long-standing question in the automotive industry of whether VIN constitutes personal information, the Guidelines do not explicitly clarify this issue. However, the Guidelines state in the identification criteria for VIN: "from January 1st of the current year, providing abroad in combination with other cross-border information that can identify the personal identity of cumulatively over one million individuals", which seems to emphasize its "identifiability" as a criterion for important data.
For vehicle keys and vehicle digital certificates, the threshold is set at "100,000 or more vehicles operating within China". For control commands, any data involving vehicles operating within China constitutes important data.
b) Vehicle-Road Perception
In the vehicle-road perception scenario, the important data identification criteria are largely consistent with the nine rules under the "product testing" section, involving further refinement of item "(2) data reflecting economic operation such as vehicle flow and logistics" under Article 3 of the Automotive Data Provisions. For example, the Guidelines specify, using a "30-day" timeframe, that data "involving vehicle flow, pedestrian flow, logistics, etc., on roads reflecting the economic operation of prefecture-level or higher administrative regions" constitutes important data.
Compared to the Draft, the Guidelines add a footnote clarifying that "location trajectory data, autonomous driving map data, mapping-type data, and other geographic information data containing spatial coordinate information should all be data processed using nationally recognized geographic information confidentiality processing technologies". This aligns with relevant national regulations on confidential geographic information processing technologies.
c) Vehicle-Road Analysis
In the vehicle-road analysis scenario, "covering at least a single complete intersection, with a time span exceeding one month" is set as one of the conditions for the important data identification criteria. Using a "one-month" time span quantifies the identification criteria for data items such as traffic flow indicator data. This is a refinement of item "(2) data reflecting economic operation such as vehicle flow and logistics" under Article 3 of the Automotive Data Provisions.
d) Connected Vehicle Platform Operation
In the connected vehicle platform operation scenario, the Guidelines categorize data into three types: network planning data, charging operation data, and security assurance data. Regarding network planning data, the primary factor for important data identification is the number of vehicles, with "serving one million or more" as the threshold; if OTA services are provided, this number is reduced to "500,000".
Regarding charging operation data, the Guidelines specify three identification criteria: "involving militarily managed zones, national defense science, technology, and industry units, and important sensitive areas such as party and government organs at the county level or above," "involving data collected from over 100,000 vehicles operating within China," and "cumulatively providing abroad from January 1st of the current year for over one million individuals". This refines the identification standards for important data in the Automotive Data Provisions.
V. Key Requirements in the Data Cross-border Transfer Process
The Guidelines stipulate that automotive data processors need to identify automotive data requiring declaration for cross-border security assessment, conclusion of a personal information cross-border standard contract, or personal information cross-border protection certification based on the filing of the important data catalog and in accordance with the Guidelines.
The "important data catalog filing" in the automotive field primarily relies on the relevant provisions of the Measures for the Administration of Data Security in the Industrial and Information Technology Sectors (for Trial Implementation), which require data processors to file their internal catalogs of important data and core data with the local industry regulatory authorities. The filing content includes, but is not limited to, basic information such as data source, category, level, scale, medium, processing purpose and method, scope of use, responsible entity, external sharing, cross-border transfer, and security protection measures, but does not include the data content itself.
Regarding the cross-border security assessment, the Guidelines state, "Automotive data processors shall apply for the data cross-border security assessment through a legal entity established within China. If there is no legal entity within China, it shall be applied for by a branch within China". In scenarios where extraterritorial effect applies, how the representative offices within China of overseas automotive data processors will conduct filings requires further observation. The Guidelines also emphasize, "If multiple subsidiaries belong to the same group company (parent company) and the data cross-border transfer scenarios are similar, the group company (parent company) may act as the applicant for a consolidated declaration. It is not permitted to split quantities or use other methods to transfer data that should undergo a security assessment abroad through means such as concluding standard contracts". Consolidated application is consistent with existing practice.
VI. Security Protection Requirements for Automotive Data Cross-border Transfer
The Guidelines specify detailed requirements for the security protection of automotive data cross-border transfer from four aspects: management requirements, technical protection requirements, log requirements, and emergency response requirements.
Regarding management requirements, the Guidelines provide detailed provisions from the aspects of departmental requirements, personnel requirements, system requirements, and approval requirements.
Regarding technical protection requirements, the Guidelines specify concrete requirements from three aspects: security of data cross-border transfer, security monitoring of data cross-border transfer, and support for inspections.
Regarding log requirements, the Guidelines stipulate provisions for log recording, log retention, and log auditing. They clarify the content of logs, the retention period (3 years), and the requirement to audit relevant logs.
Regarding emergency response requirements, the Guidelines require automotive data processors to establish the capability to handle unauthorized automotive data cross-border transfers, promptly respond when abnormal behavior is detected, and report to the local industry regulatory authorities in accordance with relevant requirements. These requirements further clarify the reporting obligations stipulated in documents such as the Emergency Plan for Public Internet Network Security Incidents and the Emergency Plan for Data Security Incidents in the Industrial and Information Technology Sectors (for Trial Implementation).
VII. Compliance Recommendations
The Guidelines clarify the applicable conditions for the three management methods involved in automotive data cross-border transfer: security assessment, conclusion of a personal information cross-border standard contract, or certification for personal information cross-border transfer. For the first time, the Guidelines systematically categorize and formulate "panoramic" important data identification criteria for typical business scenarios in the automotive industry such as R&D and design, production and manufacturing, driving automation, software upgrade services, and connected operations, providing important content for the identification and cataloging of important data in the automotive industry.
The Guidelines also regulate automotive data cross-border transfer activities around the identification and filing of important data, the determination and implementation of management methods for data cross-border transfer activities, and specify security protection requirements for automotive data cross-border transfer from four aspects: management systems, technical protection, log management, and emergency response.
For relevant companies in the automotive industry, it is recommended to take the following actions as soon as possible:
- Conduct a systematic inventory of automotive data within the company’s systems, and identify important data based on the business scenarios and data items specified in the Guidelines, combined with the important data identification criteria. Automotive data processors (such as automobile manufacturers, component and software suppliers, telecommunications operators, autonomous driving service providers, platform operators, dealers, maintenance institutions, and mobility service enterprises) should conduct a comprehensive review of their respective business scenarios to determine whether they trigger or involve important data.
- In cases where important data is identified, prepare for the filing of the important data catalog. As an overall preliminary procedure in the automotive data cross-border transfer process, companies should allocate time to carry out the important data catalog filing work in a timely manner.
- Analyze the necessity of cross-border transfer of important data and, considering the overall business situation, delineate the scope of important data that must be transferred abroad.
- Based on the identification results of important data and the necessity of cross-border transfer, apply for a cross-border security assessment, or assess whether the scope of data already covered by a security assessment application includes the relevant important data or whether a further application is required.
- If an automotive data processor is involved in security vulnerability patching, security incident handling, or eliminating automobile product defects and implementing OTA upgrades for recalls that are exempt from cross-border application, it must first report or file with departments such as MIIT and the State Administration for Market Regulation.
While identifying important data, companies should also pay attention to the general security protection requirements for automotive data cross-border transfer explicitly stipulated in the Guidelines, improving corporate systems and technical security requirements from management and technical protection aspects to mitigate risks related to data cross-border transfer.
Footnote:
[1] Near Field Communication (NFC) refers to the communication mode of the Near Field Communication Interface and Protocol 1 (NFCIP-1) that connects computer peripherals using inductively coupled devices at a center frequency of 13.56 MHz (ISO/IEC 18092:2023).
Source: KING & WOOD MALLESONS LAW FIRM
Authors:
- Atticus Zhao, Partner, Corporate & Commercial Group, atticus.zhao@cn.kwm.com, Areas of Practice: M&A, foreign direct investment, corporate restructuring, data and privacy protection
- Dannie Sima, Associate, Corporate & Commercial Group
- Hongyu Xu, Associate, Corporate & Commercial Group
- Thanks to intern Zhang Jingyi for her contribution to this article.

