“There is no national security without cybersecurity,” declared President Xi Jinping at the inaugural meeting of the Central Leading Group for Cybersecurity and Informatization in February 2014. His words triggered the starter’s gun for a cyberspace regulation marathon in China. Since then, Chinese authorities have tightened the state’s control over everything cyber: from social media and online publishing to IT business models and cloud data centers.

The Chinese state is becoming ever more assertive in censoring the Internet, fighting cybercrime and proclaiming its Internet governance model in international forums. This assertive approach affects a multitude of actors, from netizens over enterprises to domestic state agencies. Among those affected, foreign enterprises have so far been among the loudest critics since compliance will sometimes require implementing critical and costly technical changes regarding how data is stored, encrypted and shared.

Looking at the cyberspace regulations issued to date, we can make out four concrete challenges for foreign businesses operating in China. First, the Cybersecurity Law obliges companies selling hardware and software solutions to so-called critical infrastructure operators (关键信息基础设施) to pass a state-administered cybersecurity review. It is unclear how far the review process will go and whether, for example, foreign companies must reveal software source code.

The law classifies the following areas as critical: communication infrastructure, energy, transport, water supply, finance, public utilities and e-government services. The law also mentions unspecified areas that might affect “national security,” the “citizens’ well-being” or “public interest.” Such vague language could allow authorities to arbitrarily classify more and more areas as “critical.”

The vetting requirement applies to all products that deal with digital data: from text processing applications over routers to cars with embedded systems. Foreign IT will be placed under special scrutiny. This, China feels, is particularly justified after the Snowden revelations of deliberate security loopholes (or, backdoors) that enable state-sponsored hacking.

Second, the data localization requirement stipulates that data, such as user data, collected by critical infrastructure operators must be stored within China’s borders. Foreign businesses are concerned that this requirement will increase the risk of industrial espionage and intellectual property theft. Also, the costs of relocating data centers to China is another factor to be considered. However, the Cybersecurity Law allows for exceptions. It is still unclear under which circumstances exceptions to the localization requirement would be granted. 

Third, the Counter-Terrorism Law from (2015) requires companies, if asked by state authorities, to hand over data of terror suspects. This provision could prove to be highly problematic. Companies using so-called end-to-end encryption, for example, would not be able to comply since they do not have the technical ability to pry into the encrypted data of their customers. Chinese laws do not provide for any exceptions here.

Fourth, the “Administrative Rules for the Commercial Use of Encryption” (1999) stipulate that companies are only permitted to use state-approved encryption technologies. The import of secure routers, firewalls and encryption software must be authorized by the Office of State Commercial Cryptography Administration (OSCCA).

This regulation strictly limits the import and sale of foreign encryption products in China. Given the heightening levels of cyberspace controls, we can expect the Chinese authorities to be more rigorous in enforcing this regulation that they have been in the past.

It is highly unlikely that China’s regulatory zeal in cyberspace will lose momentum anytime soon. Foreign businesses should not expect any major changes from future leaders either. In fact, Xi Jinping’s link between cybersecurity and national security reflects a widely accepted view in China. The direction Chinese leaders are taking is clear: strictly regulate untrustworthy foreign technologies and strive for developing national substitutes.