Cybersecurity Laws and Regulations Report 2026 China - ICLG
China - Cybersecurity Laws and Regulations 2026

Cybersecurity Laws and Regulations 2026 covers common issues in cybersecurity laws and regulations, including cybercrime, applicable laws, preventing attacks, specific sectors, corporate governance, litigation, insurance, and investigatory and police powers, in 22 jurisdictions.

Published on: 21/11/2025

Areas of law covered include:
1 Cybercrime
2 Cybersecurity Laws
3 Preventing Attacks
4 Specific Sectors
5 Corporate Governance
6 Litigation
7 Insurance
8 Investigatory and Police Powers
9 International Compliance
10 Future Developments

1. Cybercrime

1.1 Would any of the following activities constitute a criminal or administrative offence in your jurisdiction? If so, please provide details of the offence, the maximum penalties available, and any examples of prosecutions in your jurisdiction:

Hacking (i.e. unauthorised access)

Under the Criminal Law of the People's Republic of China (the "Criminal Law"), cybercrimes are mainly provided for in the section "Crimes of Disturbing Public Order". Articles 285, 286 and 287 are the three Articles that directly relate to cybercrime. In addition, Article 253(1) indirectly relates to cybersecurity and applies to internet-related infringement of citizens' personal information. Hacking may constitute the "crime of invading a computer information system", the "crime of illegally obtaining data from a computer information system" and the "crime of providing programs or tools for invading or unlawfully controlling computer information systems" under Article 285 of the Criminal Law.
It is worth noting that Articles 286 and 287 establish the principle that if a person commits a traditional crime, such as financial fraud, theft, embezzlement, misappropriation of public funds or theft of state secrets, by computer-related means (e.g., hacking or phishing), the person shall be convicted and punished under the provision carrying the heavier penalty. The punishments for violating Articles 285, 286 and 287 include imprisonment, detention and fines.

Pursuant to Article 285, invading a computer information system in the areas of State affairs, national defence or advanced science and technology constitutes the "crime of invading a computer information system". The offender shall be sentenced to fixed-term imprisonment of not more than three years or detention.

Invading a computer information system outside the above-mentioned areas, employing any other technical means to obtain data stored in, processed in or transmitted via such a system, or exercising unlawful control over such a system may, in serious circumstances, constitute the "crime of obtaining data from a computer information system and controlling a computer information system". The offender shall be sentenced to fixed-term imprisonment of not more than three years or detention, or to imprisonment of three to seven years in especially serious cases. If an entity commits these crimes, the entity shall be fined, and the persons directly in charge and the other persons directly liable for the offence shall be punished accordingly.
For example, in the criminal case of Zhang, Huang and others concerning the illegal obtainment of data from, and illegal control of, a computer information system, the defendant Zhang used hacking techniques to illegally obtain foreign citizens' credit card information from foreign shopping websites, including country, name, region, email address, phone number, credit card number, security code and expiry date. Zhang then passed the data to Huang to sell online. According to the final decision of the Jinhua Intermediate People's Court in Zhejiang Province in September 2020, Zhang was sentenced to five years' imprisonment and fined RMB 140,000 for illegally obtaining computer information system data. Huang was sentenced to four years and 11 months' imprisonment and fined RMB 135,000 for the same offence.

It is noteworthy that the use of web crawlers may be regarded as invading conduct in violation of Article 285 if technical methods are used to defeat anti-crawling measures set by a website or to bypass identity checks implemented on a server. This is supported by various criminal cases in China. According to the ruling of the Yancheng Intermediate People's Court of Jiangsu Province in the Cheng Mao case, the defendant Cheng Mao hired programmers to register batches of accounts on an online shopping website, using proxy pools or broadband dialling and constantly changing IP addresses to evade the website's anti-crawling strategies and bypass the verification mechanism in the account registration process. The defendant then sold the accounts, obtaining illegal gains of RMB 3,277,735. The court found Cheng Mao guilty of illegally obtaining data from a computer information system and imposed a sentence of four years' imprisonment and a fine of RMB 500,000.
Pursuant to Article 29(1) of the Public Security Administration Punishments Law of the People's Republic of China (the "Public Security Administration Punishments Law"), a person who, in violation of national regulations, invades a computer information system and causes harm to that system will be detained for not more than five days, or for more than five days but less than 10 days if the circumstances are serious.

Article 27 of the Cybersecurity Law of the People's Republic of China (the "Cybersecurity Law") prohibits any person from engaging in activities that endanger network security, such as illegally intruding into another person's network, interfering with the normal functioning of another person's network, or stealing network data. Under Article 63, a violation that does not amount to a crime is subject to administrative penalties, including confiscation of illegal income, detention of not more than five days, and a fine of between RMB 50,000 and RMB 500,000. If the circumstances are relatively serious, the violator shall be detained for not less than five days but not more than 15 days and may be fined between RMB 100,000 and RMB 1 million. Where an entity engages in any of the above conduct, the public security authority shall confiscate its illegal income, impose a fine of between RMB 100,000 and RMB 1 million, and punish its directly responsible person in charge and other directly liable persons in accordance with the preceding provisions. Article 63 further provides that persons who receive public security administrative sanctions may not hold cybersecurity management or key network operations positions for five years, and persons who receive criminal punishment are banned from such positions for life.
Denial-of-service attacks

Pursuant to Article 286 of the Criminal Law, a denial-of-service attack may constitute the "crime of sabotaging a computer information system", and the offender may be sentenced to fixed-term imprisonment of not less than five years in particularly serious cases.

Denial-of-service attacks may also attract administrative penalties. Pursuant to Article 29(2) of the Public Security Administration Punishments Law, a person who, in violation of national regulations, deletes, alters, adds to or interferes with the functions of a computer information system so that it cannot operate normally will be detained for less than five days, or for more than five days but less than 10 days in serious cases. Under the Cybersecurity Law, a denial-of-service attack is also regarded as endangering network security and is subject to penalties under Article 63.

Phishing

Phishing is usually carried out to steal or otherwise acquire citizens' personal information, which constitutes the "crime of infringing a citizen's personal information" under Article 253(1) of the Criminal Law; up to seven years' imprisonment may be imposed in serious cases. In addition, those who defraud others by way of phishing may also commit the crime of "fraud". If the amount involved is relatively large, the offender will be sentenced to fixed-term imprisonment of not more than three years, limited incarceration or surveillance, and will also be fined. Those who defraud an especially large amount of money or property, or who are involved in especially serious cases, will be sentenced to fixed-term imprisonment of not less than 10 years or life imprisonment, together with a fine or confiscation of property.
In the case of Liang and Wang, the defendants sent mass SMS messages, purchased Trojan programs and used phishing websites offering fabricated HPV vaccination appointments to commit telecom network fraud against unspecified individuals, ultimately causing substantial financial losses to 55 victims. In March 2024, the Yangzhou Intermediate People's Court found the principal offender Liang guilty of fraud and infringement of citizens' personal information, sentenced him to 12 years' imprisonment and imposed a fine of RMB 150,000.

Furthermore, as most phishing involves spreading a computer virus, the administrative penalty is detention of less than five days or, in serious cases, more than five days but less than 10 days, pursuant to Article 29 of the Public Security Administration Punishments Law. Article 63 of the Cybersecurity Law may also apply.

Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses)

Intentionally creating or disseminating a computer virus or other destructive program, including but not limited to ransomware, spyware, worms, trojans and viruses, that affects the normal operation of a computer information system constitutes the "crime of sabotaging a computer information system" under Article 286 of the Criminal Law if serious consequences result. The offender may be sentenced to fixed-term imprisonment of not less than five years in extremely serious cases. In addition, anyone who installs such destructive programs in order to control others' computers may commit the crime of illegally controlling a computer information system under Paragraph 2 of Article 285 of the Criminal Law.
If the circumstances are serious, the offender will be sentenced to imprisonment of not more than three years or limited incarceration, and/or a fine; if the circumstances are extremely serious, the offender shall be sentenced to imprisonment of not less than three years but not more than seven years, and fined. For instance, in the case of Chen and Huang, the defendants disseminated a large number of files containing remote-control Trojans, illegally controlling merchants' computers and profiting from them. The Zaoyang People's Court convicted the principal defendant Chen of illegally controlling computer information systems, sentencing him to one year and four months' imprisonment (suspended for one year and six months) and imposing a fine of RMB 5,000.

In addition, intentionally creating or transmitting destructive programs that adversely affect the normal operation of a computer information system is unlawful under Article 29 of the Public Security Administration Punishments Law. The violator may be detained for less than five days or, in serious cases, for more than five days but less than 10 days. Article 63 of the Cybersecurity Law may also apply.

Moreover, Article 48 of the Cybersecurity Law provides that electronic information sent, or application software provided, by any individual or organisation shall not contain malicious programs. Under Article 60 of the Cybersecurity Law, a violator will be ordered by the competent authorities to take corrective action and given a warning. If the violator refuses to take corrective action, or consequences such as endangering cybersecurity result, the violator shall be fined between RMB 50,000 and RMB 500,000, and the directly responsible person in charge shall be fined between RMB 10,000 and RMB 100,000.
Distribution, sale or offering for sale of hardware, software or other tools used to commit cybercrime

A person who provides hardware, software or other tools specially designed for invading or illegally controlling computer information systems, or who knows that another person is invading or illegally controlling a computer information system and nevertheless provides programs or tools to that person, commits the crime of "providing programs or tools for invading or illegally controlling computer information systems" under Article 285 of the Criminal Law. In the criminal case of Weng and Zhen, the defendant Zhen obtained and modified the "Black Pupil" software, which is capable of cracking network camera account passwords, and then sold it to Weng and others, and maintained it for them, at a monthly price of RMB 100. In November 2022, after purchasing the software, Weng used it to illegally control others' network surveillance cameras for personal viewing. In January 2025, the Cangshan District People's Court of Fuzhou City sentenced Weng to two years' imprisonment (with three years' probation) plus a fine of RMB 5,000 for illegally controlling computer information systems, and sentenced Zhen to one year's imprisonment (with two years' probation) plus a fine of RMB 3,000 for providing programs or tools for the intrusion into or illegal control of computer information systems.

In addition, a person who intentionally creates or transmits destructive programs such as computer viruses that adversely affect the normal operation of a computer information system, where the conduct is not serious enough to constitute a crime, will be penalised under Article 29 of the Public Security Administration Punishments Law.
Furthermore, Articles 27 and 63 of the Cybersecurity Law also prohibit providing programs or tools specifically used for activities that endanger cybersecurity, or providing technical support, advertising, payment and settlement services or any other assistance to any person conducting such activities.

Possession or use of hardware, software or other tools used to commit cybercrime

A person who possesses or uses hardware, software or other tools to commit a cybercrime prescribed under the Criminal Law may, depending on the crime committed, be convicted under the corresponding Article of the Criminal Law, such as the "crime of invading a computer information system". There is also a separate offence, "illegal use of information networks", which covers using an information network to establish websites or communication groups for criminal activities such as fraud, teaching criminal methods, or producing or selling prohibited items and controlled substances. If the conduct also constitutes another offence, the offender shall be convicted of the crime carrying the heavier penalty.

Identity theft or identity fraud (e.g. in connection with access devices)

Under the Criminal Law, obtaining identities by stealing or otherwise illegally acquiring citizens' personal information may constitute the "crime of infringing a citizen's personal information" under Article 253(1) and the "crime of identity theft" under Article 280(1). In the case of the defendant Wu and others, the defendants unlawfully obtained victims' ID numbers, mobile phone numbers, bank details and verification codes through phishing websites, and then stole over RMB 40,000 from the victims' bank accounts.
On 29 July 2022, the Gangcheng District People's Court of Jinan City, Shandong Province convicted the principal defendant Wu of theft and infringement of citizens' personal information, imposing a combined punishment for multiple offences. Wu was sentenced to four years and four months' imprisonment and fined RMB 60,000.

The Cybersecurity Law protects network information security, including the security of personal information. Stealing or illegally acquiring citizens' personal information may also attract administrative penalties where the violation is not serious enough to constitute a crime.

Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement)

If a current or former employee breaches confidentiality obligations and thereby infringes personal information, trade secrets or state secrets, the offender will be convicted pursuant to Article 287 and punished under the relevant provisions of the Criminal Law, such as the "crime of infringing trade secrets". In the case of Company Bo and others, the defendant company and its legal representative, He, abused their position as developers of a hospital's registration system to illegally collect patients' personal data (including names, phone numbers and ID numbers), storing it in a company database with the intention of selling it on the dark web. In April 2024, the Wuxi Intermediate People's Court of Jiangsu Province found the defendant company guilty of infringing citizens' personal information and imposed a fine of RMB 300,000; the defendant He was convicted of the same crime and sentenced to five years and six months' imprisonment plus a fine of RMB 100,000.
Furthermore, infringement of trade secrets under the Anti-unfair Competition Law of the People's Republic of China (the "Anti-unfair Competition Law") is subject to administrative penalties, including an order to cease the infringing conduct, confiscation of illegal income, a fine of between RMB 100,000 and RMB 1 million, or a fine of between RMB 1 million and RMB 5 million if the circumstances are serious.

Unsolicited penetration testing (i.e. the exploitation of an IT system without the permission of its owner to determine its vulnerabilities and weak points)

Unsolicited penetration testing, conducted without prior permission or consent, may be treated as an illegal invasion of another person's computer information system.

Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data

If a person, in violation of laws and regulations, deletes, amends, adds to or disturbs the functions of a computer information system so that it cannot operate normally, or deletes, amends or adds to the data or application programs stored in, processed by or transmitted through a computer information system, and serious consequences result, such conduct constitutes the "crime of sabotaging a computer information system" under Article 286 of the Criminal Law. The offender shall be sentenced to fixed-term imprisonment of more than five years if extremely serious consequences result.
If a person, in violation of national regulations, deletes, alters or adds to data or application programs stored in, processed by or transmitted through a computer information system, the person shall be detained for less than five days, or for more than five days but less than 10 days in serious cases, pursuant to Article 29 of the Public Security Administration Punishments Law. Any other conduct that endangers network security is regulated under Articles 27 and 63 of the Cybersecurity Law.

1.2 Do any of the above-mentioned offences have extraterritorial application?

All of the above-mentioned crimes have extraterritorial application. First, if either the criminal act or its consequences take place within the territory of China, the crime is deemed to have been committed within the territory of China. Second, the Criminal Law applies to Chinese citizens who commit crimes prescribed in the Criminal Law outside the territory of China; however, if the maximum penalty prescribed for the crime is fixed-term imprisonment of not more than three years, the offender may be exempted from punishment. Third, a foreigner who commits a crime outside the territory of China against the State or against Chinese citizens may be convicted under the Criminal Law if the Criminal Law prescribes a minimum punishment of fixed-term imprisonment of not less than three years; the Criminal Law does not apply, however, if the act is not punishable under the law of the place where it was committed.

The Public Security Administration Punishments Law applies within the territory of China, and to acts against the administration of public security committed aboard Chinese ships or aircraft, except where other laws provide otherwise.
The Cybersecurity Law generally applies to the construction, operation, maintenance and use of networks within the territory of China. Where any overseas institution, organisation or individual attacks, intrudes into, disturbs, destroys or otherwise damages the critical information infrastructure ("CII") of China and causes serious consequences, the violator is subject to legal liability, and the public security department of the State Council and relevant authorities may decide to freeze the property of, or take other necessary sanctions against, that institution, organisation or individual.

The Anti-unfair Competition Law does not explicitly provide for extraterritorial application. In principle, any conduct that disrupts market competition or harms the legitimate rights and interests of business operators or consumers is regulated under this law.

2. Cybersecurity Laws

2.1 Applicable Laws: Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation and management of Incidents. This may include, for example, data protection and e-privacy laws, trade secret protection laws, data breach notification laws, confidentiality laws, and information security laws, among others.

The Cybersecurity Law, which came into force on 1 June 2017, covers the various aspects of network security and laid the foundation for a comprehensive cybersecurity regulatory regime in China. A series of specific measures implementing the Cybersecurity Law has since been enacted, such as the Measures for Cybersecurity Review (the "Review Measures"), the Regulations on the Security Protection of Critical Information Infrastructure (the "CII Regulations"), and the Administrative Measures for Cybersecurity Incident Reporting (Exposure Draft).
The Cybersecurity Law recognises graded cybersecurity protection as the basic legal system for ensuring network security in China. While the Regulation on Graded Protection of Cybersecurity is still at the consultation stage, the relevant authorities have, since May 2019, been promulgating recommended national standards to guide graded protection. These national standards include, but are not limited to:
- Information Security Technology - Baseline for Classified Protection of Cybersecurity (GB/T 22239-2019);
- Information Security Technology - Evaluation Requirement for Classified Protection of Cybersecurity (GB/T 28448-2019);
- Information Security Technology - Technical Requirement of Security Design for Classified Protection of Cybersecurity (GB/T 25070-2019);
- Implementation Guide for Classified Protection of Cybersecurity (GB/T 25058-2019); and
- Classification Guide for Classified Protection of Cybersecurity (GB/T 22240-2020).

Meanwhile, regulations and guidelines on the protection of CII have been released, including the CII Regulations, effective since September 2021; the Review Measures, effective since February 2022; and the Regulations on the Security Protection of Railroad Critical Information Infrastructure, effective since February 2024.

It is worth noting that in June 2021 China promulgated the Data Security Law of the People's Republic of China (the "Data Security Law"), which governs the collection, storage, processing, use, supply, transaction and disclosure of various types of data. The Data Security Law establishes a data classification and grading system, under which the relevant authorities formulate catalogues of "important data" within their jurisdictions and implement enhanced security measures to protect such data.
For instance, as a specific industry regulation under the Data Security Law, five government agencies, including the Cyberspace Administration of China (the "CAC") and the National Development and Reform Commission, issued the Several Provisions on the Management of Automobile Data Security (Trial Implementation) on 16 August 2021. These Provisions define the basic concepts of automobile data processing and clarify the legal obligations of automobile data handlers, as well as the security standards for the protection of important data and sensitive personal information. Additionally, to regulate online data-processing activities, safeguard data security, promote the rational use of data, and protect the legitimate rights and interests of individuals and organisations, the Regulations on Network Data Security Management (the "NDSM Regulations") came into effect on 1 January 2025. The NDSM Regulations further refine China's legal framework for data security management. They clarify network data security management requirements and enhance governance capabilities, while also providing legal safeguards for unlocking the value of data as a key production factor and supporting the high-quality development of the digital economy.

Furthermore, China has strengthened the regulation of personal information protection. On 20 August 2021, the Personal Information Protection Law of the People's Republic of China (the "Personal Information Protection Law") was released, containing comprehensive rules on personal information processing. In terms of governance of cross-border data transfer, China has released the Cross-border Data Transfer Security Assessment Measures and the Guide to Applications for Security Assessment of Cross-border Data Transfers (Third Edition), which provide the detailed requirements, templates and instructions for the security assessment.
In addition, China has issued the Cross-border Transfer of Personal Information Standard Contract Measures, the Guide to the Filing of the Standard Contract for Cross-Border Transfer of Personal Information (First Edition), and the Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information (Exposure Draft) to further establish compliance mechanisms for cross-border data transfer activities. Subsequently, on 22 March 2024, the CAC issued the Provisions on Promoting and Regulating Cross-border Data Flows, which adjust the thresholds for the aforementioned compliance procedures and provide exemptions.

As the basic law in the field of civil law, the Civil Code of the People's Republic of China (the "Civil Code") also helps to maintain a safe cyber-environment, in particular Articles 1194 to 1197, which lay down rules on tortious liability for conduct that endangers a safe cyber-environment. Specifically, these Articles regulate the rights and obligations of users and network service providers, providing that network users whose legal interests are infringed via the network are entitled to notify the service provider and require it to take necessary measures to protect their rights.

Moreover, several other laws also provide safeguards for cybersecurity. For instance, the Counterespionage Law as revised in 2023 treats data relating to national security and interests as a target of theft, and classifies cyberattacks against state organs, entities handling state secrets or CII as espionage. The Cryptography Law of the People's Republic of China (the "Cryptography Law") came into effect in January 2020 and regulates the management and use of cryptography.
2.2 Critical or essential infrastructure and services: Are there any cybersecurity requirements under Applicable Laws (in addition to those outlined above) applicable specifically to critical infrastructure, operators of essential services, or similar, in your jurisdiction?

The Cybersecurity Law includes provisions on the security protection of CII. For instance, Article 37 of the Cybersecurity Law stipulates that personal information and important data collected or generated by CII operators ("CIIOs") during their operations within the territory of the PRC shall be stored within the PRC. Under Article 31 of the Cybersecurity Law, the State shall, on the basis of the rules for graded protection of cybersecurity, focus on protecting CII in important industries such as public communications and information services, energy, transport, water conservancy, finance, public services and e-government affairs, since the destruction, loss of function or data leakage of such CII would seriously endanger state security, the national economy, people's livelihoods and the public interest.

In addition, the CII Regulations set out further requirements for the security protection of CII. For example, CIIOs shall set up dedicated security management departments, prepare contingency plans, and conduct regular contingency drills, network security inspections and risk assessments.

Also, Article 27 of the Cryptography Law provides that where laws, administrative regulations and relevant national regulations require CII to be protected by commercial cryptography, the CIIOs shall use commercial cryptography for protection and conduct a security assessment of their commercial cryptography applications.

It is noteworthy that the Review Measures require CIIOs purchasing network products and services that affect or may affect national security to carry out a cybersecurity review in accordance with the Measures.
Specifically, Article 5 of the Review Measures further requires that in the event that a CIIO purchases network products and services, it shall anticipate the potential national security risks that may arise from the use of such products and services, and report the ones that may affect national security to the Cybersecurity Review Office for a cybersecurity review.  Moreover, as indicated in Article 1 of the Review Measures, one of the purposes of the newly established version of the Review Measures is “to ensure the security of the CII supply chain”.  On 11 June 2025, the National Cryptography Administration, the CAC, and the Ministry of Public Security jointly issued the Regulations on the Commercial Cryptography Use in Critical Information Infrastructure, which came into effect on 1 August 2025.  They aim to standardise the use of commercial cryptography in CII, applying to its management as defined by the Cybersecurity Law and other relevant laws and regulations, as well as safeguard CII security. The Information Security Technology – Critical Information Infrastructure Security Protection Requirements (GB/T39204-2022) (the “CII Requirements”), effective since 1 May 2023, refine the security requirements and improve operability based on the CII Regulations, with a total of 111 security requirements proposed.  Such requirements are applicable to guiding operators to protect the security of CII in the whole survival cycle and can also be referred to and used by other parties involved in the security protection of CII.  Specifically, the CII Requirements divide the security protection of the CII into six aspects, namely: analysis and identification; security protection; detection and evaluation; monitoring and early warning; active protection; and Incident disposal. 2.3 Security measures: Are organisations required under Applicable Laws to take specific security measures to monitor, detect, prevent or mitigate Incidents? 
If so, please describe what measures are required to be taken.

Yes. The Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, the Several Provisions on the Management of Automobile Data Security (Trial Implementation), the NDSM Regulations, the Administrative Measures of the People’s Bank of China for Data Security in Business Fields, the Administrative Measures on Data Security in the Field of Industry and Information Technology (Trial Implementation), and other relevant laws and regulations provide specific obligations for monitoring, detecting, preventing or mitigating Incidents. These obligations can be categorised as follows:

Regular preventive work: network operators must adopt regular measures to prevent cybersecurity Incidents, including technical measures against cybersecurity violations such as computer viruses, cyberattacks and network intrusions, monitoring and recording the network operation status and cybersecurity events, and retaining network logs for no less than six months. Furthermore, network operators shall provide early warnings of abnormalities such as data leakage, damage, loss and tampering. Important data handlers and sensitive personal data handlers shall also carry out regular risk assessments.
Moreover, under Article 58 of the Personal Information Protection Law, personal information handlers that provide important internet platform services involving a huge number of users and complicated business types shall perform the following obligations: (a) establishing and improving the system of personal information protection compliance rules in accordance with the provisions issued by the state, and forming independent institutions mainly consisting of external personnel to supervise personal information protection; (b) following the principles of openness, fairness and impartiality, developing platform rules, and clarifying the norms for the processing of personal information by product or service providers on the platform and their obligations to protect personal information; (c) ceasing to provide services to product or service providers on the platform that process personal information in severe violation of laws and administrative regulations; and (d) regularly issuing social responsibility reports on personal information protection, which are subject to public supervision.

Emergency measures for security Incidents: network operators must develop an emergency plan for cybersecurity Incidents in order to respond promptly to security risks, take remedial actions immediately, notify affected data subjects, and report the case to the competent authorities as required.

After-action review: network operators must keep in communication with and assist the authorities in completing their investigation and review after an Incident, for example by providing a summary of the cause, nature and impact of the security Incident and the improvement measures taken.

Industry regulations provide more specific security measures.
For instance, the Administrative Measures of the People’s Bank of China for Data Security in Business Fields require data handlers not only to monitor the risks of their own data-processing activities, but also to monitor data security risk information, such as negative public opinion on the data security of a data recipient cooperating with the data handler or of a party entrusted with data processing.

2.4 Reporting to authorities: Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Incidents (including cyber threat information, such as malware signatures, network vulnerabilities and other technical characteristics identifying a cyber attack or attack methodology) to a regulatory or other authority in your jurisdiction? If so, please provide details of: (a) the circumstance in which this reporting obligation is triggered; (b) the regulatory or other authority to which the information is required to be reported; (c) the nature and scope of information that is required to be reported; and (d) whether any defences or exemptions exist by which the organisation might prevent publication of that information.

In general, there are two types of reporting obligations. Information regarding Incidents must be reported to the relevant authorities in accordance with the applicable regulations. Additionally, a standalone regulation requires organisations to report vulnerabilities to the Ministry of Industry and Information Technology (“MIIT”). In both cases, the reporting obligation is mandatory, with no defences or exemptions.

The Cybersecurity Law, the Data Security Law and the Personal Information Protection Law stipulate a general obligation for relevant organisations to promptly notify the responsible authorities about an Incident that has occurred or may have occurred.
Recently, industry regulators (notably the MIIT and the People’s Bank of China) have issued more specific regulations that detail the timeframe for reporting, the information that needs to be reported and other more detailed obligations. Under these regulations, Incidents are classified into four levels based on their impact on the public interest and national security. Relevant organisations typically must immediately report to industry regulators any Incident classified as at least major (i.e., level three in the classification system). However, for Incidents classified as ordinary (i.e., level four in the classification system), these regulations do not specify a clear reporting timeframe. In addition, pursuant to the Regulations of the People’s Republic of China on the Security Protection of Computer Information Systems, any criminal case arising from computer information systems must be reported to the public security authority within 24 hours.

At a minimum, the following content is required to be reported: information on the notifying party; a description of the network security Incident; detailed information about the Incident; the nature of the Incident; the affected assets (if any); the personal information affected or breached (if any); the preliminary containment measures that have been taken; and a preliminary assessment of the severity of the Incident.

Furthermore, the Regulations on the Management of Network Product Security Vulnerabilities stipulate that network product providers must notify the MIIT within two days of discovering security vulnerabilities. The reported information should include the name, model and version of the network product affected by the vulnerabilities, as well as the technical characteristics, risks and impact scope of the vulnerabilities.
2.5 Reporting to affected individuals or third parties: Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which this reporting obligation is triggered; and (b) the nature and scope of information that is required to be reported.

Yes, the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law all require relevant organisations to report information related to actual or potential Incidents to affected parties. In addition, the NDSM Regulations make clear that the affected parties include not only individuals but also business entities that may be affected by the Incident.

With respect to personal information, personal information handlers shall at least inform data subjects of the following: the categories of personal information involved in the Incident, the cause of the Incident and the potential harm that may result; the remedial actions taken by the personal information handler and the measures data subjects can adopt to mitigate the harm; and the contact information of the personal information handler.

2.6 Responsible authority(ies): Please provide contact details of the regulator(s) or authority(ies) responsible for the above-mentioned requirements.

Any regulator identified under question 2.4 above to which network operators are required to report an Incident has the authority to enforce the requirements identified under questions 2.3 to 2.5 above. Specifically, the enforcement authorities include the CAC, the MIIT, the Ministry of Public Security (“MPS”) (+86 (0) 10 6626 2550), the State Secrecy Bureau, the National Administration of Financial Regulation (“NAFR”), the State Encryption Administration (+86 (0) 10 5970 3789) and industry regulators.
For certain authorities, contact details are provided at the local level and published through official websites and/or official social media accounts.

2.7 Penalties: What are the penalties for not complying with the above-mentioned requirements?

Pursuant to the Cybersecurity Law, in the case of non-compliance, network operators may be given a warning, ordered to take rectification measures and/or fined by the relevant authorities. Where an operator refuses to rectify, or in severe circumstances, further penalties such as suspension of the related business, winding up for rectification, shutdown of websites and revocation of the business licence may be imposed by the competent authorities.

Furthermore, under the Personal Information Protection Law, where a personal information handler processes personal information in violation of that Law or fails to fulfil the personal information protection obligations it provides, the department performing personal information protection functions shall also confiscate the handler’s illegal income. Moreover, any violation prescribed in that Law shall be entered into the relevant credit record and published in accordance with the relevant laws and administrative regulations.

2.8 Enforcement: Please cite any specific examples of enforcement action taken in cases of non-compliance with the above-mentioned requirements.

On 16 August 2023, the cybersecurity department of Nanchang’s Public Security Bureau revealed a significant data breach Incident. The personal information of over 30,000 students and faculty members of Nanchang University was discovered to have been sold openly on international online platforms. Investigations revealed that the University had not set up a comprehensive data security management system and had neglected its duty to ensure data protection.
Pursuant to Article 45 of the Data Security Law, the University faced multiple penalties, including corrective actions, a warning and a fine of RMB 800,000. The individual primarily responsible was also fined RMB 50,000.

In 2024, the normalisation of cybersecurity enforcement became increasingly evident, as regulatory authorities at all levels and across regions continued to intensify penalties for cybersecurity violations, with heightened scrutiny of sectors including finance, telecommunications and local enterprises.

Within the financial industry, the National Financial Regulatory Administration (“NFRA”) and its local branches have consistently issued administrative penalties against financial institutions for information security breaches. Violations commonly involve incomplete identification of critical information systems, non-compliant disaster recovery infrastructure and capabilities, untimely patching of system vulnerabilities leading to potential risks, and deficiencies in information security management.

At the local level, cybersecurity departments have similarly strengthened enforcement against enterprises failing to fulfil cybersecurity obligations. Public security cybersecurity units in Inner Mongolia publicised seven cases involving failures to implement cybersecurity protections, imposing penalties on enterprises for violations such as lacking established management systems, neglecting information security duties, refusing to perform cybersecurity protection obligations, and exposing high-risk vulnerabilities, including phishing flaws in externally provided security products. Meanwhile, the Shanghai Communications Administration established a specialised task force led by its Network Security Management Department. Through progress briefings, compliance record reviews and interactive sessions, the task force conducted targeted governance of cloud service security throughout 2024.
Their inspections focused on the implementation of network and cloud security systems, management of risk inventories, platform monitoring and redundancy protection capabilities, and emergency response drills for operational Incidents. Enterprises received specific improvement requirements based on the gaps identified in the materials they submitted, reinforcing foundational safeguards for stable and secure cloud services.

3. Preventing Attacks

3.1 Are organisations permitted to use any of the following measures to protect their IT systems in your jurisdiction (including to detect and deflect Incidents on their IT systems)?

Beacons (i.e. imperceptible, remotely hosted graphics inserted into content to trigger a contact with a remote server that will reveal the IP address of a computer that is viewing such content)

The use of Beacons may result in the collection and use of users’ personal information. Pursuant to the Cybersecurity Law and the Personal Information Protection Law, organisations shall notify users and obtain their consent before collecting such information.

Honeypots (i.e. digital traps designed to trick cyber threat actors into taking action against a synthetic network, thereby allowing an organisation to detect and counteract attempts to attack its network without causing any damage to the organisation’s real network or data)

Relevant laws and regulations do not explicitly prohibit organisations from using Honeypots to detect and deflect Incidents in their own networks.

Sinkholes (i.e. measures to re-direct malicious traffic away from an organisation’s own IP addresses and servers, commonly used to prevent DDoS attacks)

Relevant laws and regulations do not explicitly prohibit organisations from using Sinkholes to detect and deflect Incidents in their own networks.

3.2 Are organisations permitted to monitor or intercept electronic communications on their networks (e.g. email and internet usage of employees) in order to prevent or mitigate the impact of cyber attacks?
Monitoring or intercepting electronic communications may raise privacy issues, as it usually involves the collection of private or personal communication information. For instance, the Civil Code explicitly prohibits individuals or organisations from infringing upon a natural person’s right to privacy. Specifically, Article 1033 of the Civil Code provides that, unless otherwise prescribed by law or specifically agreed by the right holders, no organisation or individual may deal with the private information of others; moreover, Article 40 of the Constitution enshrines that the freedom and privacy of correspondence of citizens are protected by law.

Furthermore, Article 65 of the Telecommunications Regulations of the People’s Republic of China (the “Telecommunications Regulations”) provides that, except for the inspection of telecommunications contents by the public security authorities, the national security authorities or the People’s Procuratorates in accordance with the procedures stipulated by law for the purposes of national security or a criminal investigation, no organisation or individual shall inspect telecommunications contents for any reason.

Lastly, if the technology deployed to monitor or intercept electronic communications is classified as Critical Network Equipment or a Specialized Network Security Product, the equipment or product must go through the requisite inspection or certification procedures before it can be lawfully distributed in China.

3.3 Does your jurisdiction restrict the import or export of technology (e.g. encryption software and hardware) designed to prevent or mitigate the impact of cyber attacks?

Pursuant to Article 28 of the Cryptography Law, the commerce department of the State Council and the State Cryptography Administration shall implement import licensing for commercial cryptography that involves State security and the public interest and that has encryption protection functions.
They shall implement export controls on commercial cryptography that involves State security and the public interest or that involves the international obligations of China.

4. Specif