How to Prepare for a CAC Security Assessment in China: 2026 Guide for Foreign Companies

Date:

Share post:

How to Prepare for a CAC Security Assessment in China: 2026 Guide for Foreign Companies

A CAC Security Assessment is a mandatory review by China’s 国家互联网信息办公室 (Cyberspace Administration of China, CAC, Zhōngguó Guójiā Hùliánwǎng Xìnxī Bàngōngshì) for companies that export personal information or important data out of China. As of 2026, any foreign company transferring over 100万 (1 million) personal information records annually or 10万 (100,000) sensitive personal information records must apply for this assessment before data can leave the country.

Since the 数据出境安全评估 (Data Export Security Assessment, shùjù chūjìng ānquán pínggū) rules took effect in 2022 and were updated in 2024, the CAC has conducted over 200 formal reviews, with an average approval time of 45–60 working days. Failure to comply can result in penalties of up to 5% of annual global revenue or 5000万 RMB (≈$7 million USD). This guide walks you through every step of the preparation process for 2026, including document requirements, data mapping, legal support, and common pitfalls.

What Is a CAC Security Assessment and Who Needs It?

A CAC Security Assessment is a government review to ensure that cross-border data transfers do not threaten China’s national security, public interest, or individual privacy. The assessment applies to two categories of companies:

First, 关键信息基础设施 (Critical Information Infrastructure, CII, guānjiàn xìnxī jīchǔ shèshī) operators who transfer personal information outside China. Second, companies that process personal information of more than 100万 individuals per year and need to export that data, or any company processing sensitive personal information of over 10万 individuals annually. Foreign companies in sectors such as automotive, healthcare, fintech, and e-commerce are most frequently affected.

The assessment evaluates data purpose, type, volume, recipient security, and the data-subject rights protection. It is a one-time review, but results may be valid for 2 years, after which a renewal assessment is required. The 2026 update also requires companies to maintain a 数据安全自评估报告 (Data Security Self-Assessment Report, shùjù ānquán zì pínggū bàogào) even if they fall below the formal threshold, as a backup during audits.

The 2026 Assessment Threshold: When Does Your Company Need to Apply?

Understanding the exact thresholds is critical. The table below summarizes the mandatory application triggers for a CAC Security Assessment in 2026:

Criteria Threshold Application Required?
Annual personal information export volume ≥100万 records Yes — mandatory
Annual sensitive personal information export volume ≥10万 records Yes — mandatory
Company designated as CII operator Any export of PI or important data Yes — mandatory
Annual PI export volume (non-CII, non-sensitive) 10万–100万 records Self-assessment only, but file report
Annual PI export volume (non-CII, non-sensitive) <10万 records No formal assessment, still maintain compliance

If your company falls into the first row, you must submit a formal application to the CAC through the 省级网信办 (provincial CAC branch, shěngjí wǎngxìnbàn). The review process typically involves a 45–60 working day evaluation, though complex cases may extend to 120 working days. The 2024 regulation update also introduced a fast-track process for renewals: if no material change in data volume or purpose, renewal can be completed within 20 working days.

Step-by-Step Preparation: Documents, Data Mapping, and Legal Support

Step 1: Data Mapping and Classification

You cannot apply for a CAC assessment without a complete 数据资产清单 (Data Asset Inventory, shùjù zīchǎn qīngdān). This inventory must classify each data field as personal information, sensitive personal information, or important data (such as industrial or technical data). Foreign companies often underestimate the complexity of this step — one auto manufacturer in Shanghai spent 4 months mapping 3,500 data fields across 12 business units. A best practice is to use automated data discovery tools and assign a dedicated data protection officer (DPO) for the project.

Step 2: Prepare the Self-Assessment Report

Even if you are applying for a formal CAC assessment, you must first complete a 数据安全自评估报告 (Data Security Self-Assessment Report). This report must include: data purpose and legality (e.g., is consent collected?); data recipient’s security measures (encryption, access controls, incident response); an impact analysis on national security and individual rights; and a data-subject rights response plan. The report is submitted alongside the formal application. Many foreign companies outsource this report to a licensed 网络安全服务机构 (cybersecurity service provider, wǎngluò wǎngluò ānquán fúwù jīgòu) to ensure it meets CAC expectations.

Step 3: Submit the Application and Supporting Documents

The formal application to the provincial CAC branch includes the self-assessment report, data asset inventory, data transfer agreement with the recipient, proof of data-subject consent mechanism, and a corporate commitment letter signed by the legal representative. Since 2024, the CAC requires all documents to be submitted through a dedicated online portal (数据出境安全评估申报平台, shùjù chūjìng ānquán pínggū shēnbào píngtái). After submission, the provincial CAC pre-reviews and forwards it to the CAC headquarters within 10 working days. If documents are incomplete, the applicant has 15 working days to resubmit.

Step 4: Respond to CAC Inquiries

During the review, CAC may request clarification or supplementary materials, such as a more detailed data flow diagram or a recipient security certification. The average review round is 2–3 cycles. Companies that prepared thoroughly in Step 1 and Step 2 typically clear these cycles in under 30 working days, while unprepared companies can face 60–90 days of back-and-forth. We recommend designating a single point of contact who can respond to CAC queries within 24 hours.

Common Pitfalls and How to Avoid Them

Pitfall: Underestimating the data mapping effort — one European pharmaceutical company missed 40% of its data fields, causing the CAC to reject the application. Cost: ¥2.8 million RMB in delayed market access (4 months later than planned). Fix: Conduct a full data inventory 6 months before application, using automated tools and a dedicated DPO, and cross-check with all business units.
Pitfall: Failing to update the data transfer agreement with recipients — the CAC requires the recipient to commit to specific security measures (e.g., encryption at rest, incident notification within 24 hours). A US tech company used a generic international DPA, which was rejected. Cost: ¥1.5 million RMB in legal rework and a 3-month resubmission delay. Fix: Use CAC-approved model clauses (标准合同条款, biāozhǔn hétóng tiáokuǎn) and have a Chinese-law-qualified lawyer review the recipient security appendix.
Pitfall: Ignoring the self-assessment report requirement — some companies assume that because they fall below the 100万 threshold, they don’t need any report. In 2026, CAC auditors have the right to request this report during any compliance inspection. A logistics firm was fined ¥500,000 RMB for not having the report on file. Cost: ¥500,000 RMB fine plus a $2,000 daily penalty until the report is submitted. Fix: Always maintain a current Data Security Self-Assessment Report regardless of data volume, and update it annually.

Decision Framework: DIY vs. Third-Party Support

The choice between preparing for the CAC assessment internally or hiring external specialists depends on your company’s data maturity and risk appetite.

If your data is well-organized (you already have a data inventory, a DPO, and an existing compliance framework) and your annual PI export volume is between 10万 and 100万 records (self-assessment only), choose internal preparation with minimal external legal review. This approach typically costs between ¥150,000–300,000 RMB in legal fees for document checking and portal submission support, and takes 6–8 weeks.

If your data is complex (multiple business lines, high-volume (over 100万 records), or you handle sensitive data), choose full third-party support from a specialized Chinese cybersecurity law firm and a licensed technical service provider. This path costs between ¥500,000–1,200,000 RMB (including data mapping tools and legal retainer) but reduces risk of rejection and typically shortens the review cycle by 30–50%. For CII operators, full third-party support is strongly recommended.

If your company is in a high-risk sector (banking, healthcare, transport) or has faced a prior data breach, choose a hybrid model: internal data mapping with external legal and technical audit. This balances cost and rigor at around ¥400,000–800,000 RMB.

NEXT STEPS

1. Conduct a data volume audit now — Use a data discovery tool (like BigID or OneTrust) to measure your annual personal information and sensitive personal information export volume. This will tell you whether you need a formal CAC assessment or just a self-assessment report. Read our Data Audit Guide for Foreign Companies

2. Engage a Chinese cybersecurity law firm — Only a firm with direct CAC submission experience (and who understands 2024–2026 updates) can ensure your documents meet the exact format and content expectations. See our recommended law firms for CAC assessments

3. Draft your data transfer agreement using CAC model clauses — Do not use a generic international DPA. Your contract with the recipient must include specific security commitments and a 24-hour incident notification clause. Download our CAC model clause template

— China Gateway 360 —
Remote China market entry support, built around execution.

Related articles

How to Negotiate a Factory Lease for Foreign Manufacturers in China: 2026 Guide

How to Negotiate a Factory Lease for Foreign Manufacturers in China: 2026 Guide In 2026, over 70% of foreign manufacturers entering China encounter le

How to Negotiate a Factory Lease for Foreign Manufacturers in China: 2026 Guide

How to Negotiate a Factory Lease for Foreign Manufacturers in China: 2026 Guide In 2026, over 70% of foreign manufacturers entering China encounter le

How to Negotiate a Factory Lease for Foreign Manufacturers in China: 2026 Guide

How to Negotiate a Factory Lease for Foreign Manufacturers in China: 2026 Guide In 2026, over 70% of foreign manufacturers entering China encounter le

How to Choose an Industrial Park for Foreign Manufacturers in China: 2026 Guide

How to Choose an Industrial Park for Foreign Manufacturers in China: 2026 Guide China now operates 2,547 national-level industrial parks (工业园区, gōngyè