China's National Financial Regulatory Administration has released draft measures for public consultation that would set a dedicated cybersecurity management framework for banking institutions, insurance institutions and financial holding companies. The draft is intended to strengthen supervisory oversight of cybersecurity and critical information infrastructure in these sectors and is designed to dovetail with the broader draft financial industry cybersecurity management rules published for consultation on July 3. The draft contains eight chapters and 72 articles covering cybersecurity governance, cybersecurity development and operational management, cybersecurity risk monitoring, incident response and handling, critical information infrastructure management, and supervision. It is framed as an implementation measure for existing higher-level laws and regulations, including the Cybersecurity Law, Data Security Law, Personal Information Protection Law and rules on the protection of critical information infrastructure. It also incorporates supervisory practice from recent years and reflects sector-specific features by emphasizing group-wide unified management, coordination between technology and business functions, and joint governance across the three lines of defense. The framework applies a graded and classified approach, with stricter requirements for critical information infrastructure management. The National Financial Regulatory Administration said it will review feedback, further revise the draft and issue the measures in due course.
China Banking and Insurance Regulatory Commission2026-07-10
China's National Financial Regulatory Administration launches consultation on cybersecurity management rules for banks insurers and financial holding companies
China's National Financial Regulatory Administration is consulting on draft cybersecurity management measures for banking institutions, insurance institutions and financial holding companies. The 72-article draft sets requirements on governance, operations, risk monitoring, incident response and critical information infrastructure, with stricter standards for higher-risk infrastructure. The authority plans to revise the text after consultation and publish final rules later.