Navigate China's mandatory security assessment for cross-border data transfers. Understand triggers, thresholds, the application process, and realistic timeline expectations.
The CAC (Cyberspace Administration of China) Security Assessment is a mandatory government review process for certain cross-border data transfers from China. Introduced under the Measures for Security Assessment of Outbound Data Transfers (effective September 1, 2022), it represents the most stringent mechanism for legally transferring personal information and "important data" outside China.
Unlike the other two mechanisms (Standard Contractual Clauses and certification), CAC security assessment is a government approval process—meaning you need explicit regulatory sign-off before transferring data.
For companies operating in China with global data flows, CAC assessment can be:
CAC security assessment is required when any of the following conditions apply:
Critical Information Infrastructure Operators (CIIOs) are operators in key sectors whose disruption could impact national security, the economy, or public welfare:
| Sector | Examples |
|---|---|
| Public Communications | Telecom operators, internet service providers |
| Information Services | Major platforms, cloud service providers |
| Energy | Power grid, oil & gas, nuclear facilities |
| Transportation | Railways, aviation, ports, public transit |
| Water & Utilities | Water supply, sewage treatment |
| Finance | Banks, securities, insurance companies |
| Public Services | Healthcare, education, social security |
| E-Government | Government service platforms |
| Defense | Defense industry suppliers |
"Important data" (重要数据) is a critical concept that extends beyond personal information:
| Threshold | Required Mechanism | Government Approval? |
|---|---|---|
| CIIO (any volume) | CAC Security Assessment | Yes - mandatory approval |
| 1M+ personal info subjects processed | CAC Security Assessment | Yes - mandatory approval |
| 100K+ personal info subjects transferred abroad (cumulative since Jan 1) | CAC Security Assessment | Yes - mandatory approval |
| 10K+ sensitive info subjects transferred abroad (cumulative since Jan 1) | CAC Security Assessment | Yes - mandatory approval |
| Important data (any volume) | CAC Security Assessment | Yes - mandatory approval |
| Below CAC thresholds, but more than 10K personal info subjects transferred abroad | Standard Contractual Clauses + filing | No - file after signing |
| Smaller volumes | Certification OR SCCs | No - third-party certification |
Accurate threshold calculation is crucial:
Before applying, conduct thorough internal assessment:
Draft comprehensive self-assessment covering:
Execute binding agreements with overseas recipients:
File your application with the provincial CAC where your entity is registered:
Provincial CAC conducts preliminary review:
National CAC conducts substantive security assessment:
Receive final determination:
Prepare these documents before starting your application:
| Document | Description |
|---|---|
| Declaration Form (申报书) | Official application form with company information, data transfer overview, and declarations |
| Self-Assessment Report | Comprehensive analysis of transfer legality, necessity, risks, and safeguards (typically 30-50+ pages) |
| Data Transfer Agreement | Legally binding contract between Chinese entity and overseas recipient |
| PIPIA Report | Personal Information Protection Impact Assessment for affected processing activities |

| Document | Purpose |
|---|---|
| Business license copy | Verify applicant entity identity |
| Data flow diagrams | Visualize how data moves across borders |
| System architecture documentation | Technical context for security review |
| Security measure specifications | Detail encryption, access controls, monitoring |
| Overseas recipient credentials | Prove recipient's data protection capabilities |
| Privacy policies (Chinese) | Demonstrate user disclosure compliance |
| Consent mechanisms screenshots | Show how consent is obtained |
| Internal policies and procedures | Evidence of organizational measures |
The regulations specify official timeframes, but actual experience often differs significantly:
Internal assessment, documentation preparation, legal agreement negotiation, gap remediation
Provincial CAC verifies submission completeness; often requires supplementary materials
Preliminary review; may include multiple rounds of Q&A and document updates
Substantive security assessment; can be extended for complex cases; expert panels may be convened
Notification of result; if conditionally approved, additional time to address conditions
Many companies don't fully understand their own data flows. If your application doesn't match what regulators find during investigation, credibility is damaged. Conduct thorough data discovery before applying—don't just document what you think happens.
"Business needs" is not sufficient justification. You must specifically explain why this data must leave China, why local processing isn't feasible, and how you minimize transferred data. Regulatory reviewers push back hard on weak necessity arguments.
Generic data processing agreements don't satisfy CAC requirements. Overseas recipients must make specific commitments aligned with Chinese law standards, including audit rights, data localization upon termination, and response to Chinese individual rights requests.
Companies focus on personal information thresholds but overlook that any "important data" triggers assessment regardless of volume. If you're unsure whether your data qualifies, proactively consult with sector regulators or legal counsel.
Starting the process 3 months before a business deadline is a recipe for problems. The process takes 6-18 months. Build assessment into project planning from the beginning, not as an afterthought.
Some companies continue transfers while the assessment is pending, reasoning that they're "in the process." This is a violation. If assessment is required, you must halt transfers until approval is received. Plan interim solutions.
Approvals are valid for only 2 years. Companies that celebrate approval often forget to schedule the renewal. Start the renewal process 6+ months before expiration to avoid gaps in authorization.
CAC security assessment is mandatory if you: (1) are a Critical Information Infrastructure Operator (CIIO), (2) process personal information of 1 million+ individuals, (3) have cumulatively transferred data of 100,000+ individuals abroad since January 1 of the prior year, or (4) have transferred sensitive personal information of 10,000+ individuals abroad.
The official timeline is 45-60 working days after acceptance, but in practice, the full process typically takes 6-18 months. This includes preparation time, multiple rounds of supplementary questions, and potential revisions. Complex cases or those involving critical infrastructure can take longer.
Required documents include: (1) Security assessment declaration form, (2) Self-assessment report covering data types, purposes, and security measures, (3) Legal documents between Chinese entity and overseas recipient, (4) Technical security measures documentation, (5) Personal information protection impact assessment (PIPIA), and (6) Overseas recipient's data protection commitments.
If your application is rejected, you cannot legally transfer data abroad. You may revise and resubmit, but transferring data without approval can result in penalties up to 50 million RMB or 5% of revenue, business suspension, and personal liability for responsible managers. Some companies restructure their data architecture to avoid cross-border transfers.
No. If CAC assessment is required, you must wait for approval before transferring data abroad. Transferring data during the assessment period is a violation. Companies should plan for this timeline and may need to implement interim local data processing solutions.
CAC security assessment applies to personal information and "important data" being transferred abroad. The definition of "important data" varies by industry—each sector regulator may define categories specific to their industry. If uncertain whether your data qualifies, consult with legal experts or the relevant industry regulator.
CAC security assessment approvals are valid for 2 years. You must reapply before expiration to continue transfers. Additionally, reassessment is required if there are significant changes to data categories, purposes, overseas recipient, or the security environment.