Cybersecurity Law of the People's Republic of China

China's Cybersecurity Law (CSL), effective June 1, 2017, is the cornerstone of China's cybersecurity regulatory framework. The CSL establishes requirements for network operators, critical information infrastructure (CII) operators, and personal information processors. Key provisions include: mandatory data localization for CII operators (personal information and important data must be stored within China); security review requirements for network products and services used in CII; real-name registration requirements for internet users; network security graded protection (MLPS 2.0) compliance; and incident reporting obligations. The CSL defines "network operators" broadly to include any organization that owns or administers a network, making it applicable to virtually all businesses operating in China. CII operators face enhanced obligations including annual security assessments, security officer appointments, and emergency response plan testing. The CSL works in conjunction with the Data Security Law (2021) and Personal Information Protection Law (2021) to form China's comprehensive data governance framework. Non-compliance can result in fines up to RMB 1 million and criminal liability for responsible individuals.