国家能源局：存储处理能源行业重要数据的信息网络应落实三级及以上网络安全等级保护要求

Core Points - The National Energy Administration has issued the "Energy Industry Data Security Management Measures (Trial)" to enhance data security management in the energy sector, effective from July 1, 2026 [1][21] - The measures aim to regulate data processing activities, prevent data security risks, and protect the legitimate rights and interests of individuals and organizations [3][4] Group 1: Data Classification and Responsibilities - Energy industry data is classified into three levels: general, important, and core, based on importance, precision, scale, and security risks [6][7] - The National Energy Administration is responsible for overseeing data security in the energy sector and guiding provincial energy authorities in their supervisory roles [6][8] - Energy data processors must identify and compile a directory of important data and report it to the relevant provincial energy authorities [9][10] Group 2: Data Protection Requirements - Data processors must establish a comprehensive data security management system and conduct regular training on data security [12][13] - Important and core data must be stored and processed with at least a level three network security protection requirement, with additional protections for critical information infrastructure [10][11] - Data processors are required to conduct annual risk assessments of their data processing activities and report findings to provincial energy authorities [14][15] Group 3: Monitoring and Emergency Response - Provincial energy authorities and state-owned enterprises must enhance their monitoring and emergency response capabilities for data security incidents [27][28] - In the event of a data security incident, immediate remedial actions must be taken, and relevant authorities must be notified [16][17] - Major data security risks must be reported to the National Energy Administration within one working day [30][31] Group 4: Legal Compliance and Enforcement - The National Energy Administration and provincial authorities will supervise compliance with data security regulations and can impose penalties for violations [32][34] - Violations of the measures may lead to administrative penalties or criminal prosecution if they constitute a crime [34]