Governance, Risk & Legal

Navigating the "Regulatory Jungle": from the Constitution to Financial Standards (JR/T).

China Regulatory Landscape

The "Three Pillars" of China's cybersecurity law interact to form a complex compliance matrix.

Cybersecurity Law

Focus: Critical Information Infrastructure (CII)

1. Network Real-name Identity
2. Log Retention (> 6 months)
3. CII Protection Levels
4. Incident Reporting
Regulatory Authority: CAC (Cyberspace Administration of China)

The Policy Pyramid

Strategy
Policy
Standard
Procedure
Guideline

Policies are "Laws" (Mandatory). Guidelines are "Advice" (Optional).
Don't mix them up.

Data Privacy vs. Data Security

Privacy (Legal)

Focuses on the Individual's Rights.
Key questions: "Do we have consent?", "Can they delete it?"
Tool: PIPL, GDPR

Security (Technical)

Focuses on the Asset's Confidentiality.
Key questions: "Is it encrypted?", "Who has access?"
Tool: AES-256, IAM

"You can have security without privacy, but you cannot have privacy without security."

Financial Industry Standards (JR/T)

Beyond national laws (CSL), financial institutions face stricter constraints defined by the PBOC (People's Bank of China) via JR/T standards.

JR/T 0071

Financial Industry Information System Security Protection Guidelines.

JR/T 0197

Financial Data Security Guidelines (Data Lifecycle focus).

Payment Tech

PCI DSS-equivalent standards for payment processing systems.