The Cybersecurity Law entered into force on 1 June 2017.

There are 79 articles in total. This is China’s first comprehensive law on cybersecurity.

This Law is applicable to owners, managers and network service providers (hereinafter referred to as “operators”) that construct, operate, maintain and use networks in China. The Cyberspace Administration of China is the regulator of cybersecurity.

Key points of this Law include:

1. The collection and use of personal information by operators shall be expressly consented by the person whose personal information is to be collected. No one shall illegally acquire, sell or provide personal information to others. The user may request operators to delete his/her personal information obtained illegally.

2. Operators shall verify the identity of the user when providing such services as network access, domain name registration, phone network access, or information release and instant messaging for the user.

3. Any purchase of network products and services by operators of critical information infrastructure shall be subject to regulator’s review.

4. Personal information and important data must be stored in China. Data exportation shall be subject to regulator’s review.

5. If operators find that the user publishes or transmits illegal information, they shall immediately suspend services and report to the relevant departments.

6. Operators shall provide technical support and assistance to public security organs and national security authorities.

7. Where any overseas institution, organization or individual attacks, intrudes into, disturbs, destroys or otherwise damages China’s critical information infrastructures, causing any serious consequence, the violator shall be subject to legal liability in accordance with law. The public security organs and relevant departments may decide to freeze the property of or take any other necessary sanction measure against the institution, organization or individual.