MERICS Press releases, China Flash header


Stricter regulations for companies, greater powers for the state


Despite criticism from abroad, China has passed its controversial Cybersecurity Law. The new law will come into effect in June 2017 and gives the government broad powers to protect and control so-called critical information infrastructure. However, the law is vague and lacks detail on specific security measures. Foreign companies are concerned that they may have to share their source code with Chinese authorities. They also worry that data localisation requirements might increase the danger of industrial espionage and intellectual property violations. 

MERICS cybersecurity expert Nabil Alsabah explains what is at stake.

What is the Cybersecurity Law all about?

The Cybersecurity Law is the latest addition to a series of laws and regulations aimed at strengthening network security and tightening information control and censorship in China. The law introduces measures to ensure the protection of “critical information infrastructure” – such as energy and water supply – from hackers and cyber sabotage. It also confirms previous censorship rules in the name of “protecting political stability” and “national security”. The law gives the government the right to shut down the internet during crises, as it once did during the unrest in Xinjiang in 2009. In 2015 China passed a Counter-Terrorism Law which requires companies to provide access to the data of terror suspects. The National Security Law, also adopted last year, laid down the principle of “cyber sovereignty” — the notion that China can regulate “its” internet as it wishes. The Cybersecurity Law is part of this broader framework.

How does the cybersecurity law affect foreign companies doing business in China?

The law affects foreign companies that sell hardware and software solutions to China’s critical infrastructure operators. Those operators are in the future only allowed to purchase IT products that have passed a cybersecurity review, probably administered by the Cyberspace Administration of China. It is unclear whether foreign companies must reveal software source code during the review process.The new law classifies the following areas as critical: communication infrastructure, energy, transport, water supply, finance, public utilities and e-government services. The law also mentions unspecified areas that might affect “national security”, the “citizens’ well-being” or “public interest”. Such vague language could allow authorities to arbitrarily classify more and more areas as “critical”. The data localisation requirement is another challenge for foreign companies. The law stipulates that data, such as user data, collected by critical infrastructure operators must be stored within China’s borders. Foreign businesses are concerned that this requirement increases the risk of industrial espionage and intellectual property theft.

Foreign companies have criticized the draft law for months. Have their concerns been addressed?

The legislator did not compromise on the data localisation requirement or the cybersecurity review for IT products sold to critical infrastructure operators. These two issues were the biggest concerns for foreign companies. However, under certain circumstances companies may be exempted from the data localisation requirement. However, details are not clear. Showing strength can pay off too. Apple, for example, has successfully refused to share source code with the Chinese state - without any repercussions. Overall, the new law lacks transparency and creates uncertainty. Its precise effects remain to be seen and depend on implementation.


You are welcome to use this interview or individual answers by stating the source. For interview requests please contact: