China has rapidly developed one of the world’s most demanding regulatory ecosystems for cybersecurity and data governance. For multinational companies (MNCs), operating securely in China now requires more than traditional corporate controls. Success increasingly depends on building a localized compliance strategy—one that aligns with China’s laws, product certification schemes, procurement rules, and strict vendor risk standards.
This updated guide breaks down recent regulatory changes, how the different rules connect, and the steps global CISOs, privacy leaders, and procurement teams should prioritize over the next year.
1. China’s Core Cyber and Data Laws: What MNCs Must Understand
China’s regulatory framework is built on three main laws:
Cybersecurity Law (CSL)
Introduced in 2017, the CSL established foundational security requirements and introduced the Multi-Level Protection Scheme 2.0 (MLPS 2.0). Under MLPS, every information system in China must be classified from Level 1 to Level 5 based on risk to national security or public interest.
Typical obligations include:
- Level 1–2: Basic security controls, incident management, vulnerability patching, and routine assessments.
- Level 3 and above: Formal filings with local Public Security Bureaus (PSBs), annual audits, mandatory use of compliant security products, and heightened monitoring.
Many MNC systems, such as ERP, CRM, ecommerce platforms, and manufacturing systems, fall into Level 2–3, which makes MLPS a required part of IT planning.
Data Security Law (DSL)
Effective 2021, the DSL requires organizations to classify, grade, and protect data based on its importance. It also introduces specialized rules for “important data,” which may include industrial information, mapping data, vehicle telemetry, health information, and sector-specific datasets.
If your operations touch important data, expect:
- Stricter storage and localization requirements
- Additional export controls
- Mandatory risk assessments
Personal Information Protection Law (PIPL)
China’s primary privacy law also took effect in 2021. PIPL resembles the EU’s GDPR but includes unique requirements:
- Clear lawful basis for processing
- Transparency and purpose limitation
- Strict rules for sensitive data (e.g., biometrics, health, precise location)
- Defined data-subject rights
- Mandatory DPIAs for high-risk processing
- Specific rules for cross-border transfers
Together, CSL, DSL, and PIPL form the backbone of China’s cybersecurity and privacy obligations for MNCs.
2. Cross-Border Data Transfers: Complex but More Flexible Than Before
Transferring data outside China is heavily regulated. Organizations must follow one of three legal paths:
a) CAC Security Assessment
Required for:
- High volumes of personal data
- Any export involving important data
- Firms designated as Critical Information Infrastructure Operators (CIIOs)
This involves submitting documentation to the Cyberspace Administration of China (CAC) for formal review.
b) China Standard Contract (SCC)
This is China’s version of a model contract and can be used for low-risk or low-volume transfers. Organizations must file the SCC with provincial CAC authorities.
c) Certification
Approved institutions can certify a company’s foreign transfer practices—useful for multinational groups transferring data internally.
2024 Updates: Easing Low-Risk Transfers
New provisions introduced in March 2024 allow certain everyday transfers to proceed with fewer burdens—for example:
- Cross-border payments
- Travel bookings
- Routine HR transfers
- Emergency scenarios
- Small-volume personal data exports
However, these exemptions do not apply to important data, CIIOs, or high-volume personal information processing.
3. Product Compliance: Certifications, Filings, and Technical Requirements
Operating in China often requires additional certifications and product approvals.
MLPS 2.0 Audits
Systems identified as MLPS Level 3+ require:
- Registration with local PSBs
- Annual third-party testing
- Use of security products compliant with Chinese standards
Critical Network Equipment & Cybersecurity Products
China maintains catalogs of equipment that need mandatory testing or certification before use. These can include:
- Routers, firewalls, core switches
- VPN gateways and secure network appliances
- SIEM platforms
- Industrial cybersecurity devices
These requirements can directly affect network architecture, the bill of materials, and vendor selection.
Commercial Cryptography Law
Encryption is tightly regulated in China. Requirements may include:
- Use of approved cryptographic algorithms
- Filing or certification of products using commercial encryption
- Restrictions on importing or exporting certain cryptographic items
This applies especially to VPNs, encrypted apps, HSMs, and secure communications.
IoT, Telecom, and Wireless Approvals
Connected hardware may require:
- NAL (Network Access License)
- SRRC certification for wireless devices
These run parallel to cybersecurity obligations.
4. Cybersecurity Review and Procurement Risk
Organizations in Critical Information Infrastructure sectors—such as finance, energy, telecom, transportation, and healthcare—face heightened oversight. CII operators must:
- Localize certain data
- Perform security assessments for data exports
- Undergo cybersecurity reviews when procuring network-related products or services that could affect national security
For MNCs, this means:
- Procurement cycles may lengthen
- Certain global solutions may not be allowed
- Additional documentation and supply-chain transparency may be required
5. Vendor Risk: Why MNCs Need a China-Specific Approach
Traditional global vendor risk frameworks are not enough for China. MNCs should evaluate vendors across categories such as:
- Legal compliance with PIPL, DSL, and MLPS
- Product certifications (cryptography, catalog equipment, MLPS compatibility)
- Data localization and cross-border mechanics
- Use of subprocessors within China
- Evidence of MLPS filings or certifications
- Ability to support Chinese regulatory inquiries
- Local service capability and incident-response support
China-focused vendor questionnaires, contractual addenda, and ongoing monitoring are essential.
6. Implementation Roadmap for MNCs
0–90 Days
- Map China data flows
- Identify MLPS levels for each system
- Freeze high-risk transfers pending legal route selection
- Determine whether the China entity qualifies as a CII operator
90–180 Days
- Formalize outbound transfer mechanisms (SCC, CAC assessment, certification, or exemptions)
- Update contracts with China-specific terms
- Begin required product certifications or filings
- Strengthen DPIAs and logging mechanisms
6–12 Months
- Complete MLPS registration and annual audits
- Automate monitoring for transfer thresholds
- Run tabletop exercises simulating regulator inquiries
- Optimize architecture to reduce sensitive PI processing and rely more on compliant transfer exemptions
Conclusion
Cybersecurity compliance in China has matured into a structured yet demanding discipline. With the right strategy—MLPS classification, China-specific product certifications, lawful data-transfer mechanisms, and localized vendor risk management—MNCs can operate securely and confidently.
Building a tailored compliance model not only reduces regulatory risk but also supports long-term, sustainable business growth in one of the world’s most important markets.