You are here


Survey Answer:

China has recently adopted the Cybersecurity Law of the People’s Republic of China, which became effective in 2017 and incorporates provisions from a number of earlier State Council decisions, administrative regulations and ministerial rules. The PRC government is now in the process of issuing new regulations and rules to implement the Cybersecurity Law, which we will discuss below.
In addition, there are certain regulations and rules pre-dating the Cybersecurity Law which are still in effect. Notable among these are the Measures for Administration of Classified Protection of Information Security, which comprise a basic framework for information system security. The Measures are being updated in the form of an administrative regulation, the Regulations on Classified Protection of Cybersecurity. A list of these legal authorities is provided below.
Note 1: The Cybersecurity Law governs the use of computer networks within China. Generally speaking, all operators of networks within China are subject to the Cybersecurity Law, and a subset of those operators may further be classified as “critical information infrastructure” (“CII”) operators, which are subject to additional legal obligations.
Note 1: The hierarchy of laws in the People’s Republic of China that we primarily cite in this questionnaire are as follows: 1) laws and National People’s Congress (NPC) Standing Committee decisions, 2) State Council administrative regulations, 3) ministerial rules, 4) national standards.
1. Laws and NPC Standing Committee Decisions
1.1. 《中华人民共和国网络安全法》[Cybersecurity Law of the People’s Republic of China] (Standing Comm. Nat’l People’s Cong., Pres. Order 53; promulgated Nov. 7, 2016, effective Jun. 1, 2017) 2016 STANDING COMM. NAT’L PEOPLE’S CONG. GAZ. 6.
1.2. 《全国人大常委会关于加强网络信息保护的决定》[Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection] (Standing Comm. Nat’l People’s Cong., promulgated and effective on Dec. 28, 2012)
2. Administrative Regulations
2.1. 《中华人民共和国计算机信息系统安全保护条例》[Regulations of the People’s Republic of China for Security Protection of Computer Information Systems] (as amended by St. Council, Decree No. 588; promulgated and effective Jan. 8, 2011) 2011 ST. COUNCIL GAZ. SUPP. 1.
2.2. [Proposed]《关键信息基础设施安全保护条例(征求意见稿)》[Regulations on Protection of Critical Information Infrastructures (Draft for Comment)] (Cyberspace Admin. of China, issued on July 11, 2017 for public comment until Aug. 10, 2017)
2.3. [Proposed]《网络安全等级保护条例(征求意见稿)》[Regulations on Classified Protection of Cybersecurity (Draft for Comment)] (Min. Publ. Sec., issued June 27, 2018, for public comment until July 27, 2018)
3. Ministerial Rules
3.1. 《信息安全等级保护管理办法》[Measures for Administration of Classified Protection of Information Security] (Min. of Public Sec. et al., Gong Tong Zi [2007] No. 43; promulgated June 22, 2007)
3.2. 《互联网安全保护技术措施规定》[Provisions on the Technical Methods for the Protection of Internet Security] (Min. of Public Sec., promulgated Dec. 13, 2005, effective Mar. 1, 2006)
4. National Standards and Other Regulatory Documents
4.1. 《信息安全技术 信息系统安全等级保护实施指南》[Information Security Technology – Implementation Guide for Classified Protection of Information Systems] (Standard. Admin. of P.R.C. et al., (GB/T 25058-2010), promulgated Sept. 2, 2010, effective Feb. 1, 2011)
4.2. 《信息安全技术 网络安全等级保护测试评估技术指南》[Information Security Technology – Testing and Evaluation Technical Guide for Classified Cybersecurity Protection] (Standard Admin. P.R.C. et al. (GB/T 36627-2018); promulgated Sept. 17, 2018, effective Apr. 1, 2019)
4.3. [Proposed]《信息安全技术 网络安全等级保护定级指南(征求意见稿)》[Information Security Technology – Guidelines for Grading of Classified Cybersecurity Protection (Draft for Comment)] (Nat’l Info. Sec. Standard. Tech. Comm. (GB/T 22240-20XX); issued Jan. 19, 2018, for public comment until Mar. 5, 2018), available at

Provided By:
David Tang, Han Kun Law Offices