= Cybersecurity Law of the People's Republic of China =

Infobox
- Long Title: Cybersecurity Law of the People's Republic of China
- Enacted By: Standing Committee of the National People's Congress
- Date Enacted: Nov 7, 2016
- Date Commenced: Jun 1, 2017
- Related Legislation: Data Security Law, National Intelligence Law, National Security Law (China)
- Summary: A law formulated in order to: ensure cybersecurity; safeguard cyberspace sovereignty and national security, social and public interests, and the lawful rights and interests of citizens, legal persons, and other organizations; and promote the healthy development of the informatization of the economy and society.
- Keywords: Cybersecurity, National Security, Cyber sovereignty
- Status: In force
- Citation: Cybersecurity Law (English)
- Territorial Extent: Mainland China
- Legislature: National People's Congress
- Amends: 2025

The Cybersecurity Law of the People's Republic of China, commonly referred to as the Chinese Cybersecurity Law, was enacted by the National People's Congress with the aim of increasing data protection, data localization, and cybersecurity ostensibly in the interest of national security. The law is part of a wider series of laws passed by the Chinese government in an effort to strengthen national security legislation. Examples since 2014 include the Data Security Law, the National Intelligence Law, the National Security Law, and laws on counter-terrorism and foreign NGO management, all passed within short timeframes of each other.

== History ==
Chinese policymakers became increasingly concerned about the risk of cyberattacks following the 2010s global surveillance disclosures by Edward Snowden, which demonstrated extensive United States intelligence activities in China. The Cybersecurity Law was part of China's response to policymakers' heightened concerns about foreign surveillance and data collection after these disclosures.

This law was enacted by the Standing Committee of the National People's Congress on November 7, 2016, and was implemented on June 1, 2017. It requires network operators to store select data within China and allows Chinese authorities to conduct spot-checks on a company's network operations.

The Cybersecurity Law is recognized as a basic law. This puts the law at the top of the pyramid of cybersecurity legislation. The law is an evolution of the previously existing cybersecurity rules and regulations across various levels and fields, assimilating them to create a structured law at the macro-level. The law also offers principal norms on certain issues that are not immediately urgent but of long-term importance. These norms will serve as a legal reference when new issues arise.

On October 28, 2025, the 14th National People's Congress Standing Committee approved an amendment to the Cybersecurity Law, which took effect on January 1, 2026. The amendment mentioned AI-related governance and development.

== Provisions ==
The law is a significant pillar of the Chinese data regulatory framework. It:
- Created the principle of cyberspace sovereignty
- Defined the security obligations of internet products and services providers
- Detailed the security obligations of internet service providers
- Further refined rules surrounding personal information protection
- Established a security system for key information infrastructure
- Instituted rules for the transnational transmission of data from critical information infrastructures

The cybersecurity law is applicable to government agencies, network operators and businesses in critical sectors. As critical sectors, China roughly counts domestic networking businesses that are involved in telecommunications, information services, energy, transport, water, financial services, public services, and electronic government services. Some of the most controversial sections of the law include articles 28, 35, and 37.

Article 24 provides that "network operators shall require users to provide real identity information when signing agreements with users or confirming the provision of services for network access, domain name registration services, and network entry procedures for fixed and mobile telephones, or providing information dissemination and instant messaging services for users. If users do not provide real identity information, the network operator shall not provide relevant services for them." This is the first time in China that the real-name system was codified in the form of a law.

Article 28 compels vaguely defined "network operators" (interpreted to include social media platforms, application creators and other technology companies) to cooperate with public security organs such as the Ministry of Public Security and hand over information when requested.

Article 35 is targeted at purchases of foreign software or hardware by government agencies or other "critical information infrastructure operators", requiring any hardware or software purchased to undergo review by agencies such as the Cyberspace Administration of China or State Cryptography Administration, involving the provision of source code and other sensitive proprietary information to government agencies. Above all, the article creates further regulatory burden for foreign technology companies operating in China, indirectly creating a more favourable playing field for domestic competitors which would naturally be more prepared to comply with the regulations.

The law establishes stringent data localization requirements.

The law is applicable to all businesses in China that manage their own servers or other data networks. Network operators are expected, among other things, to clarify cybersecurity responsibilities within their organizations, implement technical measures to safeguard network operations, prevent data leaks and theft, and report any cybersecurity incidents to both network users and the relevant implementing department for that sector.

The law is composed of supporting subdivisions of regulations that specify its purpose, for instance the Core Infrastructure Initiative (CII) Security Protection Regulations and the Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data. However, the law is yet to be finalized as China's government authorities are occupied with defining additional contingent laws to better align with the cybersecurity law. By incorporating preexisting laws on VPNs and data security into the cybersecurity law, the Chinese government reinforces its control and underscores the need for foreign companies to comply with domestic regulations.

The cybersecurity law also provides regulations and definitions on legal liability. For different types of illegal conduct, the law sets a variety of punishments, such as fines, suspension for rectification, revocation of permits and business licenses, and others. The law accordingly grants cybersecurity and administrative authorities rights and guidelines to carry out law enforcement on illegal acts.

== Related regulations ==
In July 2021, the Cyberspace Administration of China issued "Regulations on the Management of Security Vulnerabilities in Network Products" requiring that all vulnerabilities be reported to the Ministry of Industry and Information Technology (MIIT) and prohibiting the public disclosure of vulnerabilities, including to overseas organizations.

== Reactions ==

Along with the Great Firewall, restrictions stipulated in the law have raised concerns, especially from foreign technology companies operating in China. Regarding the requirements for spot-checks and certifications, international law firms have warned that companies could be asked to provide source code, encryption, or other crucial information for review by the authorities, increasing the risk of intellectual property theft, information being lost, passed on to local competitors, or being used by the authorities themselves. The Federal Bureau of Investigation warned that the law could force companies transmitting data through servers in China to submit to data surveillance and espionage.

Some analysts from Western backgrounds consider this law comparable to the European Union's General Data Protection Regulation (GDPR). They have suggested that the law could improve the Chinese government's ability to monitor the public, as well as give Chinese companies an advantage over foreign companies.

The law sparked concerns both domestically and internationally due to its phrasing and specific requirements. Foreign companies and businesses in China expressed concerns that this law might impede future investments in China, since the law requires them to "store their data on Chinese-law regulated local servers, and cooperate with Chinese national security agencies".

Since its inception, many foreign technology companies have already complied with the law. Apple, for example, announced in 2017 that it would invest $1 billion in partnership with local cloud computing company Guizhou Cloud Big Data or GCBD to construct a new data center located in China's Guizhou province for the purposes of compliance. Simultaneously, the company also announced that it would transfer the operation and storage of iCloud data to mainland China. Microsoft also announced an expansion of its Azure services in partnership with cloud computing company 21Vianet through investment in more servers. Meanwhile, online services, such as Skype and WhatsApp, refused to store their data locally and were either delisted from domestic app stores or restricted from further expansion.

The law requires foreign technology and other companies operating within China to either invest in new server infrastructure in order to comply with the law or partner with service providers such as Huawei, Tencent, or Alibaba, which already have server infrastructure on the ground, saving capital expenditure costs for companies. The law is widely seen to be in line with the 12th Five-Year Plan (2011–2015), which aims to create domestic champions in industries such as cloud computing and big data processing. The law is seen as a boon to domestic companies and has been criticized for creating an unfair playing ground against international technology companies such as Microsoft and Google.

Supporters of the law have stated that the intention of the law is not to prohibit foreign businesses from operating in China, or boost domestic Chinese competitiveness. A 2015 study by Matthias Bauer and Hosuk Lee-Makiyama states that data localization causes minor damage to economic growth due to inefficiencies that arise from data transfer processes and the duplication of data between several jurisdictions. The requirement for data localization is also seen as a move by Beijing to bring data under Chinese jurisdiction and make it easier to prosecute entities seen as violating China's internet laws.

The president of AmCham South China, Harley Seyedin, claimed that foreign firms are facing "mass concerns" because the law has greatly increased operating costs and has had a big impact on how business is done in China. More specifically, he stated that the cybersecurity law continues to create "uncertainties within the investment community, and it's resulting in, at the minimum, postponement of some R&D investment."

The law was widely criticized for limiting freedom of speech. For example, the law explicitly requires most online services operating in China to collect and verify the identity of their users, and, when required to, surrender such information to law enforcement without a warrant. Activists have argued this policy dissuades people from freely expressing their thoughts online, further stifling dissent by making it easier to target and surveil dissidents.

== See also ==

- Data Security Law of the People's Republic of China
- Internet in China
- Personal Information Protection Law of the People's Republic of China
- Cyberwarfare and China
