On March 22, 2026, the Cyberspace Administration of China (CAC) issued and issued a 2-year summary for the implementation of the Provisions on Promoting and Regulating Cross-border Data Transfer (hereinafter referred to as "the Provisions"). Over this two-year period, the CAC, in collaboration with local governments and relevant departments, has been managing China's cross-border data transfer security according to the Provisions and other relevant laws and regulations. 

The significance of the Provisions is that they clarify the implementation and integration of existing cross-border data transfer systems, including security assessments, standard contracts for exporting personal information, and personal information cross-border transfer certifications, while relaxing conditions for cross-border data transfer and narrowing the scope of security assessments. While ensuring data security and protecting personal information rights, they facilitate cross-border data transfer, reduce compliance costs for businesses, unlock the value of data as a production factor, expand high-standard opening-up, and support the high-quality development of the digital economy.

The summary publicized by the CAC summarized several key activities and achievements for the implementation of the Provisions and the laws and regulations that support their principles and requirements, and the items that are relevant to product manufacturers and service providers are listed as below:

ž   The publication of the Compliance Guidelines for Promoting and Regulating Cross-Border Data in the Financial Industry (issued in April 2025 by the People's Bank of China and other national ministries): It specifies scenarios for cross-border data transfers in the financial industry and provides a detailed list of data items eligible for cross-border flow, offering financial institutions more granular and effective guidance.

ž   The implementation of the Security Guidelines for Cross-Border Transfer of Automotive Data (2026 Edition) (issued in February 2026 by the Ministry of Industry and Information Technology and other national ministries): This document defines management methods, applicable conditions, and exemptions for automotive data transfers, as well as rules for identifying important data in business scenarios such as vehicle manufacturing and connected operations, helping auto companies conduct cross-border data activities efficiently and compliantly.

ž   Establishment of negative list system for cross-border data transfer in pilot free trade zones (FTZs): Nine FTZs (or ports), including Tianjin, Beijing, Hainan, Shanghai, Zhejiang, Guangxi, Jiangsu, Chongqing, and Fujian, have filed negative lists covering 22 sectors such as automotive, retail, civil aviation, reinsurance, deep-sea industries, seed industries, geographic information and meteorology, and corporate credit information. Some multinational companies operating in China have already used the negative list model to conduct cross-border data transfers efficiently.

ž   The issuing of the Application Guidelines for Security Assessment of Cross-Border Data Transfers (Third Edition): It further streamlines the documents businesses need to submit and clarify the conditions, procedures, and materials for applying to extend the validity period of security assessment results.

ž   Pilot programs launched for pre-assessments of cross-border data security: Building on pilot pre-assessments in Beijing, Shanghai, Guangdong, Tianjin, Jiangsu, and Zhejiang, eight additional provincial-level CAC offices have been added as pilot sites, improving assessment efficiency through central-local coordination.

ž   The implementation of the Measures on Cross-border Transfer Certification of Personal Information (formulated and issued in October 2025 by the CAC and the State Administration for Market Regulation): Three organizations have completed the record-filing for certification on personal information cross-border transfer. An online filing system for specialized personal information export certification bodies has been launched, advancing implementation of the certification system.

For foreign stakeholders, it is advised to:

ž   Monitor sector-specific guidance to ensure compliance, such as the Security Guidelines for Cross-Border Transfer of Automotive Data

ž   Leverage the FTZ negative list mechanism: If operating in any of the nine pilot FTZs (e.g., Tianjin, Beijing, Hainan), consider using the negative list model for more efficient cross-border data transfers with lower compliance costs.

ž   Proactively engage with local cross-border data service centers and consult the four published policy Q&A documents for compliance guidance, application support, and the latest policy interpretations.