China Cybersecurity Law: 2024 Business Guide


Key Takeaways

  • China’s cybersecurity law enforces stringent data protection and network security regulations.
  • Compliance obligations under the law affect both domestic and international entities.
  • Regulatory authorities have a significant role in monitoring and implementing cybersecurity measures.

In recent years, the Chinese government has strongly emphasized controlling and securing the flow of information, directly impacting business operations within the country. This has led to the implementation of a comprehensive cybersecurity law that became effective in June 2017. The law has far-reaching effects on domestic and foreign companies operating in China, mandating strict compliance and operational requirements.

Here we set out the core requirements of the China Cybersecurity Law and explain what companies need to do to comply.

Overview of the Cybersecurity Law

China’s Cybersecurity Law is a comprehensive law designed to regulate cyberspace. It focuses on network security, data protection, and the obligations of various stakeholders.

Legislative Background

In 2017, China enacted its Cybersecurity Law, a cornerstone legal framework intended to bolster the nation’s cyber infrastructure against threats. It consolidates previous laws and regulations related to information technology and cybersecurity.

Purpose and Scope

The law’s primary purpose is to ensure safety, safeguard cyberspace sovereignty, and protect the rights of citizens and organizations. It applies to network operators and service providers and has a wide scope that affects both Chinese and international entities operating within China.

Key Principles

  1. Cybersecurity as a National Priority: Emphasizes the strategic position of cybersecurity in national defense and economic development.
  2. Data Localization: Mandates that critical data collected and generated by key information infrastructure operators during operations within China be stored domestically.
  3. Network Operator Responsibilities: Include network security management, user data protection, and cooperation with government oversight.

Legal Framework

China’s cybersecurity law framework has several components. We consider each in turn: 

1. National Cybersecurity Strategy

China’s National Cybersecurity Strategy emphasizes the Chinese government’s intent to safeguard the country against threats and to promote stability within the digital domain. The strategy champions the idea of a “cyber Great Wall” defending the country’s IT infrastructure.

2. Data Governance

Under China’s data governance regime, there is a strong emphasis on managing data collection, storage, and transfer. The Personal Information Protection Law (PIPL) and the Cybersecurity Law (CSL) are both pivotal in setting the boundaries and standards for handling personal data. While the PIPL establishes rules for personal data handling and consent requirements, the Cybersecurity Law focuses on data localization and data transfer restrictions.

3. Critical Information Infrastructure Protection

Protecting Critical Information Infrastructure (CII) is a cornerstone of China’s cybersecurity legal framework. Institutions in the CII category are subject to enhanced regulatory scrutiny and must meet higher security standards. Key protections enacted under this principle include mandatory security reviews and incident response obligations.

Entities within sectors such as finance, energy, transportation, and public services are identified as CII operators and must adhere to these regulations to maintain national cyber and operational security.

Compliance Obligations

China’s cybersecurity law places specific requirements on operators and users of information. These entities must adhere to stringent cybersecurity and data handling protocols.

1. Cybersecurity Obligations

Under the Cybersecurity Law, network operators must implement robust measures to safeguard their systems from threats. This includes:

  • System Security: Establishment and maintenance of security protocols.
  • Real-name Identification: Verify user identity before providing services.
  • Incident Reporting: Prompt reporting of cybersecurity incidents to relevant authorities.

2. Data Localization Requirements

The Data Localization mandate stipulates that critical data must be stored domestically:

  • Critical Information Infrastructure Operators (CIIOs): Must store personal information and important data within China.
  • Conduct Security Assessments: A security assessment is mandatory when cross-border data transfer is necessary.

3. Cross-Border Data Transfer

The law imposes conditions on the international transfer of data:

  • The authorities conduct security assessments for CIIOs transferring data overseas.
  • Data Transfer Agreements: Adherence to legal agreements, ensuring data protection equivalent to China’s standard.

These compliance obligations reinforce China’s stance on controlling the flow and security of data within China’s jurisdiction, reflecting broad concerns about China’s security and information sovereignty.

China’s cybersecurity legislation is enforced by a primary regulatory authority working alongside various sector-specific agencies, each of which oversees the implementation of laws and guidelines within its own domain.

4. Cyberspace Administration of China

The Cyberspace Administration of China (CAC) coordinates and integrates cybersecurity and information technology work across various government entities. It formulates policies, legal norms, and strategic plans for national cybersecurity, advancing the secure and reliable operation of information infrastructure. Its responsibilities include:

  • Drafting and implementing important cybersecurity strategies, policies, and regulations.
  • Promoting national cybersecurity awareness and education.

5. Sector-Specific Regulatory Bodies

Several sector-specific regulatory bodies operate under their respective ministries, ensuring adherence to China’s cybersecurity standards within various industries. Examples include:

  • The Ministry of Industry and Information Technology (MIIT): Focuses on the IT and industrial sectors.
  • The People’s Bank of China (PBOC): Regulates cybersecurity in the financial sector.

Each of these bodies enforces regulations aligned with the CAC’s central tenets, tailoring oversight to the industry’s contextual needs.

Legal Implications

China’s cybersecurity law includes structured legal ramifications for non-compliance and specific enforcement mechanisms.

1. Penalties and Enforcement

Under China’s cybersecurity legislation, entities may face monetary fines, operational restrictions, or shutdowns. For serious infringements, responsible individuals could face criminal charges. Enforcement is primarily conducted by the Cyberspace Administration of China (CAC) and other sector-specific regulators.

  • Fines: Up to ten times the illegal gains or, in their absence, up to RMB 1 million.
  • Restrictions: Temporary service suspension, or revocation of business permits or licenses.
  • Criminal Charges: Can be applied to personal data breaches or acts endangering cybersecurity.

2. Liability for Non-compliance

Entities are responsible for ensuring the security of their networks and protecting personal information, which means implementing mandatory security measures and reporting incidents to authorities.

  • Security Measures: Include multi-level protection schemes (MLPS) and real-name registration.
  • Incident Reporting: Mandatory for serious cybersecurity incidents and breaches involving personal data.

3. Dispute Resolution Mechanisms

These mechanisms provide channels for entities and individuals to challenge orders or sanctions relating to cybersecurity. This typically involves submitting complaints through formal legal processes.

  • Administrative Reconsideration: The first step in challenging a ruling made by a regulatory body.
  • Judicial Review: Entities may appeal to the judiciary system if administrative reconsideration fails.

Cybersecurity Practices

Organizations must adopt rigorous practices in various domains to ensure compliance with China’s cybersecurity laws, from compliance strategies to effectively handling incidents.

1. Best Practices for Compliance

Organizations operating in China should thoroughly understand the Cybersecurity Law that came into effect in June 2017. This requires implementing practical measures that include, but are not limited to:

  • Data Localization: Storing critical data within China and passing security assessments before transferring data abroad.
  • Network Security: Ensuring network systems are secure against attacks by following the Multi-Level Protection Scheme (MLPS) 2.0.

2. Risk Management and Assessment

Risk management is a continuous process emphasized by the Chinese cybersecurity framework, which mandates regular assessments to identify vulnerabilities:

  1. Conduct Regular Audits: Organizations must assess their IT infrastructure against cybersecurity threats.
  2. Identify Risks: They should maintain updated risk profiles for all critical assets, ensuring compliance with national standards such as GB/T 22239-2019.

3. Incident Reporting and Response

Timely and efficient handling of cybersecurity incidents is crucial under China’s cybersecurity law. Organizations must:

  • Establish Response Plans: Have incident response plans rehearsed routinely to ensure preparedness.
  • Report Incidents: Report cybersecurity incidents to the relevant authorities as stipulated by local regulations, typically within 24 hours or less.

International Implications

China’s Cybersecurity Law has ramifications that extend well beyond its borders, affecting multinational companies and international trade relations. Complying with China’s regulations is crucial for foreign firms operating in China.

1. Global Impact and Responses

The introduction of China’s Cybersecurity Law has compelled companies worldwide to reassess their data governance strategies. In particular, EU and US businesses have had to ensure that their Chinese operations align with the new Chinese legal framework. Many nations have vocally expressed their concerns, stating that these laws could act as trade barriers and potentially lead to retaliatory legal actions.

| Country        | Response to China’s Cybersecurity Law                                                  |
|----------------|----------------------------------------------------------------------------------------|
| United States  | Raised issues on trade and the potential for intellectual property infringement        |
| European Union | Expressed concerns over data transfer restrictions and the impact on global companies  |
| Japan          | Called for clarity on the implementation and scope of the regulations                  |

Moreover, the laws potentially affect international cyber norms and cybersecurity collaboration. Some argue they could influence the power dynamics in setting global cyber standards.

2. Comparisons with International Regulations

Compared with international norms, China’s Cybersecurity Law is often seen as more prescriptive and stringent. For example, it mandates data localization and real-name registration, neither of which is universally required elsewhere, such as under the EU’s General Data Protection Regulation (GDPR).

The table below illustrates some comparisons:

| Principle              | China’s Cybersecurity Law          | EU’s GDPR                                                                        |
|------------------------|------------------------------------|----------------------------------------------------------------------------------|
| Data Localization      | Mandatory for certain data types   | Not explicitly required, but data transfer to some locations is strictly regulated |
| Real-name Registration | Required for network services      | Not required                                                                     |
| Consent to Processing  | Requires stringent conditions      | Required, with flexibility in certain contexts                                   |

While these comparisons highlight variances in approach, they also underscore companies’ complex challenges when navigating the intersection of international cybersecurity measures.

Ensure Compliant Data Transfer with MSA 

MSA are experts in China business expansion and regulation. They can ensure that international businesses only transfer data in and out of China in full compliance with local laws. For expert advice on your China data security, get in touch with our regulatory experts.