European Chamber Commented on Cyber Security Law Go back »

2016-11-07 | All chapters

European Chamber Commented on Cyber Security Law

The European Chamber welcomes the positive changes contained in the final draft of the Cyber Security Law, such as the strengthened measures against cyber fraud and the further clarification of the sectors that will fall under the scope of ‘critical information infrastructure’.

However, it is also very concerned that many controversial provisions that the European Chamber already commented on remain unchanged from the previous draft, such as the requirements for strict data residency and restrictions on cross-border data flow. Furthermore, what exactly constitutes ‘critical information infrastructure’ is unclear and there is a lack of detail on the specific security protection measures that will be required. Details are also lacking on the several security review and protection schemes, such as the cybersecurity multi-level protection system.

The overall lack of transparency over the last year surrounding this significant and wide-reaching piece of legislation has created a great deal of uncertainty and negativity in the business environment. The European Chamber remains concerned that the new law will hinder foreign investment and businesses operating in and with China. The Chamber will continue monitoring developments and their possible impact, and hopes the law’s application will be limited to what is strictly necessary to ensure cyber security. Clarifying implementing regulations should be issued as soon as possible and before the effective date.


Legislation Development 

Cyber Security Law of China was passed on Nov. 7, 2016 by National People’s Congress. The law was reviewed and approved by the 24th Session of the 12th Standing Committee meeting of NPC and will be effective from June 1, 2017.

The European Chamber commented actively in both its first public consultation in July/Aug 2015 and second public consultation in Aug 2016. Chamber’s major concerns focused on data localization requirements as well as critical information infrastructure. The Chamber engaged with China Administration of Cybersecurity (CAC) and NPC to voice concerns from the industry.

For more information please contact

Xinhe Fan