Sticks and Stones for foreign businesses: The second draft of China’s Cyber Security Law is out

Last month, the second draft of China’s Cybersecurity Law has been released. This law is the first attempt to coordinate the safeguarding of the internet and the drafts are supposed to outline a rough direction of where the law is heading what the possible implications would be. Although the second draft narrowed the room for interpretation, many blurred lines and open questions remain. But one thing is clear: Companies will face new challenges.

As a part of China’s National Security Initiative, the Standing Committee of the National People’s Congress is currently working on a Cyber Security Law, the first one of its kind in the People’s Republic. It aims, among other things, at preserving cyberspace sovereignty, network security and at promoting a healthy development of economic and social informatization.

The law’s main target group are network operators. These are broadly defined as network owners, managers, and network service providers (Art. 72 (3)). However, this definition is very vague and could cover big telecommunication companies as well as e-commerce platforms

The Cybersecurity Law can be categorised into three target areas, technology regulation, cooperation with the authorities and data localisation.

Article 22 states that “critical network equipment” and “specialised cyber security products” have to be inspected and certified before they may be sold in China. This is especially problematic for foreign companies, which rely on their own software to conduct business. The inspection of the software or technology by the authorities might expose intellectual property and security mechanisms. For example, global banks might have difficulties using the software they use in the rest of the world in their Chinese branches.

Another possible outcome is the preference by the authorities of Chinese products or companies over their foreign competitors. Exclusive licenses granted to domestic companies or a faster approval process can result in an uneven playing field and grant Chinese competitive advantage.

The second main aspect concerns the cooperation with Chinese authorities (Article 27). It obliges “network operators” to provide information and assistance to regional and national security organs. Although the main objective is the protection of national security and the investigation of crimes, it is not clear how broad the cooperation has to be, especially since there is little judicial oversight. So far, the Law will require those network operators to keep a log record for six months and to inform the authorities if any security defects are discovered within their security system.

Data localisation laws are not new to China and are common in the West, too. It refers to the practice of keeping data within a jurisdiction where is has been collected or generated. Article 31 of the previous draft already imposed an obligation on network operators to store personal information that has been collected or generated in Mainland China within its borders. But whereas the first draft required only the storage of personal data on mainland China, the second draft also includes business data and does not mention the option of storing these data outside of China anymore.

It is clear that the second draft is not a complete new document but an evolution of the first draft and the main conclusion to draw is: uncertainty. The scope and definitions remain vague, lines have been blurred and access for the authorities broadened. Companies have to grant authorities more access to their core technology, are obligated to cooperate closer with law enforcement and accept less freedom regarding the storage location of data.

However, there is a beacon of hope. Since the second draft has been made available to the public, it is possible that lawmakers are open to suggestions and engagement for the final law and that some of the business impeding aspects might be lightened in the end.

If you want to learn more about EU General Data Protection Regulation, you can watch our presentation VIDEO given by Mr.Hoffmann.

ECOVIS Beijing is a consultancy specialized in accounting, audit, tax and legal advisory. Our experienced team has also advised several foreign companies on e-commerce and e-business in China. For further information, please consult our E-Commerce brochure or contact:


 Richard2017 150x225   Richard Hoffmann

Richard Hoffmann is a partner at ECOVIS Beijing China. Richard obtained an honors degree in law and worked in Germany, the United States, and China for various prestigious law firms prior to joining ECOVIS. In addition to being a member of the board of ECOVIS International, he is Supervisor for the China business of a respected German company and shares his extensive knowledge to students by teaching commercial law in China at SRH Hochschule Heidelberg. He has published more than fifty articles in international magazines, frequently speaks at high profile events in China and abroad and is often invited as a legal expert by international TV stations. Contact:


Ecovis Beijing is the trusted tax and legal advisor to several embassies and official institutions in China. It specializes in mid-sized international companies and is focused on tax & legal advisory, accounting and auditing. If you’re interested in finding out more about tax and legal, don’t hesitate to sign up for our Newsletter, give us a call +86 (10) 6561 6609 or contact us directly via