Executive summary
China’s amended Cybersecurity Law went into effect on Jan 1, 2026, increasing the penalties for individuals and companies. The Cybersecurity Law and related laws including the Data Security Law and the Personal Information Protection Law have been strictly enforced. Recent hefty penalties imposed on various companies and their management have demonstrated the robust enforcement approach taken by the regulators. Businesses should be aware of their compliance obligations in order to avoid enforcement actions.
Obligations for companies
The Cybersecurity Law imposes data security requirements on "network operators". However, the term "network operators" is very broadly defined to include owners, managers, and "service providers" of networks, i.e. "systems comprised of computers and other information terminals and related equipment" that gather, store, transmit, exchange, and process information. This definition not only covers telecommunication, wireless communication, and internet service providers but could ostensibly cover every organisation or business that owns or operates an IT network in China.
Technical and Organizational Measures (TOMs)
Companies are required to implement internal security management systems and operating rules, including adopting technical measures to prevent viruses and other intrusions; storing network logs for at least six months; adopting measures such as data classification systems; implementing security measures such as backup systems and encryption; and implementing incident response plans. These data security procedures must be implemented according to China's cybersecurity standard called Multi-Level Protection Scheme ("MLPS").
Under MLPS, companies must conduct assessments of their information systems and the risks associated with them. MLPS has five network security levels based on the damage that would be caused in the event of network disruptions or cybersecurity incidents. Each information system is assigned a "level" based on the importance of the system and data and the potential impact of the exposure. Information systems categorised as level 2 or higher must be independently evaluated by a professional, licensed Chinese information security assessment organisation, and their information systems must be recorded with the Chinese Public Security Bureau. (China has updated its MLPS cybersecurity standards, so the MLPS standards that companies need to work with are actually the updated MLPS system, or MLPS 2.0.)
Data Breach
The China National Cybersecurity Incident Reporting Measures require that a business must report an incident to the local provincial Cyberspace Administration of China (CAC) within four hours if any of the following situations occur:
- A data breach involving one million or more individuals;
- The business’s website having been attacked, resulting in the widespread dissemination of illegal and harmful information; or
- The incident having caused direct economic losses of 5 million yuan (about EUR 600,000) or more.
If a crime is suspected, a report must also be made to the public security bureau.
Businesses are required to use contracts or other means to obligate their data processors and other parties providing network security or system operation and maintenance services to promptly report any data breaches they discover and to assist in the reporting process.
When reporting an incident, the following information should be included:
- The name of the involved business and basic information about the affected system or facility;
- The time, location, type, and level of the incident, its impact and harm, and the measures taken and their effectiveness; for ransomware attacks, the amount, method, and date of the ransom demand must also be included;
- The incident's development trend and its potential further impact and harm;
- A preliminary analysis of the cause of the cybersecurity incident;
- Leads for tracing the source of the incident, including but not limited to information about possible attackers, attack paths, and existing vulnerabilities;
- Proposed further response measures and requests for support;
- Technical and organizational measures (TOMs) of the incident site.
If not all information is available within the specified timeframe, the first and second items must be reported first, with other information to follow as soon as it becomes available.
After resolving an incident, the business must, within 30 days, conduct a comprehensive analysis and summary of the incident's causes, emergency response measures, harm caused, accountability, rectification efforts, and lessons learned. A summary report must then be submitted to the regulator.
Data localisation
Outbound transfer of data from China is a key concern for multinational companies in all industries. The transfer of certain data outside of China requires prior Chinese government approval (which is called a "security assessment" under Chinese law). The consent of the data subject or data exporting organization is not sufficient. For example, security assessment is required under the following circumstances:
(1) the transfer of personal data outside of China by any CII operator;
(2) the transfer of "important data" outside of China by any data controller (including one that is not a CII operator). "Important data" is broadly defined as data that may endanger national security, economic operation, social stability, public health, and safety once they are tampered with, destroyed, leaked, or illegally obtained or used. However, if the data have not been notified or publicly released as important data by the Chinese government, government approval for outbound transfer is not required.
If government approval for outbound transfer is not required, businesses may utilise one of the following permissible mechanisms to transfer personal information outside of China:
· Certification by a certification organisation appointed by the Chinese regulator; or
· Entering into a standard contract ("Chinese SCCs") issued by the Chinese regulator with the overseas recipient.
In addition, prior to outbound transfer of personal data from China, companies need to: ensure that the outbound transfer is necessary; conduct an impact assessment (records of which must be retained for at least three years); provide proper notice to the individual (including name and contact information of the overseas recipient, purpose and method of processing, type of personal information and process for how the individual may exercise his/her rights); and obtain proper, not bundled, consent (which is called "Separate Consent" under Chinese law) from the individual.
In addition, the transfer of personal or other data from China to a foreign law enforcement or judicial body requires prior government approval.
Handling of personal information
The Cybersecurity Law, the Data Security Law and the Personal Information Protection Law impose a host of data protection requirements on companies, including abiding by the principles of legality, propriety, and necessity in data handling and also making publicly available privacy notices that explicitly state the purpose, means, and scope for collecting and using information. Companies have been penalised for not complying with these requirements. Individuals, furthermore, are afforded the right to access, modify, and delete their personal information.
Companies are prohibited from transferring personal information without the consent of the individual unless such information has been processed so that the specific individual is unidentifiable and cannot be recovered. Businesses have voiced concerns that such a legal requirement can be an insurmountable obstacle to the transferring of personal information as it is, in practice, difficult to obtain consent from all relevant individuals.
Identity verification of internet users and instant messaging service users
The Cybersecurity Law has imposed on service providers the responsibility of verifying users' real identification prior to providing services.
Additional obligations for critical information infrastructure operators
The Cybersecurity Law imposes additional data security requirements on "critical information infrastructure operators" ("CII operators"). Critical Information Infrastructure ("CII") is defined as important network facilities and information systems in the industries of public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defence, science and technology, as well as those that may seriously endanger national security, the national economy and the livelihood of the general public, and public interests in case of damage, loss of function or data leakage. Industry regulators are responsible for giving guidance and issuing detailed catalogues of CIIs within their own industries.
CII operators must:
· Undertake additional security measures, including conducting security background checks on responsible personnel in critical positions, carrying out network security education and technical training, and implementing disaster recovery backups;
· Undergo a national security review by the Chinese authorities when purchasing network products or services that might impact national security; and
· Conduct inspections of their network security on at least an annual basis.
Investigations and penalties
Companies can expect the increased regulatory oversight to continue and intensify as the laws provide regulatory authorities with more explicit and wider monitoring, investigative, and enforcement powers. Companies are required to cooperate with the authorities. Failure to cooperate with the authorities would attract penalties against the companies as well as the responsible individuals.
Non-compliance triggers a wide range of potential penalties for companies, including warnings, suspension of operations, imprisonment, and fines. The fines against companies can be as high as RMB 10 million (approx. US$1.4 million). In addition, individuals may also be blacklisted from holding important positions for a certain period of time. The Cybersecurity Law also imposes penalties (such as the freezing of assets) against foreign organisations or individuals who attack or otherwise endanger China's CII.
Potential implications
China’s enforcement of data privacy and security laws remains very robust. For example, the ride-hailing platform Didi was fined $1.2 billion, and two of its senior executives were also penalized. Chinese police announced the arrest of 17,000 people for data violations in 2021 alone. French multinational luxury goods company Dior was recently penalized by the Chinese regulator for failing to proceed with the outbound data transfer process. The French hotel group and other organizations have also lost related court cases, and the highest court in China (the Chinese Supreme People's Court) also just published its first two landmark data privacy cases.
Multinational companies across all industries and sectors therefore need to closely review their data security systems and privacy policies for compliance. Special care must be taken to meet the data localisation requirements, including mapping data for outbound transfer from China, assessing whether Chinese government approval is needed, conducting cross-border data transfer assessments and utilising the permissible mechanisms for outbound data transfer.