somartin - Fotolia

A guide for businesses to China’s first cyber security law

Companies that break China’s new cyber security law may be fined or even have their licence to trade in the country removed

China’s first Cyber security law came into force this year. It is designed to improve IT security and protect citizens’ personal data – but it may prove an expensive headache for businesses operating in China.

The law passed by China’s government is broad. It stipulates general requirements for data protection and cyber security and will affect not just Chinese organisations, but also foreign businesses that supply services through networks to Chinese customers, device manufacturers and foreign businesses selling online services in China.

Companies that break the new law may be fined or even have their licence to trade in China removed. Businesses are nervous about the new law, parts of which are worded ambiguously or have yet to be finalised.

The cost of compliance for multinationals will probably range from millions to tens of millions of pounds, depending on their size, business models and the type and amount of data collected and stored.

The new law has three main parts: data protection, data localisation and requirements for cyber security (covering network operation, online service provision and device manufacture).

Consistent with GDPR

The legislation consolidates China’s data protection rules and adds new ones. The fundamental principles of the new rules are consistent with the General Data Protection Regulation (GDPR), which will apply in the European Union from May 2018. For example, both laws require businesses to inform people if they hold personal data on them, explain why the data is held, how it is collected, processed and used, and obtain consent.

Businesses are also required to take all necessary measures to make data secure and confidential.

China’s new law requires businesses operating critical information infrastructure (CII) − including public communication and information services, finance, healthcare and public services – to keep all personal data and important data collected in China within the country.

If a CII operator wants to transfer data overseas, it must pass a security assessment by China’s government.

China’s government plans to extend these data localisation regulations to cover other general network operators and online service providers. Although not yet announced, it is likely businesses will be given a grace period until the end of 2018 to comply with data localisation requirements.

Cyber security requirements

The third part of the new cyber security law is cyber security requirements for network operators, online service providers and network device manufacturers.

The rules include having internal security management systems, “operating rules” for IT security; taking technical measures to prevent computer viruses and network attacks and keeping a record of network security incidents. There are also mandatory standards, examinations and certifications for network devices.

Like other IT security/data protection rules, complying with China’s cyber security law is about more than IT. It is about a company’s organisational structures, its business, administration, its culture and adapting to the regulatory and political culture of another country.

A compliance project for China’s new law will therefore probably include IT directors, directors for compliance, risk and PR, as well as legal teams.

Compliance checklist

Most of the actions companies need to take to comply with China’s cyber security law will be familiar to CIOs: audit your company’s cyber security, highlight weaknesses and fix them.

Also, update your privacy policies. And don’t forget devices and equipment on the internet of things (IoT). In the last year, there have been warnings that medical devices connected to the web – including some pacemakers and insulin pumps – had lax security and could be targeted by hackers.

Organisations should create or update an incident response plan in the event of a cyber security breach in China. They should also monitor rules about the international transfer of data, which are still being amended.

Overlapping projects to prepare for Europe’s GDPR and China’s new cyber security law may save companies time and money. Complying with China’s law may be trickier than for other IT regulations − and more expensive. But the cost of being kicked out of the Chinese market could be far higher.


Nick Beckett is managing partner, Beijing office, for international law firm CMS.

Read more on Regulatory compliance and standard requirements