Abstract
The Cybersecurity Law requires critical information infrastructure operators to store personal information and important data within China. Cross-border transfers require security assessments. Network operators must assist public security with technical support and decryption capabilities.
Summary
China’s Cybersecurity Law of 2017 establishes foundational requirements for network security. Critical Information Infrastructure Operators (CIIOs) in sectors like telecoms, energy, transport, and finance must localize personal information and ‘important data’ collected in China. Cross-border transfers require government security assessments. Network products and services used by CIIOs must undergo security reviews. The law requires network operators to maintain logs for at least six months and provide technical support to public security organs for investigations. Real-name registration is required for online accounts. The law’s broad definitions and vague language create compliance uncertainty. Combined with the National Intelligence Law, it means Chinese network operators must both assist intelligence work and implement technical capabilities for lawful access.