Cybersecurity 2025

Last Updated March 13, 2025

China

Law and Practice

Authors



King & Wood Mallesons (KWM) is an international law firm headquartered in Asia with a global network of 26 international offices. KWM’s cybersecurity team was one of the first legal service teams to provide professional services concerning cybersecurity, data compliance and algorithm governance in China; it consists of more than ten lawyers with solid interdisciplinary backgrounds, located in Beijing and Shanghai, while further specialisms are found within KWM’s global network. The team has expertise in assisting clients in responding to cybersecurity inspections and network emergencies, the establishment of network information compliance systems, self-assessment, algorithm registration and other related matters. The team is a member of the Chinese Association for Artificial Intelligence. The team has published multiple papers in recent years, including “Algorithm Governance – Internet Information Service Recommendation Algorithm Management, China Law Insights”, published in China Law Insights in 2022.

China’s cybersecurity strategy combines national security, economic development and citizen protection through a multi-layered regulatory framework. Its primary purposes are threefold:

  • To safeguard national sovereignty by mandating stringent protections for critical infrastructure, enforcing data localisation for sensitive information, and countering external threats through severe penalties for security breaches.
  • To drive the growth of the digital economy by classifying data by risk tiers under the Data Security Law (DSL), enabling secure data markets and integrating security into national projects such as “Eastern Data, Western Computing” to foster innovation in AI and quantum technologies.
  • To ensure citizen and organisational rights via strict consent requirements under the Personal Information Protection Law (PIPL), breach disclosure rules and public awareness campaigns.

The Cybersecurity Law (CSL) acts as the overarching construct of the cybersecurity regime in China and sets forth specific requirements in various cybersecurity segments. The CSL took effect on 1 June 2017, establishing a comprehensive regulatory framework for network security. To support its implementation, a number of specific regulations have been introduced, including the Measures for Cybersecurity Review (the “Review Measures”), the Security Protection Regulations for Critical Information Infrastructure (the “CII Regulations”) and the Regulations on the Management of National Cybersecurity Incident Reporting.

A cornerstone of this framework is the graded cybersecurity protection system. While the overarching regulation is still in development, relevant authorities have issued a suite of recommended national standards since May 2019 to guide its application. These standards encompass documents such as Information Security Technology – Baseline for Classified Protection of Cybersecurity (GB/T 22239-2019), Information Security Technology – Evaluation Requirement for Classified Protection of Cybersecurity (GB/T 28448-2019), and several others providing technical design specifications, implementation guidance and classification criteria.

Parallel to this, specific regulations for protecting Critical Information Infrastructure (CII) have been released. These include the CII Regulations (effective from September 2021), the Review Measures (effective from February 2022) and industry-specific rules such as the Regulations on the Security Protection of Railway Critical Information Infrastructure (effective from February 2024).

Significantly, China augmented this framework with the DSL in June 2021. This law governs the entire data life cycle – from collection and storage to use and disclosure – and institutes a system for classifying data based on its importance. Sector-specific regulators are tasked with identifying “important data” within their purview, which will be subject to stricter protection. An example is the Automobile Data Security Provisions issued in August 2021, which detail obligations for handling automotive data. Further refining data governance, the Network Data Security Management Regulations, effective from 1 January 2025, aim to secure online data processing and facilitate its lawful use.

In the realm of personal information, the PIPL was enacted in August 2021. For cross-border data transfers, a multi-layered compliance system has been established through measures such as the Security Assessment Measures and the Standard Contract Measures. These were recently adjusted by the March 2024 Provisions on Promoting and Regulating Cross-Border Data Flows, which modified compliance thresholds and introduced exemptions.

Beyond these dedicated laws, other legislation also contributes to cybersecurity. The Civil Code outlines the tort liabilities of network users and service providers. The 2023 revised Counterespionage Law categorises cyber-attacks on state entities and CII as espionage, and the Cryptography Law, effective since January 2020, regulates the management and use of encryption technologies. The Cyberspace Administration of China (CAC) released proposed revisions to the CSL on 28 March 2025. The revisions expanded the range of administrative penalties and added punitive measures, including temporary employment prohibition.

All the key regulators of cybersecurity in China – namely the CAC, the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS) and the State Administration for Market Regulation (SAMR) – have regulatory authority at the national level, and branch agencies at county level or above that exercise their authority within their respective geographic jurisdictions, including audits and investigations of network operators regarding violation of cybersecurity-related laws and regulations.

The CAC has the overarching responsibility for planning and co-ordinating cybersecurity regulation. It is the most active regulator in terms of issuing cybersecurity regulatory documents, and its enforcement focuses on the governance of the “internet ecology” and network information content.

The MPS is the key regulator and enforcement authority of the Multi-Level Protection Scheme (MLPS) and network operation security, and is responsible for investigating and preventing crimes related to infringement of computing systems and personal information.

The MIIT oversees the telecommunications and information technology industry and thus administers the licences of market participants in this industry. Its enforcement focuses on protection of personal information, especially value-added telecommunications services.

The SAMR is responsible for the protection of consumer rights, including consumer rights relating to personal information, and fair market competition.

The National Data Administration (NDA), which is administered by the National Development and Reform Commission, the country’s top economic regulator, was officially launched in Beijing in 2023. The NDA is tasked with various responsibilities, such as promoting the development of data-related fundamental institutions; co-ordinating the integration, sharing, development and application of data resources; and pushing forward the “Digital China” strategy and the establishment of the digital economy and a digital society.

The requirements for the identification, inspection, evaluation and security of CII are set forth in the following national standards:

  • Information Security Technology – Guide to Security Inspection and Evaluation of Critical Information Infrastructure (20173587-T-469);
  • Information Security Technology – Indicator System of Critical Information Infrastructure Security Assurance (20173586-T-469); and
  • Information Security Technology – Cybersecurity Requirements for Critical Information Infrastructure Protection (GB/T 39204-2022).

The competent authorities and administration departments of CII, referred to as “protection departments”, are responsible for CII security protection. The protection departments are in charge of CII identification and reporting their findings to the public security department under the State Council. Factors which help to identify CII include its importance to the smooth operation of core businesses in the industry concerned, the possible damage which would be caused by incidents such as data leakage, and its influence on other industries and fields.

The CSL establishes foundational requirements for the security protection of CII. Specifically, Article 31 mandates a focused state protection effort on CII in vital sectors – including public communications, energy, finance and e-government – where any compromise could severely impact national security, the economy or public welfare. Furthermore, Article 37 stipulates that personal information and other important data collected by CII operators within China must be stored domestically.

Building on this foundation, the CII Regulations detail specific obligations for CII operators. These include establishing dedicated security management departments, developing contingency plans and conducting regular drills, inspections and risk assessments.

The regulatory scope also extends to encryption. Article 27 of the Cryptography Law requires CII operators to use commercial cryptography for protection where mandated by national regulations and to conduct corresponding security assessments. This focus has been further reinforced by the newly issued Regulations on Commercial Cryptography Use in Critical Information Infrastructure (effective from 1 August 2025), which aim to standardise such use to enhance CII security.

Additionally, the Review Measures impose supply chain security obligations. CII operators must assess the national security risks of purchasing network products or services. As stated in Article 5, if such a purchase may affect national security, it must be submitted for a cybersecurity review. A key objective of these Measures, as per Article 1, is to ensure the security of the CII supply chain.

At a more technical level, the national standard Information Security Technology – Critical Information Infrastructure Security Protection Requirements provides detailed implementation guidance. Effective from 1 May 2023, it outlines 111 specific security requirements, organising the protection life cycle into six key aspects: analysis and identification, security protection, detection and evaluation, monitoring and early warning, active protection, and incident disposal. This standard serves as a practical guide for operators and other involved parties.

Generally, reporting obligations fall into two categories. The first requires information about cybersecurity incidents to be reported to the relevant authorities under applicable laws. The second, governed by a separate regulation, mandates that organisations report discovered vulnerabilities to the MIIT. The obligations in both categories are compulsory and do not permit any defences or exemptions.

A general duty to report incidents is established by the CSL, the DSL and the PIPL, which require organisations to promptly inform responsible authorities of actual or potential incidents. More detailed requirements have recently been specified by industry regulators such as the MIIT and the People’s Bank of China (PBC). These regulations classify incidents into four levels based on their impact on public interest and national security. Typically, incidents classified as “major” (Level 3) or above must be reported to industry regulators immediately. However, for “ordinary” incidents (Level 4), a specific reporting timeframe is often not clearly defined. Separately, the Regulations of the People’s Republic of China on the Security Protection of Computer Information Systems require that any criminal cases involving computer information systems be reported to public security authorities within 24 hours.

The minimum required content for an incident report includes the notifying party’s information, a description and details of the incident, any affected properties, any compromised personal information, preliminary containment measures taken and an initial severity assessment.

Additionally, the Network Products Security Vulnerabilities Security Administrative Measures impose a separate obligation requiring network product providers to report any security vulnerabilities that are discovered to the MIIT within two days. This report must include the product’s name, model and version, along with the vulnerabilities’ technical characteristics, the associated risks and the potential scope of any impact. Furthermore, the Regulation on the Management of National Cybersecurity Incident Reporting stipulates more specific requirements on the reporting timeline in accordance with the classification of the cybersecurity incidents.

The CSL requires relevant government authorities to formulate emergency response plans for their respective industries and fields. Such emergency response plans must comply with the National Cybersecurity Incident Emergency Response Plan, which classifies cybersecurity incidents into four categories according to their severity and articulates the respective responses to each level. Consistent with the CSL, the DSL requires the competent authority to initiate the incident response plan, take the corresponding emergency response measures and inform the public in a timely manner in the event of a data security incident.

Comprehensive financial regulatory reforms were initiated in March 2023, involving related regulators including the PBC and the National Financial Regulatory Administration (NFRA), alongside the China Securities Regulatory Commission (CSRC).

The CSRC administers a series of securities-related financial activities in China, including initial public offerings (IPOs), corporate restructuring and related transactions. The data compliance of companies seeking a listing has become one of the key factors in whether the CSRC approves such activities, and has contributed to the CSRC’s rejection of IPO listing applications in some cases.

The NFRA oversees the financial industry, excluding securities, focusing on lawful and stable operations through various forms of supervision.

The PBC and its branches conduct data security supervision and administration of the activities within their remit, proactively support other appropriate authorities in conducting data security supervision and administration according to their duties, and may enter into co-operation agreements with other appropriate authorities when necessary to further agree on the modes of co-operation in data security supervision and administration.

The aforementioned regulatory authorities have issued a series of regulations to enhance the operational resilience of the financial sector. For example, in May 2025, the PBC issued the Measures for the Administration of Cybersecurity Incident Reporting in the Banking Sector, which is the latest cybersecurity-related regulation in the financial sector, aiming at implementing a reporting mechanism for cybersecurity incidents in that sector.

The scope of these regulations is broad, covering a wide array of financial institutions and entities under the supervision of both the PBC and the NFRA. For instance, the above-mentioned PBC Measures apply to business areas such as monetary credit, macro prudential supervision, payment and clearing systems, and credit services. Similarly, the NFRA’s Measures for the Data Security Management of Banking and Insurance Institutions issued in December 2024 establish a comprehensive governance framework for data security within banking and insurance institutions. This integrated approach provides comprehensive and specialised supervision for emerging financial institutions and cross-industry financial innovations.

Territorially, these regulations primarily apply to entities and data processing activities conducted within the People’s Republic of China. Cross-border data transfers are subject to specific, more stringent requirements.

In China, ICT service providers can be recognised as providers of network products and services under the CSL. Under the CSL and the CII Regulations, ICT services supporting CII are classified as critical. Not all cloud service providers are automatically deemed critical; only those servicing CII sectors (eg, finance, energy, transportation) are subject to stricter contractual requirements, including security assessments, requirements on cross-border data transfer and compliance with national standards. Contracts must also specify incident response obligations and audit rights for regulators.

The primary objectives of China’s digital operational resilience regulations are to ensure the continuity of critical financial services and mitigate systemic risks. Key obligations include: (1) conducting regular risk assessments, (2) implementing robust cybersecurity measures (eg, encryption, access controls), (3) maintaining backup systems, and (4) establishing incident response plans. Incident reporting obligations require financial institutions to notify the PBC or China Banking and Insurance Regulatory Commission within two hours of discovering a severe cybersecurity incident (eg, data breach, system failure). Detailed post-incident analysis and remediation reports must be submitted within a certain period.

Enforcement is carried out by the CAC, the PBC and other banking and insurance regulatory agencies through audits, inspections and penalties. Critical ICT service providers must undergo mandatory security reviews and obtain certifications (eg, a Cloud Service Security Assessment). Non-compliance can result in fines (up to CNY1 million under the CSL), operational restrictions or revocation of licences. Regulators also require providers to participate in simulated cyber-attack drills to test resilience. Repeat violations may lead to blacklisting or criminal liability under the CSL and DSL.

The DSL and PIPL impose strict controls on cross-border data transfers. Regarding the financial sector, financial institutions must store “important data” and personal information domestically; transfers require a security assessment by the CAC or approval from sectoral regulators (eg, the PBC). Critical data transfers additionally necessitate a government-led review. Contracts with foreign recipients must include data protection clauses aligned with Chinese standards. Non-compliance may trigger fines or operational bans.

Threat-led penetration testing (TLPT) is considered a critical part of cybersecurity in the financial sector. In addition to the macro-level CSL, financial regulators have specified the obligations and requirements of TLPT through industry standards and other means, including “Guidelines for internet penetration test in bank” (JR/T0232–2021) issued by the PBC, “Guidelines for penetration testing of information systems in the securities and futures industry” (JR/T0276–2023) issued by the CSRC, etc.

Although Chinese legislation does not directly use the term “cyber-resilience”, the relevant concepts and rationale are set out in various regulations. See 4.2 Key Obligations Under Legislation for details.

The CSL requires operators to formulate emergency response plans for cybersecurity incidents and to immediately initiate remedial measures upon their occurrence. Regarding the protection of CII, it mandates that such infrastructure must be designed to ensure stable and uninterrupted business operations.

The DSL requires the state to establish a data security emergency response mechanism. In the event of a data security incident, the relevant competent authority shall activate the emergency response plan in accordance with the law, take the corresponding emergency response measures, prevent the spread of harm, eliminate potential security risks, and timely publicise the relevant warning information to the public. Risk monitoring shall be strengthened when carrying out data processing activities, and remedial measures shall be taken immediately upon discovery of any data security defect or bug. Disposal measures shall be taken immediately upon occurrence of a data security incident, users shall be timely notified in accordance with the relevant provisions, and reports shall be made to the relevant competent authority.

The CII Regulations further stipulate that security safeguards shall advance in parallel with CII – through synchronised planning, construction and operation. In the event of the occurrence of any major cybersecurity incident or the discovery of any major cybersecurity threat to the CII, the operator shall report this to the protection authorities and the public security authorities as required.

China’s cybersecurity certification framework is governed by the CSL, which mandates Multi-Level Protection Scheme (MLPS) compliance for all network operators. Based on this, network operators are required to register for graded cybersecurity protection, participate in evaluation and obtain the corresponding grade certifications. Under the MLPS, a network operator’s system must be classified into one of five levels (Level 1 to Level 5) according to the impact that damage to the system would have. Progressively stringent requirements for network security and filing obligations with authorities are imposed on network operators at higher MLPS classification levels.

In particular, key network equipment and specialised cybersecurity products shall, in accordance with the compulsory requirements of relevant national standards, pass the security certification test conducted by qualified institutions or meet the requirements of security detection before being sold or provided. On this basis, the CAC and other regulatory authorities publish product catalogues and relevant national standards to regulate the aforementioned cybersecurity products.

Specifications encompassing the MLPS classification and evaluation process and the respective requirements for systems at each MLPS classification level are set forth in:

  • the Information Security Technology – Baseline for Classified Protection of Cybersecurity (GB/T 22239-2019) (MLPS Baseline Standards); and
  • the Information Security Technology – Classification Guide for Classified Protection of Cybersecurity.

Cybersecurity obligations in China are profoundly intertwined with data protection, forming a cohesive regulatory ecosystem primarily governed by the three major laws: the CSL, the DSL and the PIPL. These laws, along with numerous implementing measures and national standards, establish a comprehensive and increasingly stringent framework for data security and personal information protection across various sectors.

The DSL, which was passed on 10 June 2021 and came into effect on 1 September 2021, articulates specific security requirements for data processing. The DSL clarifies extraterritorial jurisdiction in the Chinese data regulation regime for the first time, applying to overseas data processing activities that jeopardise China’s national security or the interests of the state or citizens. The DSL contemplates a variety of state data protection mechanisms from an overarching architecture perspective, such as a classified data protection system, state data security certification and standardisation, a data transaction system and others, with implementation measures to be later promulgated by state and municipal regulatory authorities.

The DSL complies with CSL requirements and strengthens regulations on network security. For example, data processors are required to fulfil data security protection obligations based on the network security level protection system.

The cybersecurity obligations relating to AI are governed by a comprehensive regulatory framework that includes laws, administrative regulations and national standards. These obligations aim to ensure the security, transparency and accountability of AI systems while mitigating risks such as data breaches, algorithmic bias and misuse of AI-generated content.

In addition to the CSL, DSL and PIPL, China’s regulatory framework for AI is rapidly evolving, including the Provisions on the Administration of Deep Synthesis of Internet-Based Information Services, the Interim Measures for the Administration of Generative Artificial Intelligence Services, etc. The above regulations require AI service providers to complete algorithm and large model filings and carry out security assessments. Also, according to the Measures for the Labelling of AI-Generated and Synthesised Content, which took effect on 1 September 2025, the service provider shall add explicit labels to AI-generated or synthesised content and provide materials concerning those labels.

In August 2022, the National Health Commission, the National Administration of Traditional Chinese Medicine and the National Administration of Disease Control and Prevention issued the Measures for the Administration of Cybersecurity of Medical and Healthcare Institutions.

These Measures have been developed in accordance with relevant laws and regulations, including the CSL, and aim to strengthen the administration of cybersecurity of healthcare institutions and prevent the occurrence of cybersecurity incidents. The Measures stipulate that healthcare institutions shall follow the scheme of graded protection, recordation, evaluation, security construction and other work within the scope of their business operation, establish an emergency response mechanism and carry out self-inspection of security, to meet a range of cybersecurity requirements. In addition, the Guiding Opinions on Information Security Level Protection in the health industry specify that the core business information systems of Grade A tertiary hospitals and national-level data centres for maternal and child healthcare should generally not be graded a level lower than Level 3 under the MLPS scheme.

In addition, medical data, especially personal health and physiological information, is also regulated by laws and regulations such as the PIPL. Healthcare institutions must protect such data.

King & Wood Mallesons

18th Floor
East Tower
World Financial Center 1
Dongsanhuan Zhonglu
Chaoyang District
Beijing 100020 PRC

+86 10 5878 5588

kwm@cn.kwm.com
www.kwm.com

Trends and Developments


Authors




China’s Cybersecurity and Data Governance Landscape in 2024: A Year of Refined Implementation

The year 2024 marked a pivotal year in the evolution of China’s cybersecurity and data governance framework. Coinciding with the tenth anniversary of the Cyberpower Strategy and the thirtieth year of China’s full-functional access to the global internet, the regulatory focus demonstrably shifted from establishing foundational principles to refining implementation details and enforcing rules with greater precision. Against a backdrop of accelerating digital transformation and complex geopolitics, the interconnected issues of cybersecurity, data security and personal information protection remained paramount, viewed as critical to both national security and sustainable digital economic development. The past year witnessed significant activity across the legislative, judicial and enforcement domains, revealing a clear trajectory towards a more sophisticated, granular and entrenched regulatory regime.

The cybersecurity landscape saw substantial developments in both legislation and enforcement. The Cybersecurity Law, the cornerstone of the regulatory edifice, entered its seventh year of effect. A landmark achievement was the formal enactment of the Network Data Security Management Regulations, which provided crucial elaboration on the specific obligations of network operators, particularly concerning vulnerability management, security incident response and risk assessment. This significantly enhanced the law’s practical applicability. Concurrently, legislative activity intensified at the sectoral level. Specialised regulations emerged for critical industries, including transportation with the Measures for the Security Protection of Railway Critical Information Infrastructure, cryptography with the Regulations on Commercial Cryptography Use in Critical Information Infrastructure, and the power sector with the Emergency Response Plan for Power Cybersecurity Incidents. These rules signified a tailored regulatory approach designed to address unique industry risks. This legislative refinement was matched by an observable trend towards the normalisation and increasing rigour of enforcement actions. Regulatory bodies at national and local levels demonstrated a consistent willingness to impose penalties for non-compliance. Notably, the financial sector faced heightened scrutiny, with regulators highlighting failures in identifying critical information systems and inadequate disaster recovery capabilities. Local public security agencies also intensified inspections, targeting companies for failing to establish necessary management systems or address high-risk vulnerabilities, signalling a mature and actively enforced cybersecurity regime.

In the realm of data security, the intrinsic link to national security continued to drive regulatory action. The Network Data Security Management Regulations provided more detailed provisions on the management of important data, covering aspects such as identification, organisational responsibility and risk assessment. Furthermore, the release of the national standard Information Security Technology – Guidelines for Data Classification and Grading offered a foundational framework for implementing a core requirement of the Data Security Law. Regulatory focus was particularly pronounced in several high-stakes sectors. The automotive industry, for instance, saw specialised campaigns against illegal data collection, technical guidelines for data anonymisation, and the introduction of mandatory national standards governing vehicle information security and autonomous driving data recording. In finance, the Measures for the Data Security Management of Banking and Insurance Institutions took effect, imposing comprehensive data life-cycle management requirements. The industrial and IT sectors also moved to institutionalise risk management through trial rules for data security risk assessment and emergency response plans, indicating a broadening and deepening of data security obligations across the economy.

Personal information protection witnessed a marked trend towards precision and routine oversight, building on the framework established by the Personal Information Protection Law. The Network Data Security Management Regulations imposed additional obligations, such as requiring periodic compliance audits and assigning specific responsibilities to “large online platform providers”, including the publication of annual personal information protection social responsibility reports. Guidance documents, such as the Cybersecurity Standard Practice Guide – Sensitive Personal Information Identification Guide, provided clearer criteria for identifying sensitive data, while technical standards were drafted to operationalise data portability rights. Judicial activity contributed to this refinement, with courts issuing landmark rulings, including the first judicial decision on personal information infringement involving cross-border transfer, which clarified requirements for lawful data export. Enforcement became increasingly normalised, extending beyond nationwide app governance campaigns to targeted actions in sectors such as finance and healthcare, and specific consumer scenarios such as parking and retail payments, demonstrating a more pervasive and nuanced supervisory approach.

The governance of cross-border data flows evolved towards a more calibrated approach. The introduction of the Provisions on Promoting and Regulating Cross-Border Data Flows in March 2024 represented a significant step, creating exemptions from the stringent security assessment, standard contract and certification requirements for specific low-risk scenarios. This move was widely seen as a pragmatic effort to balance security concerns with the operational flexibility required by international business. The accompanying application guides were updated to streamline the process. Internationally, China released the Global Cross-Border Data Flow Cooperation Initiative and signed a memorandum of understanding with Germany, indicating a desire to engage in the global dialogue on data governance while simultaneously refining its domestic rulebook.

Emerging technologies, particularly artificial intelligence, faced increasing regulatory scrutiny. The existing filing systems for algorithms and generative AI services continued to operate, with numerous models completing the process. Regulatory inspections focused on compliance with the Generative Artificial Intelligence Service Management Measures. The judiciary also began to grapple with novel legal challenges posed by AI, issuing significant rulings on copyright infringement for AI-generated content and unauthorised replication of a person’s voice using AI. On the legislative front, a flurry of draft standards and guidelines were released, covering security baselines, training data compliance and content labelling, signalling a concerted effort to build a comprehensive technical governance framework for AI.

Parallel to regulatory efforts, 2024 saw accelerated institutional work to realise the economic value of data as a factor of production, led by the newly established National Data Administration. The launch of the “Data Element X” Three-Year Action Plan (2024–2026) aimed to encourage data application across various industries, while a national data resource survey was initiated to map the landscape. Following the 2023 accounting policy enabling data resource recognition on corporate balance sheets under certain conditions, the Ministry of Finance issued guidelines to strengthen the management of data assets. Policies were also advanced to establish mechanisms for the authorised operation and pricing of public data, with several local governments piloting implementation rules.

The developments of 2024 set the stage for several key trends. The momentum in drafting AI-specific regulations and standards is expected to continue, potentially culminating in more formal legislative proposals to create a comprehensive governance framework. Mechanisms for personal information protection compliance audits and important data risk assessment reporting, as outlined in recent regulations, are anticipated to move from pilot phases to broader implementation, providing regulators with new enforcement tools. Furthermore, cybersecurity and data compliance enforcement is likely to become more routine, sophisticated and integrated, with regulators focusing on the practical implementation of obligations under the new Network Data Security Management Regulations.

In conclusion, the year 2024 underscored a decisive shift in China’s digital governance from framework-building to detailed implementation and entrenched enforcement. The regulatory landscape became increasingly detailed, with rules tailored to specific sectors and technologies. The consistent enforcement activity across the country signals the seriousness with which these obligations are now viewed. For observers and participants in China’s digital economy, the emphasis in the coming year will be on how organisations adapt to this continually evolving environment, moving beyond initial compliance to building dynamic, integrated and process-driven management systems capable of navigating the complexities of China’s mature digital governance regime.

King & Wood Mallesons

18th Floor
East Tower
World Financial Center 1
Dongsanhuan Zhonglu
Chaoyang District
Beijing 100020 PRC

+86 10 5878 5588

kwm@cn.kwm.com
www.kwm.com