The Cybersecurity Law of the People’s Republic of China, (Chinese: 中华人民共和国网络安全法) commonly referred to as the Chinese Cybersecurity Law, was enacted by the National People’s Congress with the aim of increasing data protection, data localization, and cybersecurity ostensibly in the interest of national security. The law is part of wider series of laws passed by the Chinese government in an effort to strengthen national security legislation. Examples of which since 2014 have included a Law on National Intelligence, the National Security of the People’s Republic of China (not to be confused with the Hong Kong National Security Law) and laws on counter-terrorism and foreign NGO management, all passed within successive short timeframes of each other.

China enacted the CSL on November 7, 2016. The CSL came into force on June 1, 2017, with the goal of establishing a uniform regulatory regime for cybersecurity and data protection in China.

The law:

• Created the principle of cyberspace sovereignty
• Defined the security obligations of internet products and services providers
• Detailed the security obligations of internet service providers.
• Further refined rules surrounding personal information protection
• Established a security system for key information infrastructure
• Instituted rules for the transnational transmission of data from critical information infrastructures.

The cybersecurity law is applicable to network operators and businesses in “critical sectors.” By critical sectors, China roughly divides the domestic businesses into networking businesses that are involved in telecommunications, information services, energy transport, water, financial services, public services, and electronic government services.