National Energy Administration: The information network that stores and processes important data in the energy industry should implement the protection requirements of level three or above network security.
On December 12th, the National Energy Administration issued a notice on the issuance of the "Energy Industry Data Security Management Measures (Trial)": It mentioned that for energy industry data processing activities conducted using the internet and other information networks, the requirements of network security level protection, protection of critical information infrastructure security, password protection, and confidentiality system should be implemented. Information networks that store and process important energy industry data should adhere to level three and above network security level protection requirements. Information networks that store and process core energy industry data, if involving critical information infrastructure, should implement critical information infrastructure security protection requirements on the basis of the network security level protection system; if not involving critical information infrastructure, they should implement level four network security level protection requirements.
The original text is as follows:
Notice from the National Energy Administration on the Issuance of the "Energy Industry Data Security Management Measures (Trial)" (Guonengfa Planning Rules [2025] No. 108)
To all relevant units:
In order to implement the "People's Republic of China Data Security Law" and other laws and regulations, our administration has formulated the "Energy Industry Data Security Management Measures (Trial)", which is hereby issued and implemented from July 1, 2026.
National Energy Administration
December 8, 2025
Energy Industry Data Security Management Measures (Trial)
Chapter I General Provisions
Article 1 In order to regulate energy industry data processing activities, strengthen data security management, prevent data security risks, promote data development and utilization, protect the legitimate rights and interests of individuals and organizations, safeguard national security and development interests, and in accordance with the "People's Republic of China Data Security Law", "People's Republic of China Cybersecurity Law", "People's Republic of China Energy Law", "People's Republic of China Personal Information Protection Law", "Regulations on Network Data Security Management" and other laws and regulations, these measures are formulated.
Article 2 These measures apply to energy industry data processing activities conducted within the territory of the People's Republic of China and their security supervision and management.
When energy data processors engage in energy industry data processing activities involving state secrets or matters that become state secrets after being aggregated, they should comply with the provisions of laws and administrative regulations such as the "People's Republic of China Law on Guarding State Secrets".
Article 3 The term "data" as used in these measures refers to any record of information by electronic or other means.
The term "energy industry data" as used in these measures refers to data collected and generated in the course of energy activities. Energy activities mainly include planning, design, construction, production, storage, transportation, consumption, scientific research, etc. For data related to activities such as urban gas, heating, gas stations, and other energy-related activities, the regulations of the relevant competent authorities should be followed.
The term "energy data processor" as used in these measures refers to various units in the energy industry engaged in energy industry data processing activities. Energy industry data processing activities include the collection, storage, use, processing, transmission, provision, public disclosure, deletion, etc. of energy industry data.
The term "data security" as used in these measures refers to ensuring that energy industry data is effectively protected and legally used through necessary measures, as well as having the capability to maintain a continuous state of security.
Article 4 According to the importance, accuracy, scale, and security risks of the data, energy industry data is classified into three levels: general, important, and core.
Important energy industry data refers to data in specific areas, for specific groups, specific regions, or data in the energy industry that reaches a certain level of accuracy and scale. If leaked or tampered with, this data could directly harm national security, economic operations, social stability, public health, and safety. Data that only affects the organization itself or individual citizens is generally not considered as important energy industry data.
Core energy industry data refers to important energy industry data with a high coverage in fields, groups, regions, high accuracy, large scale, and a certain depth. If used or shared illegally, this data could directly impact political security. This includes data related to national security key areas, the economic lifeline, important livelihoods, and significant public interests as determined through assessment, along with other energy industry data.
General energy industry data refers to energy industry data that is not classified as important or core energy industry data.
Article 5 Energy data processors are encouraged to actively promote innovative applications of energy industry data while ensuring security and compliance, to promote the development and utilization of data.
Chapter II Basic Responsibilities for Energy Industry Data Security
Article 6 Under the overall coordination of the national data security working mechanism, the National Energy Administration is responsible for the supervision and management of energy industry data security, guiding and supervising the energy competent departments of provinces, autonomous regions, municipalities directly under the central government, and Xinjiang Production and Construction Corps (referred to as provincial-level energy competent departments) to carry out data security supervision and management in their respective regions. The State-owned Assets Supervision and Administration Commission-administered energy enterprises (referred to as central energy enterprises) and national energy industry associations guided and supervised by the National Energy Administration shall fulfill their responsibilities as energy data processors in accordance with the law and regulations, organize the development and issuance of energy industry data classification and rating standards, review and confirm the directory of important energy industry data, propose core data directory suggestions to relevant departments, implement dynamic management, and enhance the construction of energy industry data security monitoring, warning, and emergency response capabilities.
Article 7 The provincial-level energy competent departments are responsible for supervising and managing energy industry data processing activities and security protection in their regions, guiding and supervising energy data processors in their regions (including subsidiary companies and holding companies of central energy enterprises in their regions) to fulfill their responsibilities as energy data processors in accordance with the law and regulations, compiling and annually updating the directory of important energy industry data in their regions, conducting monitoring, warning, information reporting, drafting emergency plans, and carrying out emergency response work related to energy industry data security.
Article 8 Energy data processors should fulfill their data security protection responsibilities in accordance with the law and regulations. The processors of important energy industry data and core energy industry data are responsible for the security of their own data and should clarify the data security personnel and management organization; the legal representative or the main person in charge of the unit is the first person responsible for data security, and the leader in charge of data security is directly responsible. Central energy enterprises are responsible for supervising and managing the data processing activities and security protection of their subsidiary companies and holding companies.
Article 9 Energy data processors should identify and compile the directory of important energy industry data in their unit in accordance with the energy industry data classification and rating standards, and submit the important data directory as required by the provincial-level energy competent department where the data is located. The directory of important energy industry data compiled by subsidiary companies and holding companies of central energy enterprises should be submitted to the provincial-level energy competent department where the data is located and the headquarters of the central energy enterprise as required.
The content of the important data directory submission includes but is not limited to data categories, levels, scale, accuracy, sources, carriers, scope of application, external sharing, cross-border transmission, security situation, and responsible units, among other data field information. It does not include the actual data content.
Article 10 The provincial-level energy competent departments and central energy enterprises are responsible for summarizing and reviewing the directory of important energy industry data in their regions and enterprises, respectively, and submitting it to the National Energy Administration. Once data is confirmed as important or core energy industry data according to the procedures, the provincial-level energy competent departments and central energy enterprises should promptly inform the energy data processors.
Article 11 After submitting the important data directory, if there are significant changes in the level of important data, responsible entity conditions, data processing status, or data security status, energy data processors should re-submit the important data directory according to the procedure within three months.
Chapter III Energy Industry Data Protection Requirements
Article 12 When conducting data processing activities, energy data processors should establish sound data security management systems, clarify the management requirements for each link in the data lifecycle, and regularly organize energy industry data security knowledge and skills education and training. Processors of important energy industry data and core energy industry data should establish a data security system, strengthen personnel and funding support, and cooperate with relevant departments to conduct supervision and inspection.
Article 13 When conducting energy industry data processing activities using the internet and other information networks, the requirements of network security level protection, protection of critical information infrastructure security, password protection, and confidentiality system should be implemented.
Information networks that store and process important energy industry data should implement level three and above network security level protection requirements.
Information networks that store and process core energy industry data, if involving critical information infrastructure, should implement critical information infrastructure security protection requirements on the basis of the network security level protection system. If not involving critical information infrastructure, they should implement level four network security level protection requirements.
If the use of commercial passwords for protection is required by laws, regulations, and relevant national provisions, the relevant rules for commercial password protection should also be followed.
Article 14 Processors of important energy industry data should conduct risk assessments at least once a year on their data processing activities, either independently or by entrusting a third-party assessment organization with risk assessment capabilities. They should promptly rectify any identified risks and submit a risk assessment report to the provincial-level energy competent department as required. The provincial-level energy competent departments and central energy enterprises should submit summaries of the data security risk assessment in their regions and enterprises to the National Energy Administration annually.
The risk assessment report should accurately and clearly describe the main content of the assessment activity, including but not limited to basic information about the data processor, the assessment team, the situation of data processing activities and compliance evaluation, the types and quantity of important energy industry data processed, the data security risks faced and their responses, risk assessment conclusions, and improvement suggestions among other key elements.
Article 15 Risk assessments for energy industry data security should focus on the following:
Identification and assessment of basic information, safety status, and risk analysis of important energy industry and core data;
Whether data processing activities are legal, legitimate, and necessary;
The situation of data security personnel, management organization, job positions, and responsibilities;
The establishment and implementation of a full-process data security management system and guarantee mechanism;
Management of personnel involved in data processing activities and education and training situation;
Implementation of the national data classification and protection system, as well as compliance with the protection requirements for important and core energy industry data;
Data security technology protection capabilities and application situation;
Past data security incidents and responses, as well as the implementation of data security risk monitoring and warning work;
In cases of data sharing, transmission, entrusted processing, or joint processing, assessment of the security capabilities, responsibility constraints, and compliance of the data recipient;
Other relevant data security-related information.
Article 16 Processors of important energy industry data should use encryption, authentication, desensitization, validation, auditing, as well as other technical means for security protection at all stages of data collection, storage, use, processing, transmission, provision, public disclosure, and deletion.
Article 17 Processors of important energy industry data should establish data processing permissions based on business needs and the principle of least privilege, defining data processing permissions based on job responsibilities to control the scope of access to important data. When there are personnel changes, permissions should be adjusted in a timely manner.
Article 18 Processors of important energy industry data should strengthen security control of data sharing and access, regularly monitor data sharing and access with technical measures, and put in place security protection measures such as risk isolation, authentication, and threat alerts.
Article 19 When entrusting others to process or jointly process important energy industry data, the entrusting party should inform the entrusted party of the data level in advance, and the data security responsibility shall not change due to the entrustment. The entrusting party should rigorously approve and define the data processing permissions and protection obligations of the entrusted party, supervise the entrusted party to fulfill the data security protection obligations according to laws, regulations, and contract agreements, and shall not retain, use, disclose or provide important energy industry data to others without authorization.
For the use of cloud computing services to process important energy industry data, cloud computing services that have undergone a security assessment may be selected and must comply with the relevant requirements of these measures.
Article 20 Without the approval of the entrusting party, information system construction and operation projects involving important energy industry data shall not be subcontracted.
Without the explicit authorization of the entrusting party, personnel involved in the construction and operation of information systems handling important energy industry data are not allowed to process important data of the entrusting party.
Data collected or generated during the information system construction and operation processes involving important data should not be used for other purposes, and should be handled or deleted promptly after the service is completed according to agreements with the entrusting party.
Article 21 Processors of important energy industry data should keep logs needed for data security maintenance, whereby logs related to security incident response and tracing shall be retained for no less than one year. Logs related to providing data to others, entrusting data processing, or jointly processing important energy industry data should be retained for no less than three years.
During the organization's data security risk assessment, processors should conduct auditing analysis on the key operations of data queries, downloads, modifications, deletions, etc., and take appropriate measures if any violations or abnormal behaviors are discovered.
Article 22 Processors of important energy industry data who need to transfer or destroy important energy industry data due to reasons such as mergers, separations, dissolution, bankruptcy declaration, etc., should take necessary security protection measures and report the data disposal plan to the provincial-level energy competent department in advance. If changes to the important data directory occur, they should promptly report to the provincial-level energy competent department where the data is located.
Article 23 For important energy industry data collected and generated in China that need to be provided overseas, energy data processors should declare data export security assessments in accordance with laws and regulations.
Article 24 Processors of core energy industry data, when providing, transferring, or sharing core data across different legal entities, should take necessary security protection measures and inform the data recipient to classify and protect the data according to the corresponding level. From January 1st of the current year, if the static total amount of core data may cumulatively reach 30% or more of the total core data as of the end of the previous year, the National Energy Administration should organize a risk assessment, while the provincial-level energy competent department should provide preliminary assessment opinions and report to the National Energy Administration if it has not reached 30%. This excludes core data related to the lawful duties of state agencies, internal movements of state agencies, or enterprise internal flows.
Article 25 Processors of core energy industry data can strengthen the protection of core energy industry data through the following measures, on top of the protection requirements for important energy industry data:
Prioritize the use of commercial passwords for protection;
Prioritize the use of secure and trustworthy products and services;
Prioritize the use of third-party assessment organizations to conduct risk assessments;
Logs related to security incident response and tracing shall be retained for no less than three years;
Key personnel, units involved in core data information system construction and maintenance, among others, should submit to public security organs and national security organs a national security background check in accordance with laws and regulations.
Article 26 If different categories or levels of data are being processed and it is difficult to implement protection measures separately, the highest level requirements should be implemented to ensure that the overall dataset is continuously in a state of effective protection and legal use.
Chapter IV Energy Industry Data Security Monitoring, Warning, and Emergency Response
Article 27 The provincial-level energy competent departments and central energy enterprises should strengthen the construction of energy industry data security monitoring, warning, and emergency response capabilities in their respective regions and enterprises, instruct data processors in their regions and the subsidiary companies and holding companies of central energy enterprises to perform risk monitoring, event response, reporting, and other work, enhance research and evaluation of energy industry data security risks from new technologies and applications, and strengthen monitoring capabilities for data aggregation and associations that may lead to energy industry data security risks through public channels.
Article 28 When energy data processors identify security vulnerabilities, loopholes, or other risks, they should immediately take remedial measures. In the event of a data security incident, they should take immediate action, inform relevant users according to regulations, and report to the provincial-level energy competent department and central energy enterprises at the same time, among other required procedures.
The content of risk monitoring and warning should include: basic information about the risk, potential harm and severity, evolution of the risk, potential impact range, countermeasures, and other relevant information that should be reported.
The content of the event report should include: time of the event, brief description, harm and impact, measures taken, next steps, and other relevant information that should be reported.
Article 29 In the event of an energy industry data security incident in their region or enterprise, the provincial-level energy competent departments and central energy enterprises should, according to the severity of the incident, activate the emergency plan according to the law, take corresponding emergency response measures, prevent further harm, eliminate security risks, and promptly release warning information related to the incident to the public.
Article 30 In the event that the provincial-level energy competent departments and central energy enterprises discover major or particularly significant energy industry data security risks or incidents that could directly harm national security, economic operations, social stability, public health, safety, or directly affect political security, they should report the situation to the National Energy Administration within one business day after discovery or obtaining the information, and continue to provide updates as required. In emergencies, they may report promptly through telephone contact and submit a written report afterward. The National Energy Administration is responsible for reporting to relevant departments according to the regulations.
Article 31 After completing significant or particularly significant emergency response work for energy industry data security, the provincial-level energy competent departments and central energy enterprises should summarize and distill their experiences within three business days to create a situation report and within ten business days to create a summary report, which should be submitted to the National Energy Administration. The National Energy Administration is responsible for submitting a summary report to relevant departments according to the regulations.
Chapter V Supervision, Inspection, and Legal Responsibilities
Article 32 The National Energy Administration and provincial-level energy competent departments should conduct supervision and inspection of energy industry data security work according to the relevant provisions of the "Regulations on Network Data Security Management."
Article 33 In fulfilling their responsibilities for data security supervision and management, the National Energy Administration and provincial-level energy competent departments may conduct interviews with relevant energy data processors to request corrective measures, identify and rectify hazards when significant security risks are found in data processing activities, and promptly transfer issues or leads to relevant competent authorities.
Article 34 Violations of these measures should be dealt with according to laws and regulations such as the "People's Republic of China Data Security Law", "People's Republic of China Cybersecurity Law", "People's Republic of China Personal Information Protection Law", "Regulations on Network Data Security Management," among others; if constituting a crime, refer to judicial authorities for criminal responsibility.
Chapter VI Supplementary Provisions
Article 35 When conducting data processing activities involving personal information, relevant laws and regulations should be followed.
Article 36 These measures are to be interpreted by the National Energy Administration.
Article 37 These measures shall be implemented from July 1, 2026, and shall be valid for 5 years.
The above information is compiled from the National Energy Administration, edited by GMTEight: Chen Wenfang.