Educational Information Only
This page provides general educational information about cybersecurity laws and regulations. It does not constitute legal advice, legal interpretation, or a substitute for professional legal counsel. Laws change frequently. Always consult a qualified attorney and verify current requirements directly from official government sources before making compliance decisions. DecipherU is not a law firm and does not provide legal services.
Cybersecurity Law of the People's Republic of China
The Cybersecurity Law of the People's Republic of China (CSL) was adopted by the Standing Committee of the National People's Congress on November 7, 2016 and took effect on June 1, 2017. The official Chinese text is published at npc.gov.cn and gov.cn. CSL is the first national-level statute to establish a horizontal cybersecurity regime for China and sits at the top of a three-statute stack alongside the Data Security Law (DSL, effective September 1, 2021) and the Personal Information Protection Law (PIPL, effective November 1, 2021). All three are administered by the Cyberspace Administration of China (CAC) as lead regulator, together with the Ministry of Public Security (MPS), the Ministry of Industry and Information Technology (MIIT), and sector ministries depending on the industry.

The statute creates two main subject categories: network operators (a very broad term covering any entity that owns or manages a network or provides services through a network) and Critical Information Infrastructure Operators (CIIOs). CIIO designation is made by sector protection departments under the 2021 Regulations on the Security Protection of Critical Information Infrastructure (effective September 1, 2021) and covers public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, the defense science and technology industry, and other sectors where damage, loss of function, or data leakage could seriously endanger national security, the national economy, people's livelihoods, or the public interest. CIIO status triggers the strictest obligations: data localization for personal information and important data, national security review of network product and service procurement, at least annual security inspection and assessment, and CAC-led security assessment before cross-border transfers.

The Multi-Level Protection Scheme version 2.0 (MLPS 2.0, often called Classified Protection, administered by MPS) is the technical control framework that CSL Article 21 requires every network operator to follow. MLPS 2.0 classifies systems into five protection levels according to the damage a compromise would cause to citizens' rights, public order and the public interest, and national security, and prescribes specific technical and management controls for each level; CIIO systems are generally Level 3 or higher. The scheme is documented in the national standards GB/T 22239-2019 (baseline requirements), GB/T 25070-2019 (technical design requirements), and GB/T 28448-2019 (evaluation requirements).

Cross-border data transfer rules sit at the intersection of CSL, DSL, and PIPL. The current operational regime is set by the CAC Measures for Security Assessment of Outbound Data Transfers (effective September 1, 2022), the Measures for the Standard Contract for Outbound Cross-Border Transfer of Personal Information (effective June 1, 2023), and the Provisions on Promoting and Regulating Cross-Border Data Flows (issued March 22, 2024), which created carve-outs for low-volume transfers and for free-trade-zone negative lists.

Enforcement is active. CAC fined Didi Global RMB 8.026 billion (approximately USD 1.19 billion) on July 21, 2022 for violations across CSL, DSL, and PIPL, having already ordered the Didi Chuxing app removed from app stores in July 2021 while the cybersecurity review was pending. CAC has issued public determinations against ride-sharing, recruitment, mapping, and AI-service providers. Foreign vendors selling to CIIOs face the CAC Cybersecurity Review under the 2022 Measures on Cybersecurity Reviews (effective February 15, 2022) when a procurement may affect national security; the same Measures require a network platform operator holding personal information of more than one million users to apply for review before listing abroad.

For any multinational that touches China, the operational reality is three parallel programs (CSL technical controls and MLPS 2.0 grading, DSL data classification and important-data identification, PIPL personal information handling and cross-border transfer), administered by CAC as the lead regulator with sector ministries as co-regulators. Foreign companies cannot solve compliance by hosting data outside China, because the statutes attach to the processing activities of network operators inside China, and PIPL Article 3 additionally reaches overseas handlers that process the personal information of natural persons in China in order to provide them products or services or to analyse their behaviour.
Quick Reference
Key Requirements
CSL Article 21 (MLPS 2.0)
Grade each system under MLPS 2.0 using GB/T 22239-2019, file the grading with the local public security bureau (the MPS record filing), implement the technical and management controls prescribed for that level, and run an annual self-assessment plus, at Level 3 and above, an annual evaluation by a qualified MLPS testing organization.
CSL Article 21 (Logging)
Adopt technical measures to monitor and record network operating status and cybersecurity incidents, and retain the related network logs for no less than six months. The statute does not enumerate log contents; in practice the logs should cover authentication events, administrative actions, and security alerts with enough context (timestamp, source, account) to support incident investigation and an MPS inspection.
CSL Article 24 (Real-name identification)
Verify the real identity of users before providing network access, domain name registration, fixed-line or mobile phone network access, information publishing, or instant messaging services. Refuse service when the user does not provide real identity information.
CSL Article 25 (Incident response)
Maintain a written cybersecurity incident emergency response plan, handle vulnerabilities, attacks and intrusions under it, and report incidents to the competent departments as required by regulation (in practice MPS and the relevant sector regulator). Provide technical support and assistance to public security and state security organs on request, as Article 28 requires.
CSL Article 27 (No unauthorized access)
Do not engage in unauthorized intrusion, interference with normal network functions, or theft of network data, and do not provide programs, tools, technical support, advertising, or payment settlement to anyone who does. Prohibit employees from doing the same. Use this rule to ground internal acceptable-use policies and red-team rules of engagement: because the prohibition also covers tools and assistance, authorized testing in China needs written authorization that names the systems in scope before any tooling is deployed.
CSL Articles 31, 35, 38 (CIIO designation, procurement review, annual assessment)
When notified of CIIO designation by the sector protection department, submit network products and services that may affect national security to the CAC Cybersecurity Review before procurement (Article 35), sign security and confidentiality agreements with those providers (Article 36), and at least once a year conduct an inspection and assessment of network security and risks, on your own or through a cybersecurity service organization, and submit the results and improvement measures to the sector protection department (Article 38).
CSL Article 37 (Data localization for CIIOs)
Store personal information and important data collected and generated during operations in China inside China. Pass a CAC security assessment before any necessary outbound transfer.
DSL Articles 21, 27 (Data classification)
Classify data by importance to national security, the public interest, and the legitimate rights of individuals and organizations. Identify important data under the relevant national or sector catalogue. Implement category-specific protection.
PIPL Articles 13 to 14 (Lawful basis)
Process personal information only under a lawful basis listed in Article 13: the individual's consent, performance of a contract or human-resources management, a statutory duty or obligation, response to a public health emergency or protection of life, health or property, news reporting and public-opinion supervision in the public interest, reasonable handling of information the individual has disclosed or that is otherwise lawfully public, or other circumstances provided by law. Under Article 14 consent must be voluntary, explicit, and informed, and a fresh consent is needed when the purpose, method, or categories change; PIPL additionally demands separate consent for specific situations such as sensitive information, provision to third parties, public disclosure, and outbound transfer.
PIPL Articles 28 to 30 (Sensitive personal information)
Process sensitive personal information (biometrics, religious beliefs, specific identity, medical health, financial accounts, whereabouts and tracking, and any personal information of minors under 14) only for a specific purpose, with sufficient necessity, and under strict protective measures (Article 28); obtain the individual's separate consent (Article 29); and inform the individual of the necessity of the processing and its impact on their rights and interests (Article 30).
PIPL Article 38 (Cross-border transfer mechanism)
For outbound transfers of personal information, complete one of three mechanisms: CAC security assessment (mandatory for CIIOs, important data, and high-volume transfers), CAC-issued Standard Contract filing, or CAC-recognized personal information protection certification.
PIPL Article 52 (Personal Information Protection Officer)
Appoint a Personal Information Protection Officer when processing exceeds the volume specified by CAC. Publish the PIPO's contact information and file the appointment with the relevant authority.
PIPL Articles 55 to 56 (Personal Information Protection Impact Assessment)
Conduct a PIPIA before processing sensitive information, using personal information for automated decision-making, entrusting processing to a processor, providing information to another handler, publicly disclosing it, transferring it abroad, or carrying out any other activity with a major impact on individuals (Article 55). The assessment covers the legality, legitimacy and necessity of the purpose and method, the impact on individuals and the security risks, and whether the protective measures are lawful, effective and proportionate; retain the PIPIA report and the processing records for at least three years (Article 56).
PIPL Article 57 (Breach notification)
Take immediate remedial measures and notify the supervisory authority and affected individuals when personal information is, or may be, leaked, tampered with, or lost. The notification must state the categories of information involved, the cause, the possible harm, the remedial measures taken, the steps individuals can take to mitigate harm, and the handler's contact information. Notice to individuals may be omitted only where the handler's measures effectively prevent harm, and even then the authority may order notification; notice to the authority is never excused.
2024 Provisions on Cross-Border Data Flows (Articles 4 to 7)
Apply the 2024 carve-outs. A non-CIIO that has transferred non-sensitive personal information of fewer than 100,000 individuals cumulatively since January 1 of the current year, and no important data, is exempt from all three mechanisms. Between 100,000 and 1,000,000 individuals of non-sensitive information, or fewer than 10,000 individuals of sensitive information, requires a Standard Contract filing or certification. More than 1,000,000 individuals of non-sensitive information, more than 10,000 individuals of sensitive information, any important data, or any transfer by a CIIO requires a CAC security assessment. Free-trade zones may issue negative lists that exempt data not on the list. Count individuals per calendar year rather than per transfer, and track CAC interpretation updates because thresholds change.
How Does China CSL Affect Cybersecurity Careers?
Multinationals operating in China run three parallel compliance programs (CSL plus MLPS 2.0, DSL plus important-data classification, PIPL plus cross-border transfer mechanism). GRC analysts manage CIIO designation, sector regulator filings, annual self-assessment, Standard Contract filings, and CAC security assessment submissions. Security architects own MLPS 2.0 grading and the corresponding technical control build per GB/T 22239-2019. Security engineers stand up the China-hosted infrastructure (in-region cloud regions, in-region SIEM, in-region key management) required for CIIO data localization. Privacy engineers build consent gating that handles separate consent under PIPL, sensitive-information purpose and impact disclosures, and the PIPIA workflow. Compared to GDPR, the China stack is broader in scope (network security, data security, personal information) and tighter on data localization and government access. Compared to CCPA, the China stack is far broader. Compared to NIST CSF 2.0, China's MLPS 2.0 is a parallel and prescriptive controls framework, often mapped against NIST CSF 2.0 so that a global program can use one set of evidence to satisfy both. Career paths affected include /careers/grc-analyst and /careers/privacy-engineer. The GRC and Compliance Fundamentals course covers CSL plus DSL plus PIPL as a single APAC unit.
How Does China CSL Affect Cybersecurity Sales?
Foreign vendors selling to CIIOs face the CAC Cybersecurity Review for any network product or service that may affect national security, and the 2022 Review Measures explicitly extend to data-handling activities by platform operators. Sellers should plan for an in-region delivery option (China-hosted cloud, China-hosted SIEM, China-hosted key management) and a Standard Contract filing playbook for any outbound personal information. The Didi 2022 fine (RMB 8.026 billion) is a hard enforcement story for buyer urgency. Vendors with MLPS 2.0 control mappings and a China-based personal information protection officer or representative (PIPL Articles 52 and 53) close deals faster.
Read the full text of China CSL at the official source: http://www.npc.gov.cn/npc/c30834/201611/270befb390fd4505b3c3e0758f01e28a.shtml
Frequently Asked Questions
What are the penalties for China CSL non-compliance?
Penalties scale by statute and by article. Under CSL, administrative fines for network operators run from RMB 10,000 to RMB 100,000 for general protection failures and up to RMB 1,000,000 for CIIO protection failures and personal-information violations (Articles 59 and 64), with RMB 10,000 to RMB 100,000 for directly responsible persons, plus orders to suspend business or revoke licences. Under DSL, fines run up to RMB 2,000,000 for general violations including large data leaks, and up to RMB 10,000,000, with business suspension or licence revocation, for violations of the core data regime or unauthorized outbound transfers of important data (Articles 45 and 46). Under PIPL, serious violations carry fines up to the greater of RMB 50,000,000 or 5% of prior-year revenue, plus RMB 100,000 to RMB 1,000,000 against responsible individuals and a possible bar on serving as a director, supervisor, senior manager, or personal information protection officer (Article 66). Criminal liability is available under Articles 285 and 286 of the Criminal Law (illegal intrusion into and sabotage of computer information systems) and Article 253-1 (infringement of citizens' personal information). CAC fined Didi Global RMB 8.026 billion in 2022 under the combined regime, and additionally fined its CEO and its president RMB 1,000,000 each.