Cybersecurity regulation in China (2026)
China operates a comprehensive, multi-statute cybersecurity regime anchored by the Cybersecurity Law (CSL, in force since June 2017), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), all overseen primarily by the Cyberspace Administration of China. The framework imposes layered obligations including a Multi-Level Protection Scheme, heightened duties for Critical Information Infrastructure operators, and mandatory data localization and security review. A major CSL amendment took effect on 1 January 2026, raising penalties (fines up to RMB 10 million), broadening extraterritorial enforcement, and adding provisions on AI safety.
Key points
The Cybersecurity Law, effective 1 June 2017, is the cornerstone statute governing network operations, network product/service security, the Multi-Level Protection Scheme (MLPS) and protection of Critical Information Infrastructure (CII). It applies to all 'network operators' building or operating networks within China.
On 28 October 2025 the NPC Standing Committee adopted the most significant amendment since 2017, effective 1 January 2026. It adds an AI-development/safety framework, sharply increases fines (up to RMB 10 million), introduces tiered penalties, and broadens extraterritorial enforcement to overseas activities endangering China's cybersecurity.
Beyond the CSL, the Data Security Law (effective 1 Sept 2021) governs data classification and 'important data', while the PIPL (effective 1 Nov 2021) governs personal information processing. The Network Data Security Management Regulations (State Council, effective 1 Jan 2025) operationalize all three with detailed compliance rules.
The CAC's National Cybersecurity Incident Reporting Management Measures took effect 1 November 2025. CII operators must report 'significant or higher' incidents to authorities and the Public Security Bureau within one hour; other network operators must report to the provincial CAC within four hours, with a follow-up handling report within 30 days of resolution.
Under PIPL Article 57, where personal information is leaked, altered or lost (or risk thereof), the handler must immediately take remedial measures and notify the competent authorities and affected individuals; individual notice may be omitted only where measures effectively prevent harm.
CII operators face enhanced security obligations including security assessments, and personal information and important data collected within China must be stored domestically, with cross-border transfers subject to CAC security review.
Timeline - major decisions & events
Amendments adopted by the NPC Standing Committee on Oct. 28, 2025 raise maximum fines to RMB 10 million, allow immediate penalties without prior warning, and broaden extraterritorial enforcement to any overseas activity endangering China's cybersecurity. They significantly harden the original 2017 framework. Source: Reed Smith ↗
The State Council issued national-level regulations (effective Jan. 1, 2025) implementing the CSL, DSL and PIPL together, setting unified rules on important data, network data handlers, and cross-border transfers. They consolidate China's three core data laws into one operational framework. Source: China Briefing ↗
The CAC released rules, taking immediate effect, that ease outbound data transfer requirements, exempting six scenarios from security assessment/certification and raising volume thresholds. They marked a notable relaxation of the strict 2022 cross-border regime. Source: Library of Congress ↗
CAC measures finalized July 7, 2022 require a government security assessment before exporting important data, or personal information above set thresholds, out of China. They established the first mandatory state review gate for outbound data. Source: Library of Congress ↗
After a year-long cybersecurity review, the CAC found 16 violations of the CSL, DSL and PIPL and fined Didi RMB 8.026 billion, plus RMB 1 million each on its chairman and CEO. It was the landmark first major enforcement case under the new data laws. Source: DigiChina (CAC statement translation) ↗
China's first comprehensive data privacy law, the PIPL, often compared to the GDPR, established consent rules, data subject rights, cross-border transfer conditions, and penalties of up to 5% of annual turnover. It completed the trio of pillars governing personal data security obligations. Source: DLA Piper ↗
Adopted June 10, 2021, the DSL created a national data classification and grading system, introduced the 'important data' and 'national core data' regimes, and imposed data-handling security obligations across all sectors. It anchors data security alongside the CSL. Source: Skadden ↗
The State Council's first administrative regulations on CII (released Aug. 17, 2021) defined critical sectors, designated protection authorities, and set operator obligations. They operationalized the CII concept introduced in the 2016 Cybersecurity Law. Source: The State Council (gov.cn) ↗
Ministry of Public Security national standards (GB/T 22239-2019 and others) updated the classified protection regime, requiring operators to grade systems across five levels and obtain assessments for Level 2 and above. They became the core technical compliance baseline under the CSL. Source: Inside Privacy (Covington) ↗
China's foundational cybersecurity statute, the CSL, imposed network operator security duties, data localization for critical information infrastructure, real-name registration, and the multi-level protection scheme. It established the structural framework all later data laws build upon. Source: DigiChina (Stanford) ↗
The National People's Congress Standing Committee passed China's first unified cybersecurity law, designating the Cyberspace Administration of China as lead regulator. Its passage marked the formal birth of China's modern cybersecurity legal regime. Source: NPC Observer ↗
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.