China Cybersecurity Law Compliance 2025: Data Localization, Cross-Border Rules and Enterprise Impact

China's cybersecurity regulatory framework has matured into a three-pillar system comprising the Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL). Together, these laws mandate data localization for critical information infrastructure operators, require security assessments for cross-border data transfers, and impose significant penalties for non-compliance. The Cyberspace Administration of China (CAC) has issued detailed implementation rules in 2024-2025, clarifying obligations for multinational enterprises, cloud providers and data processors operating in the Chinese market.

TL;DR

China's three-pillar data governance framework (CSL, DSL, PIPL) requires data localization for critical information infrastructure operators, mandatory CAC security assessments for cross-border transfers of important data or of personal data above volume thresholds, and personal information protection impact assessments for specified high-risk processing such as sensitive data handling and transfers abroad. Non-compliance penalties under the PIPL can reach CNY 50 million or five percent of the previous year's annual revenue. Over 200 cross-border data transfer security assessments were filed with the CAC in 2024.

Key Insights

Cross-Border Assessments Filed

200+

Over 200 cross-border data transfer security assessments were filed with the CAC in 2024, with financial services, healthcare and technology companies comprising the majority of applicants.

Maximum Penalty

CNY 50M

The PIPL sets maximum penalties at CNY 50 million or five percent of the previous year's annual revenue, among the highest data protection fines globally, with responsible individuals also facing personal liability.

Critical Infrastructure Sectors

18 sectors

The government designates eighteen sectors as critical information infrastructure, including telecommunications, finance, energy, transportation and healthcare, requiring enhanced data security measures and mandatory data localization.

Compliance Cost Estimate

$2M+

Multinational enterprises typically spend over USD 2 million annually on China data compliance, including legal counsel, technical audits, data mapping exercises and local data storage infrastructure.

Side-by-Side Comparison

| Requirement | CSL | DSL | PIPL |
| --- | --- | --- | --- |
| Scope | Network operators and CII operators | All data handlers | Personal information processors |
| Data localization | Required for CII operators | Required for important data | Required above volume thresholds |
| Cross-border transfer | Security assessment required | Security assessment required | Security assessment, standard contract or certification |
| Maximum penalty | CNY 1M plus business suspension | CNY 10M plus licence revocation | CNY 50M or 5% of prior-year revenue |
| Personal liability | CNY 100K | CNY 1M | CNY 1M plus ban from senior roles |

Frequently Asked Questions

What triggers a mandatory security assessment for cross-border data transfers?

Under the CAC's March 2024 Provisions on Promoting and Regulating Cross-Border Data Flows, a security assessment is required when a processor exports important data, when a CII operator exports any personal information, or when a non-CII processor has exported, cumulatively since 1 January of the current year, non-sensitive personal information of one million or more individuals or sensitive personal information of 10,000 or more individuals. Transfers of non-sensitive personal information covering 100,000 to under one million individuals, or sensitive personal information of fewer than 10,000 individuals, fall below the assessment threshold and use a standard contract or certification instead; non-sensitive transfers below 100,000 individuals are exempt from all three mechanisms.

Can foreign companies use standard contracts instead of security assessments?

Yes. For transfers below the security assessment thresholds, companies may use the CAC-issued standard contract for cross-border transfer of personal information, obtain personal information protection certification from an accredited institution, or rely on another legally permitted mechanism. The signed standard contract, together with a personal information protection impact assessment report, must be filed with the provincial-level Cyberspace Administration within ten working days of the contract taking effect.

How does China define critical information infrastructure?

The Cybersecurity Law and the 2021 Regulations on the Security Protection of Critical Information Infrastructure define CII as network facilities and information systems whose damage, loss of function or data leakage would seriously endanger national security, the national economy, people's livelihood or the public interest. Eighteen sectors are designated, including public communications, energy, finance, transportation, healthcare and large-scale online platforms. Operators are identified and notified by their sector regulators and must comply with enhanced security requirements, including domestic storage of personal information and important data collected in China.

What are the key compliance steps for a new market entrant?

New entrants should: conduct a data mapping exercise to classify all personal and important data; evaluate whether they qualify as a CII operator; implement data localization for the required categories; establish a personal information protection impact assessment process; designate a person in charge of personal information protection and, for processors established outside China, a representative in China; and file the necessary cross-border transfer mechanism with the CAC before initiating any data flows abroad.