Key Points
- Six Chinese regulatory bodies, including the Cyberspace Administration of China (CAC) and the People’s Bank of China, released the “Guidelines for Data Classification and Hierarchy of Financial Information Services,” establishing a comprehensive framework for financial data.
- The Guidelines classify financial data into three main categories (Business, User, Enterprise), branching into 9 secondary and 67 tertiary categories, and grade it into a four-tier hierarchy of sensitivity (Core, Important, Sensitive General, Regular General Data) based on national standard GB/T 43697-2024.
- All financial information service providers in the People’s Republic of China must comply, and they are required to report “Important Data” to authorities as part of a six-step implementation process.
- The “Sensitive General Data” category is intentionally broad for financial data like macroeconomic indicators, highlighting regulators’ concern for market stability and social order.
- This initiative is part of China’s broader effort to build a systematic and centralized data governance infrastructure, indicating a mature regulatory approach with practical tools and enforcement mechanisms.
Six major Chinese regulatory bodies just dropped a comprehensive framework for how financial information services should classify and manage data.
We’re talking about the Cyberspace Administration of China (CAC) (Guojia Hulianwang Xinxi Bangongshi 国家互联网信息办公室), the People’s Bank of China (Zhongguo Renmin Yinhang 中国人民银行), the National Financial Regulatory Administration (Guojia Jinrong Jiandu Guanli Zongju 国家金融监督管理总局), the China Securities Regulatory Commission (Zhongguo Zhengquan Jiandu Guanli Weiyuanhui 中国证券监督管理委员会), the National Bureau of Statistics (Guojia Tongjiju 国家统计局), and the State Administration of Foreign Exchange (Guojia Waihui Guanliju 国家外汇管理局).
Together, they released the “Guidelines for Data Classification and Hierarchy of Financial Information Services.”
If you’re building in fintech, investing in Chinese financial tech companies, or just trying to understand how Beijing thinks about data governance, this is worth your time.
—
Breaking Down the Data Classification Framework
Here’s the deal: the Guidelines organize financial information service data into a clear three-tier structure.
At the top level, you’ve got three main categories:
- Business data
- User data
- Enterprise data
These branch out into 9 secondary categories and expand further into 67 tertiary categories.
Think of it like a filing system on steroids.
Every type of data a financial information service collects now has a designated home in this taxonomy.
This matters because standardization is the first step toward enforcement.
—
The Four-Tier Hierarchy: How Data Gets Ranked
Beyond just classifying what data is, the Guidelines also rank how sensitive it is.
The framework references the national standard GB/T 43697-2024 “Data Security Technology—Data Classification and Grading Rules.”
Data gets evaluated based on:
- Its importance to economic and social development
- The potential damage if it leaks, gets tampered with, destroyed, or illegally accessed
- Impact on national security, economic operations, social order, public interest, and individual rights
This assessment creates four hierarchical levels, ranked from most to least sensitive:
- Core Data — The crown jewels. Maximum protection required.
- Important Data — High sensitivity. Significant impact if compromised.
- Sensitive General Data — Moderate-to-high sensitivity. Could still cause market or social ripples.
- Regular General Data — Lower sensitivity. Standard protection protocols apply.
Here’s what’s interesting: even “general” financial data gets the Sensitive General Data label in many cases.
Why?
Because financial information services deal with macroeconomic indicators, agricultural data (Nong Lin Mu Yu 农林牧渔), and other metrics that directly impact market stability and social order.
That’s not “general” in the traditional sense.
—
Find Top Talent on China's Leading Networks
- Post Across China's Job Sites from $299 / role
- Qualified Applicant Bundles
- One Central Candidate Hub
Your First Job Post Use Checkout Code 'Fresh20'
Why This Matters: The Real-World Impact
This isn’t just bureaucratic red tape.
Financial information services in China operate in a space where data flows constantly.
You’ve got increasing data volumes, frequent data flows, and growing complexity in how financial data gets processed and shared.
Without standardized classification and protection frameworks, you get chaos.
With chaos comes risk — not just security risk, but regulatory risk for the companies involved.
The Guidelines provide systematic, targeted, and operable instructions that companies can actually implement.
They’re anchored in existing Chinese law: the “Data Security Law of the People’s Republic of China” and the “Regulations on Network Data Security Management.”
—
ExpatInvest China
Grow Your RMB in China:
- Invest Your RMB Locally
- Buy & Sell Online in CN¥
- No Lock-In Periods
- English Service & Data
- Start with Only ¥1,000
How Companies Actually Implement This: The Six-Step Process
- Phase 1: Sorting – Comprehensive inventory of data resources.
- Phase 2: Classification – Mapping data to the 67 specific sub-categories.
- Phase 3: Grading – Determining the security level based on impact assessments.
- Phase 4: Documentation – Establishing internal classification and grading catalogs.
- Phase 5: Reporting – Submitting reports on designated “Important Data” to regulators.
- Phase 6: Updates – Continual dynamic adjustment of the list as services change.
The Guidelines don’t just throw companies a framework and wish them luck.
They include a concrete, step-by-step implementation process:
- Data resource sorting — Inventory all the data you have.
- Data classification — Assign each data set to one of the 67 tertiary categories.
- Data grading — Rank it on the four-tier sensitivity scale.
- Formation of a data classification and grading list — Document your framework internally.
- Reporting the catalog of Important Data — Submit your “Important Data” to relevant authorities.
- Dynamic update management — Keep everything current as your business evolves.
The document even includes Appendix A with descriptions and examples for all 67 categories.
That’s the scaffolding companies need to actually get this done.
—
Resume Captain
Your AI Career Toolkit:
- AI Resume Optimization
- Custom Cover Letters
- LinkedIn Profile Boost
- Interview Question Prep
- Salary Negotiation Agent
Key Takeaways From the Official Q&A
After the Guidelines dropped, officials from the CAC fielded questions about implementation.
Here’s what investors and builders should extract from that:
1. This Applies to Everyone Doing Financial Information Services in China
The Guidelines apply to all financial information service providers operating within the People’s Republic of China.
The one carve-out: data involving state secrets or military data is excluded from these Guidelines (it has different handling).
But if you’re processing anything else in the financial information space, you need to comply.
2. The “Sensitive General Data” Category Is Intentional
Officials were explicit about why they created this middle-tier category.
Financial data that looks “general” often impacts market stability and social order if leaked.
Macroeconomic indicators, agricultural data, trade statistics — this stuff matters at scale.
So the regulators deliberately set the bar higher for financial services than you might expect.
3. “Important Data” Must Be Reported
This is a critical enforcement mechanism.
Companies don’t just classify their own data internally — they have to report which data they’ve designated as “Important Data” to authorities.
This creates accountability and visibility.
4. Implementation Support Is Coming
The CAC said it will work with relevant departments to promote implementation through publicity, training, and guidance.
That means more resources, workshops, and technical assistance are coming.
The regulators aren’t just dropping guidelines and disappearing — they’re actually trying to help companies succeed.
—
What This Signals About China’s Data Governance Direction
This isn’t an isolated move.
It’s part of a larger pattern where Beijing is systematically building out data governance infrastructure.
You’re seeing:
- Standardized frameworks for different sectors (national standards like GB/T 43697-2024)
- Centralized oversight from multiple regulatory bodies working in coordination
- Practical implementation tools (67 categories, clear processes, examples)
- Enforcement mechanisms (mandatory reporting of Important Data)
This looks like mature regulatory thinking.
It’s not heavy-handed; it’s organized.
—
The Bottom Line on Financial Data Classification Guidelines
If you’re building a fintech company in China, you need to understand this framework now, not later.
If you’re investing in Chinese financial tech, this is part of your compliance due diligence.
If you’re working in data security or governance, this is how your government clients will expect you to operate.
The Guidelines for Data Classification and Hierarchy of Financial Information Services aren’t optional.
They’re the new baseline for how financial information services handle data in China.
—
References
- Securities Times (Zhengquan Shibao 证券时报)
- Official Website of the Cyberspace Administration of China (Guojia Hulianwang Xinxi Bangongshi 国家互联网信息办公室)
- People’s Bank of China (Zhongguo Renmin Yinhang 中国人民银行) Regulatory Updates
- Data Security Technology—Data Classification and Grading Rules (GB/T 43697-2024) – State Council of China
