The Regulations, which took effect on January 1, 2025, reiterate and clarify existing requirements and introduce new ones on privacy and network data security.
By Hui Xu and Bianca H. Lee
On September 30, 2024, the PRC State Council released the finalized Regulations on Network Data Security Management (Regulations), concluding a three-year consultation process since the initial draft in 2021.
The Regulations took effect January 1, 2025, and build upon the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL), which form China’s legal framework for data protection and security. The Regulations integrate common cybersecurity requirements from these laws, applying them to “network data processing activities,” which include all electronic data processed through networks.
On July 30, 2021, the State Council of the People’s Republic of China (PRC) published the Security Protection Regulations on the Critical Information Infrastructure (the Regulations), which was adopted by the State Council on April 27, 2021. The Regulations took effect on September 1, 2021, along with the recently passed 
On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which will come into effect on September 1, 2021. The primary purpose of the law is to regulate data activities, safeguard data security, promote data development and usage, protect individuals and entities’ legitimate rights and interests, and