Clifford Chance

Briefings

The People's Bank of China Data and Cyber Security Measures: Practical Compliance Guide For Financial Institutions

18 June 2025

The People’s Bank of China ("PBOC") released (i) the Regulations on Data Security in PBOC Business Areas (the "PBOC Measures"), which will be effective from 30 June 2025 and (ii) the Measures on Cybersecurity Incident Report in PBOC Business Areas (the "PBOC Incident Reporting Measures", collectively with the PBOC Measures, the "PBOC Rules"), which will be effective from 1 August 2025.

The PBOC Rules implement China's core data protection laws (i.e., the PRC Cybersecurity Law (2017), the PRC Personal Information Protection Law (2021) and the PRC Data Security Law (2021)) within PBOC-supervised sectors. Importantly, these rules set forth clear and actionable requirements on in-scope institutions, with detailed instructions. Given PBOC's central role, these measures will likely serve as a benchmark for broader data/cyber governance regimes in China's financial sector.

This briefing discusses the key compliance obligations under the PBOC Rules and their potential implications for businesses operating under PBOC's supervision.
