China Cybersecurity Law 2025: Compliance Guide for Foreign Companies
China's cybersecurity regulatory framework has matured significantly by 2025, with the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL) forming a three-pillar system. Foreign companies operating in China face layered compliance requirements including domestic storage obligations for some operators, cross-border data transfer restrictions, security assessments, regulatory filings, and in some cases certification. Understanding and complying with these regulations is essential for any business with operations, customers, or data processing activities in China.
TL;DR
China's three-pillar cybersecurity framework (CSL + DSL + PIPL) is now fully in force, with enforcement activity and penalties increasing through 2025. Key compliance requirements include: domestic storage of personal information and important data for Critical Information Infrastructure (CII) operators (CSL Art. 37); a CAC security assessment for exports of important data and for large-volume personal information exports (more than 1 million individuals, or sensitive personal information of more than 10,000 individuals, counted since 1 January of the current year), with smaller volumes handled by a Standard Contract filing or a personal information protection certification; designation of a person in charge of personal information protection and, for processors outside China, a representative in China (PIPL Arts. 52 and 53); and algorithm filing for recommendation, deep synthesis, and generative AI services. Penalties for PIPL violations can reach 50 million RMB or 5% of the previous year's turnover.
Key Insights
Maximum Penalty for Violations
Maximum penalties under PIPL (Art. 66) can reach 50 million RMB or 5% of the previous year's turnover, and the responsible individuals can be fined personally and barred from serving as directors or senior managers. In 2025, enforcement actions resulted in cumulative fines exceeding 300 million RMB across all three laws, with several high-profile cases involving major foreign tech companies.
Cross-Border Data Transfer Approvals
Over 200 cross-border data transfer applications were approved or filed in 2025 through the three available pathways (CAC security assessment, Standard Contract filing with the provincial CAC, and personal information protection certification by an accredited body), providing clearer compliance routes for multinational companies that need to transfer data out of China.
Critical Information Infrastructure Sectors
The CII Security Protection Regulations (in force since 1 September 2021) designate as Critical Information Infrastructure the important network facilities and information systems in public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, and the national defense science and technology industry, plus any other system whose destruction, loss of function, or data leakage could seriously endanger national security, the economy, or public welfare. The sector regulators, not the operators themselves, identify and notify CII operators. CII operators face the strictest requirements, including domestic storage of personal information and important data, a CAC security assessment before any export, and an annual security inspection and risk assessment.
Compliance Investment Increase
Foreign companies in China increased cybersecurity and data compliance spending by approximately 40% year-over-year in 2025, driven by expanded regulatory scope, increased enforcement actions, and growing board-level awareness of China data risks as part of global data governance strategies.
Side-by-Side Comparison
| Regulation | Effective | Scope | Key Requirement | Penalty |
|---|---|---|---|---|
| Cybersecurity Law (CSL) | Jun 2017 | Network operators | Multi-level protection scheme (MLPS), incident reporting, CII protection | Up to 1M RMB under the 2017 text, plus suspension or license revocation |
| Data Security Law (DSL) | Sep 2021 | All data handlers | Data classification (general / important / core), risk assessment, export controls on important data | Up to 10M RMB, plus suspension or license revocation |
| PIPL | Nov 2021 | Personal information processors | Lawful basis (usually consent), purpose limitation, data minimization, PI protection impact assessment | Up to 50M RMB or 5% of prior-year turnover |
| CII Security Protection Regulations | Sep 2021 | CII operators | Domestic storage of PI and important data, annual security inspection and risk assessment | Fines plus operational restrictions |
| Cross-border data rules (Security Assessment Measures, Standard Contract Measures, Provisions on Promoting and Regulating Cross-Border Data Flows) | Sep 2022 / Jun 2023 / Mar 2024 | Data exporters | Security assessment, Standard Contract filing, or certification depending on volume and data type | Suspension of the transfer, plus PIPL/DSL fines |
| Interim Measures for Generative AI Services | Aug 2023 | Generative AI service providers | Algorithm filing, security assessment, content labeling | Service suspension |
| Deep Synthesis Provisions | Jan 2023 | Deep synthesis (deepfake) service providers and users | Labeling of synthetic content, consent of the person depicted | Content takedown, service suspension |
Frequently Asked Questions
What are the data localization and cross-border transfer requirements?

Data localization applies to two categories. Critical Information Infrastructure (CII) operators must store personal information and important data collected or generated in China within the country (CSL Art. 37) and must pass a CAC security assessment before exporting any of it. Non-CII companies may transfer personal information overseas, but the route depends on volume and data type under the March 2024 Provisions on Promoting and Regulating Cross-Border Data Flows: a CAC security assessment is required for any export of important data and for exports of personal information of more than 1 million individuals, or sensitive personal information of more than 10,000 individuals, counted cumulatively since 1 January of the current year; exports of 100,000 to 1 million individuals' non-sensitive personal information, or fewer than 10,000 individuals' sensitive personal information, require either a Standard Contract filed with the provincial CAC or a personal information protection certification; exports below 100,000 individuals' non-sensitive personal information are exempt from all three mechanisms. Transfers necessary for a contract with the individual (cross-border shopping, travel bookings, payments) and for cross-border HR management are also exempt regardless of volume. Companies should conduct a data mapping exercise to determine which requirements apply to their specific operations, and should track the annual counts, since crossing a threshold mid-year changes the applicable route.
How does PIPL compare to GDPR?

Both PIPL and GDPR share similar principles, including consent requirements, purpose limitation, data minimization, a right to deletion, impact assessments for high-risk processing, and the designation of a person responsible for data protection. Key differences include: PIPL's cross-border transfer rules require a regulatory step for most transfers (a CAC security assessment, a Standard Contract filed with the provincial CAC, or a certification), whereas GDPR allows transfers on the basis of adequacy decisions, SCCs, and BCRs without any filing or pre-approval; PIPL enumerates a closed list of lawful bases (consent, contract or HR management necessity, statutory duties, public health emergencies, public-interest news reporting, and already-public information) and has no equivalent of GDPR's "legitimate interests" basis; PIPL requires domestic storage for CII operators and for processors above a volume threshold set by the CAC (GDPR does not mandate localization); PIPL's maximum fine is 5% of prior-year turnover versus GDPR's 4% (or 50 million RMB versus EUR 20 million); and PIPL applies extraterritorially to processing outside China of personal information of natural persons located in China, where the purpose is to provide them products or services or to analyze their behavior (Art. 3), which is a residence-based test rather than one based on citizenship.