The National Energy Administration (NEA) has recently issued the Guide for Data Classification and Grading in the Energy Industry (2026 Edition) (hereafter referred to as the Guide), establishing systematic provisions for classifying and grading non-confidential data in the energy sector. The Guide consists of 4 chapters and 15 articles.
Central to the Guide are the rules for identifying important data and core data. The criteria are based on the degree of harm to national security if the data is leaked or tampered with. Precise geographic coordinates of key energy facilities, real-time control instructions, and power consumption data of a certain scale are all included within the scope of protection. Specifically, raw power consumption data of 10 million or more power users is classified as important data, while that of 100 million or more is classified as core data.
The issuance of the Guide aims to implement the Data Security Law of the People's Republic of China, standardize data processing activities in the energy industry, and, together with the Administrative Measures for Data Security in the Energy Industry (for Trial Implementation), form the basic management framework, with supporting systems to follow.
For entities processing energy industry data, the Guide requires them to assume primary responsibility and carry out the following tasks: identify and compile a directory of important data based on the rules, and submit it to the provincial energy authority where the data carrier is located—resubmission is required within three months if significant changes occur; establish a data security management system covering the full data lifecycle; adopt technical measures and implement systems such as classified network security protection; conduct a risk assessment at least once a year, which may be carried out by a qualified third-party assessor, and submit the report to the provincial energy authority; apply for a risk assessment for cross-border transfer of important data or cross-entity transfer of core data; upon discovering security flaws or vulnerabilities, take immediate remedial measures, and in the event of a data security incident, promptly inform users and report to the provincial energy authority.
An NEA official emphasized that even for data not meeting the threshold of important or core data, processors should still strengthen protection to prevent the illegal use of leaked data through accumulation. Moreover, state secrets, important data stipulated by other industry regulators, and large-scale personal information not covered by the Guide must still comply with relevant laws and regulations. The NEA will continue to revise and improve the Guide in light of national security developments.