Management, compliance & auditing

China’s New Cyber Security Law

Daniel Dimov
April 19, 2017 by
Daniel Dimov

1Section 1. Introduction

Regional regulations on data transfers, such as the U.S.-E.U. Privacy Shield framework, have a significant impact on the cross-border moving, use, and protection of personal data. In Asia, one of the major players in the field of ICT, China, is moving towards a more comprehensive regulation of its cyberspace. On 1st of June 2017, the second largest economy in the world will implement its new Cyber Security Law. The law aims to introduce security maintenance obligations to a wide variety of businesses using computer systems linked to China and better combat information security threats.

The law applies to network operators and critical information infrastructure operators, electronic information distribution service providers, and software download service providers. Thus, most Chinese businesses using computer infrastructure fall within the scope of the law. The new legislation will also have implications for multinational companies operating in China and foreign businesses having data centers in the country.

Before the adoption of the Cyber Security Law, Chinese regulations governing cyberspace were spread over a number of separate laws (e.g., Telecommunications Regulations of the People's Republic of China 2016 and Administrative Measures on Internet Information Services 2011). The new law addresses the long-existing need for a consolidated legal act.

This article aims to overview the key aspects of the new Chinese cybersecurity framework (Section 2). Further, it will briefly summarize the main obligations to business providers as outlined in the new law (Section 3). At the end of the article, a conclusion is drawn (Section 4).

Section 2. The main provisions of the new Chinese Cyber Security Law

The two main pillars on which the new Chinese Cyber Security Law is based are (1) protection of personal information and individual privacy and (2) an overall standardization of collection and use practices of personal information. Although a comprehensive analysis of the new Chinese Cyber Security Law and its implementation practices have not yet been made available to the global public, the key aspects of the new cyber security regulations are known. According to the currently available information, the new Chinese Cyber Security Law will include nine main types of provisions. They are briefly overviewed below.

  1. Data localization. The new law stipulates that the personal data of Chinese citizens should be kept within the territory of China. If the key information infrastructure operators who collect or process such data would like to transfer the data outside the country, they will need to undergo a security assessment and get approval from the National Cyberspace Administration and State Council.
  2. Handling of personal data. Similarly to the EU data protection laws, the Chinese Cyber Security Law states that the collection, usage, and storage of personal and sensitive data can be done only in specified cases. Individuals are also provided with the right to access, modify, and delete their personal data if such data is handled in an improper or erroneous manner.
  3. Setting requirements for network operators. In the new Chinese Cyber Security Law, the definition of a network operator is very broad and encompasses a big portion of Chinese businesses that own and operate IT networks. The law obliges network operators to obtain users' consent for data collection and processing, publish privacy notices, and implement comprehensive technical safeguards for data protection.
  4. Network security requirements. Businesses are obliged to employ network security safeguards, such as preparing and implementing contingency plans for mitigating network security incidents, reporting possible security risks, and assisting Chinese authorities in investigating and combating cyber crimes.
  5. Term for security maintenance. Chinese businesses selling network-related services and products are required to provide maintenance of their products and services for as long as the contract with a customer lasts. The provision of security maintenance cannot be terminated earlier than the expiration date of the contract.
  6. Prior certification. The new law states that cyber security-related products and services have to be certified in advance and meet safety inspection requirements before they can be put on the market in China. The certification process is conducted by the Chinese government.
  7. Personal liability and identity registration. Individuals have to provide their identity information when purchasing or using certain types of products and services online (e.g., domain names and social network accounts). This requirement aims to assist the Chinese government in halting the spread of rumors and filtering fake information in the cyberspace.
  8. Online protection of minors. The Chinese government aims to strengthen the protection of minors in the cyberspace by obliging entities that collect personal data from minors to (1) place a warning label on their websites; (2) obtain a consent for data collection from the minors or their guardians; and (3) set rules for minors' personal data processing.
  9. Legal liabilities. The entities failing to meet the requirements mentioned above will be blacklisted by the Chinese government and may face administrative and monetary penalties. The maximum monetary penalty stipulated in the law is ten times the income derived by illegal means or RMB 1 million (about USD 145.000) if no illegal income is received. Serious infringements may result in the obligations to suspend business activities, shut down websites, and revoke business licenses.

Section 3. Obligations to businesses

As it was mentioned above, local and international businesses operating in China will face a number of obligations stipulated in the new law. The wording of the law focuses on "network operators," a definition which refers to network service providers and administrators. This definition also includes enterprises and institutions that conduct business using networks. Therefore, not only traditional telecommunications operators, such as telecom and Internet providers, will fall within the provisions of the law, but also a number of other business types collecting and processing personal information, such as financial institutions (e.g., banks and insurance companies), online service providers, website operators, cyber security-related firms, and network providers. It is important to note that the definition of "network operators" applies not necessarily to large enterprises. Until more precise criteria are provided, the definition may theoretically include small enterprises. In this section, we will look into the obligations applicable to network operators in more detail.

3.1 General security requirements

Articles 10 and 21 of the law contain general security requirements for network operators. These articles prioritize creating and maintaining security administration systems and expanding data protection capabilities of network operators. The law includes the obligations of businesses to:

  • Safeguard network operations.
  • Respond to cyber security incidents.
  • Prevent cybercrimes.
  • Maintain integrity, accessibility, and confidentiality of network data according to national standards.
  • Follow procedures for safeguarding networks from unauthorized access and destruction of data.

3.2 Specific security requirements

In addition to general security requirements, network operators are subject to specific security requirements.

3.2.1 Obligation to respond to cyber threats.

To prevent cyber security risks, network operators are required by law to respond quickly and effectively to security flaws that are discovered in the products and services provided by them. Also, they have to assure continuous security maintenance of such products and services that cannot be terminated earlier than it is outlined in the agreement between the provider and the customer (Art. 22).

3.2.2 Obligations for critical information infrastructure providers.

Some network operators may be qualified as critical information infrastructure providers. According to the law, critical infrastructure comprises several categories, namely: (1) websites, e.g., governmental websites, key new websites, and websites visited by more than 1 million visitors on daily basis; (2) platforms, e.g., platforms where the number of registered users exceeds 10 million, platforms having daily transactions exceeding RMB 10 million (about USD 1.4 million); and (3) production service category, e.g., public service operational systems and data centers having more than 1500 standard racks. Although the scope of such enterprises has not yet been specified officially, it can be predicted that the qualifying companies will include public communications and information service providers, as well as finance, energy, transport, public services, and e-governance providers. Since data leakage and cyber security flaws detected in the networks of such types of enterprises and institutions can pose a serious risk to the public security of China, the Chinese government aims to assure the highest possible level of security. Article 38 of the law stipulates that the qualifying businesses are obliged to regularly (i.e., at least once per year) assess their cyber risks. Moreover, such critical information infrastructure operators have to report the results of such assessments to the governmental authorities.

3.3.3 Obligation to store collected data domestically.

Article 37 of the law points out that all personal information collected in China should remain within Mainland China. The transfer of such information abroad is possible only if the Chinese authorities conduct security assessments. For example, Chinese companies that would like to transfer personal data to their business partners located abroad will need to obtain a cyber security assessment certificate. Servers storing personal data and other critical data should also be physically located in the country. The Chinese cyberspace administrative bodies and regulatory authorities are expected to explain the practical implementation of Article 37 in the future.

3.3.4 Obligations for critical network equipment.

Articles 23 and 35 of the law stipulate that critical network equipment can be brought to the market only by qualified providers and only if the security certification for those products has been completed. Consequently, critical information infrastructure operators must pass a national security review before purchasing critical network equipment products. To clarify this requirement, the Chinese authorities will draft a classifying catalog of critical network equipment products in the future.

A newly established body, namely, the Chinese Network Security Inspection Committee, in cooperation with the Cyber Administration of China and the existent supervisory bodies for separate industries (e.g., finances and advertising) will be responsible for ensuring compliance of businesses with the obligations mentioned above, administrating inspection policies, and conducting network security inspections.

Section 4. Conclusion

The new Chinese Cyber Security Law focuses on addressing the growing need to protect current global and regional cyberspaces and their users better.
Following data protection standards that have already been established in the the EU and other countries, the Chinese government implements a set of rules for ensuring a strong protection of personal data, limiting uncontrolled data transfers outside the country, and obliging businesses and institutions to provide a safe, maintained and malware-free informational network infrastructure.

On the other hand, the new law seems to introduce challenges to businesses, especially to cross-border IT-related enterprises. Due to the new obligations to store and process personal data within the country and an increased interference of the Chinese government in the digital domain, the new legislative move may result in limiting innovation and preventing non-Chinese businesses from accessing China's market.

The Chinese government is expected to publish further clarifications and practical guidance on the new law in the near future. Despite the current unclarities, the new law seems to be an instrument for contributing to a safer and user-friendlier global cyberspace.


Cheng, R., China Reveals More Details on Its Impending Cyber Security Law', Forbes, 13 February 2017. Available at

Cheng, R., 'China Passes Long-Awaited Cyber Security Law', Forbes, 9 November 2016. Available at

Chin, J., and Dou, E., 'China's New Cybersecurity Law Rattles Foreign Tech Firms', The Wall Street Journal, 7 November 2016. Available at

Haour, G., 'Why China's New Cybersecurity Law Is Bad News for Business', Fortune, 1 December 2016. Available at

Ismail, N., 'How businesses should prepare for China's new Cyber Security Law', Information Age, 10 January 2017. Available at

O'Donoghue, C., Dong, Z., 'The new Cybersecurity Law of China: What does it mean for the International Market?', Lexology, 17 January 2017. Available at

'Overview of China's Cybersecurity Law', KPMG, February 2017. Available at

Ruan, L., 'What Does China's New Cybersecurity Law Mean for Chinese Internet Companies?', 10 November 2016. Available at

Wong, S., and Martina, M., 'China adopts cyber security law in face of overseas opposition', 7 November 2016. Available at


Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.

Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.