Cybersecurity · China

Comprehensive law: Cybersecurity Law of the PRC (2017, amended effective 1 Jan 2026), supported by the Data Security Law (2021) and Personal Information Protection Law (2021), administered by the Cyberspace Administration of China (CAC)

China operates a comprehensive, multi-statute cybersecurity regime anchored by the Cybersecurity Law (CSL, in force since June 2017), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), all overseen primarily by the Cyberspace Administration of China. The framework imposes layered obligations including a Multi-Level Protection Scheme, heightened duties for Critical Information Infrastructure operators, and mandatory data localization and security review. A major CSL amendment took effect on 1 January 2026, raising penalties (fines up to RMB 10 million), broadening extraterritorial enforcement, and adding provisions on AI safety.

Foundational comprehensive law

The Cybersecurity Law, effective 1 June 2017, is the cornerstone statute governing network operations, network product/service security, the Multi-Level Protection Scheme (MLPS) and protection of Critical Information Infrastructure (CII). It applies to all 'network operators' building or operating networks within China.

2026 CSL amendment

On 28 October 2025 the NPC Standing Committee adopted the most significant amendment since 2017, effective 1 January 2026. It adds an AI-development/safety framework, sharply increases fines (up to RMB 10 million), introduces tiered penalties, and broadens extraterritorial enforcement to overseas activities endangering China's cybersecurity.

Three-pillar data/security framework

Beyond the CSL, the Data Security Law (effective 1 Sept 2021) governs data classification and 'important data', while the PIPL (effective 1 Nov 2021) governs personal information processing. The Network Data Security Management Regulations (State Council, effective 1 Jan 2025) operationalize all three with detailed compliance rules.

Incident reporting duties

The CAC's National Cybersecurity Incident Reporting Management Measures took effect 1 November 2025. CII operators must report 'significant or higher' incidents to authorities and the Public Security Bureau within one hour; other network operators must report to the provincial CAC within four hours, with a follow-up handling report within 30 days of resolution.

Personal data breach notification

Under PIPL Article 57, where personal information is leaked, altered or lost (or risk thereof), the handler must immediately take remedial measures and notify the competent authorities and affected individuals; individual notice may be omitted only where measures effectively prevent harm.

CII and data localization

CII operators face enhanced security obligations including security assessments, and personal information and important data collected within China must be stored domestically, with cross-border transfers subject to CAC security review.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.