Skip to Content

China's new cybersecurity law raises questions and concerns

Article 2 min read
The new Cybersecurity Law is meant to improve data security for China and its citizens but has businesses within the country unsure about several requirements and the potential costs of compliance


China, the world’s second largest economy, recently implemented its new Cybersecurity Law (CSL). Designed to combat ever-growing information security threats and create a safer internet environment, the CSL calls for mandatory information security maintenance by businesses with computer systems linked to China.

The CSL, which went into effect on June 1, 2017, introduces major changes to the global cybersecurity landscape. The law is part of a new initiative to protect Chinese data from the prying eyes of foreign companies, an issue directly related to leaks from local governments in multinational organizations.
The CSL is intended to protect China and its citizens but, globally, the law has raised some real concerns. Vague provisions, broadly-defined terms, and the potential for new security risks and significant additional expense — these have a broad range of companies concerned about how the law will impact their IT systems, and therefore their operations, in China and elsewhere.

The CSL calls for mandatory information security maintenance by businesses with computer systems linked to China.

Protecting and accessing personal information

The CSL requires companies doing business in China to standardize and store their data in China and to provide the government with information about the business' network infrastructure. The law also requires controls for identifying and protecting personal and other sensitive information.

Specifically, the law focuses on how information is protected and how sensitive information about Chinese citizens is used. Such information must be stored on domestic servers, and companies using or requesting that information must undergo security checks before the data can leave the country. If companies store or retrieve the data in an unauthorized manner, they’re subject to fines and criminal charges.

Cost concerns

Many businesses also are concerned about the costs to improve the robustness of their IT systems and to implement newer technologies that better support data security. In addition, penalties for noncompliance can reach up to 1,000,000 RMB, (or nearly $150,000 USD) and, since China is trying to take precautions against foreign espionage with the law, failure to comply may also result in criminal charges.

The bottom line

The table below outlines key aspects of the new CSL in comparison to U.S. data compliance standards. Organizations should review their critical infrastructure and identify where individual private information lies. If all goes well and this new law is practiced and followed properly, sensitive data should be protected and have less risk of being exposed in the wrong hands.

Related Thinking

Two business professionals in casual clothing using a handheld tablet device together while standing.
June 18, 2024

Cybersecurity essentials for franchises: Prevent, respond, comply

Article 7 min read
Food and beverage cookie manufacturer equipment using smart manufacturing processes.
June 3, 2024

Cybersecurity in food manufacturing: Ransomware threats

Article 3 min read
Cybersecurity professional on their laptop in a server room.
April 29, 2024

Bridging the widening cybersecurity skills gap

Article 5 min read