Key Takeaways
- China’s cybersecurity law enforces stringent data protection and network security regulations.
- Compliance obligations under the law affect both domestic and international entities.
- Regulatory authorities have a significant role in monitoring and implementing cybersecurity measures.
Here we set out the core requirements of the China Cybersecurity Law and explain what companies need to do to comply.
Overview of the Cybersecurity Law
China’s Cybersecurity Law is a comprehensive law designed to regulate cyberspace. It focuses on network security, data protection, and the obligations of various stakeholders.
Legislative Background
In 2017, China enacted its Cybersecurity Law, a cornerstone legal framework to bolster the nation’s cyber infrastructure against threats. It consolidates previous laws and regulations related to information technology and cybersecurity.
Purpose and Scope
The law’s primary purpose is to ensure safety, safeguard cyberspace sovereignty, and protect the rights of citizens and organizations. It applies to network operators and service providers and has a wide scope that affects both Chinese and international entities operating within China.
Key Principles
- Cybersecurity as a National Priority: Emphasizes the strategic position of cybersecurity in national defense and economic development.
- Data Localization: Mandates that critical data collected and generated by key information infrastructure operators during operations within China be stored domestically.
- Network Operator Responsibilities: Network security management, user data protection, and cooperation with government oversight.
Legal Framework
China’s cybersecurity law framework has several components. We consider each in turn:
1. National Cybersecurity Strategy
China’s National Cybersecurity Strategy emphasizes the Chinese government’s intent to safeguard the country against threats and to promote stability within the digital domain. The strategy champions the idea of a “cyber Great Wall” defending the country’s IT infrastructure.
2. Data Governance
Under China’s data governance regime, there is a strong emphasis on managing data collection, storage, and transfer. The Personal Information Protection Law (PIPL) and the Cybersecurity Law (CSL) are both pivotal in setting the boundaries and standards for handling personal data. While the PIPL establishes rules for personal data handling and consent requirements, the Cybersecurity Law focuses on data localization and data transfer restrictions.
3. Critical Information Infrastructure Protection
Protecting Critical Information Infrastructure (CII) is a cornerstone of China’s cybersecurity legal framework. Institutions in the CII category are subject to enhanced regulatory scrutiny and must meet higher security standards. Key protections enacted under this principle include mandatory security reviews and incident response obligations.
Entities within sectors such as finance, energy, transportation, and public services are identified as CII operators and must adhere to these regulations to maintain national cyber and operational security.
Compliance Obligations
China’s cybersecurity law places specific requirements on network operators and on those who use networks to handle information. These entities must adhere to stringent cybersecurity and data handling protocols.
1. Cybersecurity Obligations
Under the Cybersecurity Law, network operators must implement robust measures to safeguard their networks from threats. This includes:
- System Security: Establishment and maintenance of security protocols.
- Real-name Identification: Verification of user identity before providing services.
- Incident Reporting: Prompt reporting of cybersecurity incidents to relevant authorities.
2. Data Localization Requirements
The Data Localization mandate stipulates that critical data must be stored domestically:
- Domestic Storage: Critical Information Infrastructure Operators (CIIOs) must store personal information and important data within China.
- Security Assessments: A security assessment is mandatory when cross-border data transfer is necessary.
3. Cross-Border Data Transfer
The law imposes conditions on the international transfer of data:
- Security Assessments: The authorities conduct security assessments for CIIOs transferring data overseas.
- Data Transfer Agreements: Adherence to legal agreements, ensuring data protection equivalent to China’s standard.
These compliance obligations reinforce China’s stance on controlling the flow and security of data within China’s jurisdiction, reflecting broad concerns about China’s security and information sovereignty.
A central regulator, the Cyberspace Administration of China (CAC), is the primary body that enforces China’s cybersecurity legislation, alongside various sector-specific agencies. These bodies oversee the implementation of laws and guidelines in their respective domains.
4. Cyberspace Administration of China
The Cyberspace Administration of China (CAC) coordinates and integrates cybersecurity and information technology work across government entities. It formulates policies, legal norms, and strategic plans for national cybersecurity, and advances the secure and reliable operation of information infrastructure. Its responsibilities include:
- Drafting and implementing important cybersecurity strategies, policies, and regulations.
- Promoting national cybersecurity awareness and education.
5. Sector-Specific Regulatory Bodies
Several sector-specific regulatory bodies operate under their respective ministries, ensuring adherence to China’s cybersecurity standards within various industries. Examples include:
- The Ministry of Industry and Information Technology (MIIT): Regulates the IT and industrial sectors.
- The People’s Bank of China (PBOC): Regulates cybersecurity in the financial sector.
Each of these bodies enforces regulations aligned with the CAC’s central tenets, tailoring oversight to the industry’s contextual needs.
Legal Implications
China’s cybersecurity law sets out structured legal ramifications for non-compliance and specific enforcement mechanisms.
1. Penalties and Enforcement
Under China’s cybersecurity legislation, entities may face monetary fines, operational restrictions, or shutdowns of their systems. For serious infringements, responsible individuals could face criminal charges. Enforcement is primarily conducted by the Cyberspace Administration of China (CAC) and other sector-specific regulators.
- Fines: Up to ten times the illegal gains or, in their absence, up to RMB 1 million.
- Restrictions: Temporary service suspension, or revocation of business permits or licenses.
- Criminal Charges: May apply to personal data breaches or to conduct that endangers cybersecurity.
2. Liability for Non-compliance
Entities are responsible for ensuring the security of their networks and protecting personal information, which means implementing mandatory security measures and reporting incidents to authorities.
- Security Measures: Include the Multi-Level Protection Scheme (MLPS) and real-name registration.
- Incident Reporting: Mandatory for serious cybersecurity incidents and breaches involving personal data.
3. Dispute Resolution Mechanisms
The law provides channels for entities and individuals to challenge orders or sanctions relating to cybersecurity. This typically involves submitting complaints through formal legal processes.
- Administrative Reconsideration: The first step in challenging a ruling made by a regulatory body.
- Judicial Review: Entities may appeal to the judiciary system if administrative reconsideration fails.
Cybersecurity Practices
Organizations must adopt rigorous practices across several domains to ensure compliance with China’s cybersecurity laws, from compliance strategies to effective incident handling.
1. Best Practices for Compliance
Organizations operating in China should thoroughly understand the Cybersecurity Law that came into effect in June 2017. This requires implementing practical measures that include, but are not limited to:
- Data Localization: Storing critical data within China and passing security assessments before transferring data abroad.
- Network Security: Ensuring network systems are secure against attacks by following the Multi-Level Protection Scheme (MLPS) 2.0.
2. Risk Management and Assessment
Risk management is a continuous process emphasized by the Chinese cybersecurity framework, which mandates regular assessments to identify vulnerabilities:
- Conduct Regular Audits: Organizations must assess their IT infrastructure against cybersecurity threats.
- Identify Risks: Maintain updated risk profiles for all critical assets, ensuring compliance with national standards such as GB/T 22239-2019.
3. Incident Reporting and Response
Timely and efficient handling of cybersecurity incidents is crucial under China’s cybersecurity law. Organizations must:
- Establish Response Plans: Have incident response plans rehearsed routinely to ensure preparedness.
- Report Incidents: Report cybersecurity incidents to the relevant authorities as stipulated by local regulations, typically within 24 hours.
International Implications
China’s Cybersecurity Law has ramifications that extend well beyond its borders, affecting multinational companies and international trade relations. Complying with China’s regulations is crucial for foreign firms operating in China.
1. Global Impact and Responses
The introduction of China’s Cybersecurity Law has compelled companies worldwide to reassess their data governance strategies. In particular, EU and US businesses have had to ensure that their Chinese operations align with the new Chinese legal framework. Many nations have vocally expressed their concerns, stating that these laws could act as trade barriers and potentially lead to retaliatory legal actions.
| Country | Response to China’s Cybersecurity Law |
|---|---|
| United States | Raised issues on trade and the potential for intellectual property infringement |
| European Union | Expressed concerns over data transfer restrictions and impact on global companies |
| Japan | Called for clarity on implementation and scope of regulations |
Moreover, the laws potentially affect international cyber norms and cybersecurity collaboration. Some argue they could influence the power dynamics in setting global cyber standards.
2. Comparisons with International Regulations
Compared with international norms, China’s Cybersecurity Law is often seen as more prescriptive and stringent. For example, it mandates data localization and real-name registration, neither of which has a direct equivalent in the EU’s General Data Protection Regulation (GDPR).
The table below illustrates some comparisons:
| Principle | China’s Cybersecurity Law | EU’s GDPR |
|---|---|---|
| Data Localization | Mandatory for certain data types | Not explicitly required, but data transfer to some locations strictly regulated |
| Real-name Registration | Required for network services | Not required |
| Consent to Processing | Requires stringent conditions | Required with flexibility in certain contexts |
While these comparisons highlight differences in approach, they also underscore the complex challenges companies face when navigating the intersection of international cybersecurity measures.
The Cybersecurity Law’s data localization requirements and encryption restrictions create compliance obligations for tech and data-intensive businesses that can require substantial infrastructure investment. China company setup advisors at MSA Asia help assess your cybersecurity compliance posture and required controls. Contact our team to evaluate your data security requirements.
