
The Regulations, which took effect on January 1, 2025, reiterate and clarify existing requirements and introduce new ones on privacy and network data security.
By Hui Xu and Bianca H. Lee
On September 30, 2024, the PRC State Council released the finalized Regulations on Network Data Security Management (Regulations), concluding a three-year consultation process since the initial draft in 2021.
The Regulations took effect January 1, 2025, and build upon the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL), which form China’s legal framework for data protection and security. The Regulations integrate common cybersecurity requirements from these laws, applying them to “network data processing activities,” which include all electronic data processed through networks.
The Regulations also address gaps and provide clarity where the existing laws may be broad or ambiguous, introduce entirely new obligations, and outline requirements on the conduct and responsibilities of data regulators.
Network Data Processors subject to the CSL, DSL, and/or PIPL should promptly review their data security and personal information protection practices to ensure compliance with the new Regulations.
Read the Client Alert.