On 31 January 2026, the Ministry of Public Security of China (“MPS”) released the Draft Law on Cybercrime Prevention and Control (Draft for Comments) (“Draft Law”) for public consultation. This marks China’s first comprehensive legislation specifically targeting cybercrime prevention and control, aiming to establish an integrated system featuring “prevention, containment, and governance”. In terms of legal nature, the Draft Law embodies dual attributes of both an “administrative regulation law” and a “technical governance law”: on one hand, it grants extensive regulatory authority to the MPS and multiple other departments; on the other hand, it imposes specific technical prevention obligations on service providers in the telecommunications, financial, and internet sectors. If formally adopted, this Law will, together with the existing Cybersecurity Law, Data Security Law [ http://www.npc.gov.cn/npc/c2/c30834/202106/t20210610_311888.html ], and Personal Information Protection Law [ https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm ], constitute a more robust legal framework for China’s cyberspace governance, with more specific obligations and more stringent punitive measures.
Overview of the Draft Law
The Draft Law applies to cybercrime prevention and control activities conducted within the territory of China; it also holds liable Chinese citizens outside the territory and foreign entities providing services to users within China, where such acts endanger China’s national security, public interests, or the lawful rights and interests of citizens or organizations. The Draft Law consists of 7 chapters and 68 articles, with specific preventive requirements focusing on four key areas: management of basic cyber resources, governance of the cybercrime ecosystem, obligations for cybercrime prevention and control, and cross-border cybercrime prevention and control.
In terms of management of basic cyber resources, the Draft Law sets forth specific requirements regarding real-name registration and the management of devices and software, aiming to curb the rampant use of illicit cards, accounts, lines, and devices exploited by cybercriminals and the underground industry. The Draft Law introduces a two-tier real-name system combining “static registration” with “dynamic verification”. Beyond traditional account-opening real-name checks, it establishes a dynamic identity verification mechanism requiring service providers to increase verification frequency in “areas/periods with high incidence of cybercrime” or upon detecting “abnormal operations”. Failure to pass verification may result in service restrictions, suspensions, or terminations. This provision upgrades the real-name system from “one-time validation” to “continuous dynamic supervision”, fundamentally constricting the operational space of underground industries such as account trading and card hoarding by card dealers. The Draft Law prohibits any individual or organization from engaging in acts that interfere with or undermine the real-name system, and bans the illegal manufacture, sale, or provision of devices or software with functions including automatic repetitive dialing, batch control, number alteration, or virtual positioning. Additionally, Article 17 proposes the construction and provision of a “National Online Identity Authentication Public Service”. This signals that China is building a unified and authoritative digital identity infrastructure. If this public service is promoted, it could reduce costs for enterprises conducting complex identity verification independently, but it also implies that user identity verification will become more closely integrated with the national system.
Regarding governance of the cybercrime ecosystem, the Draft Law adopts a legislative model combining “abstract endangerment offenses” with “prohibitions by enumeration”, bringing within its regulatory scope acts such as providing technical support, financial support, fund transfers, or traffic direction while knowing that others are using the network to commit crimes. The Draft Law explicitly prohibits providing assistance for cybercrimes including technical support, financial support, fund transfers, personnel recruitment, and training; prohibits illegal collection, use, or provision of personal information or data; prohibits services such as withdrawal, transfer, or virtual currency conversion for criminal proceeds; prohibits publishing false information, controlling accounts for fraudulent engagement (brushing), or traffic fraud; prohibits promoting illegal websites or applications; prohibits illegal packaging or distribution of unlawful applications and unauthorized development of client software affecting service fairness; and prohibits fictitious transactions or subsidy fraud through fake orders. Notably, Article 26 regulates virtual currencies—explicitly prohibiting “using virtual currencies or other cyber virtual property to provide fund transfer services for others”. This reflects China’s strategy of precisely targeting the underground industry chain of cybercrime, extending governance reach to front-end supporting links of criminal activities. This provision may have profound implications for emerging fields such as Web3.0 and DeFi. It could substantially impede any commercial activities involving virtual currencies targeting Chinese users, forcing relevant projects to consider in their technical design how to completely avoid any fund interaction with users within China, potentially even affecting the geographical distribution of validation nodes on public chain projects.
Concerning obligations for cybercrime prevention and control, the Draft Law imposes corresponding obligations on various network service providers—including network operators, Internet access service providers, telecommunications service providers, domain name registration/hosting/content delivery service providers, Internet information service providers, mobile intelligent terminal manufacturers, and cybersecurity product/service providers—urging them to establish and improve systems and measures for preventing and detecting cybercrime, fully leveraging their role as the “first line of defense” in cybercrime prevention. Article 40 sets differentiated monitoring, prevention, and blocking obligations according to service types (information publication, online transactions, payment, search, gaming, blockchain, AI, etc.), forming a “scenario-based obligation list”. For example: blockchain service providers must prevent “the publication and dissemination of illegal information on the blockchain”; AI service providers must monitor abnormal behaviors such as “batch generation of malicious code”; data interface services must establish identity authentication and permission verification. This legislative approach, embodying an “exception to technological neutrality”, requires platforms to proactively design crime prevention mechanisms based on the technical characteristics of their services, essentially legalizing the principle of “technology for good” (requiring technology service providers to proactively prevent the risk of technology misuse during the design phase).
In cross-border cybercrime prevention and control, the Draft Law stipulates measures for preventing and controlling transnational and cross-border cybercrime, sanctions for cross-border cybercrime, supervision of cross-border network services, and restrictions on entry/exit of relevant personnel, providing legal support for source governance and blocking of cross-border cybercrime. The Draft Law grants competent authorities the power to seal, seize, and freeze assets derived from crimes committed overseas, and to restrict relevant entities from investing in China. For foreign entities that use the network to harm China’s sovereignty, security, or development interests, measures such as freezing assets and restricting entry may be taken. This reflects China’s legislative attempt to assert jurisdiction based on the “effects principle” in cyberspace.
Analysis of Key Provisions
1. Cross-border Jurisdiction and Compliance Risks: Article 2 of the Draft Law stipulates that foreign organizations or individuals providing services to users within China may be held accountable according to law if their illegal acts harm China’s interests. The jurisdictional principle established in this article implies that the Draft Law may bind foreign entities whose business involves Chinese users, whose products or services are used for criminal activities targeting China, or whose overseas conduct harms China’s national security or public interests. It is recommended that multinational technology companies, financial institutions, and cloud service providers immediately reassess their legal risk exposure regarding China-related businesses, particularly when their business models involve P2P transmission, end-to-end encryption, anonymization services, or decentralized applications, as these areas are highly susceptible to exploitation by criminals, potentially triggering the “long-arm jurisdiction” provisions of Article 2 of the Draft Law.
2. Filing and Supervision of Dual-Use Technical Tools: Articles 14 and 15 mandate filing administration for equipment, software, and tools that “may be extensively used for cybercrimes or violations”, including products with functions such as batch account control, cyber virtual positioning, and intrusion into computer information systems. Sellers must register the true identity information of purchasers. This represents a legal response to the “dual-use” nature of cybersecurity tools. Legitimate security researchers and penetration testing agencies will face stricter compliance requirements, while the circulation of “underground tools” will be substantially blocked. This may render independent, public vulnerability research more difficult within China and could potentially create a certain “chilling effect” on collaborative models in global cybersecurity research that rely on China’s white-hat hacker community.
3. Tendency Towards Administrative Licensing of Vulnerability Research: Article 25 stipulates that vulnerability detection and penetration testing on networks classified as Level 3 protection or above may not be conducted without approval from provincial-level or higher cyberspace administration or public security departments. Even when conducted legally with authorization, reports must be made to public security organs five working days in advance. The “responsible vulnerability disclosure” model encouraged in Europe and America tends to favor establishing private, cooperative disclosure channels between researchers and vendors. Compared with that model, the Draft Law chooses to fully incorporate vulnerability research activities on critical information infrastructure into the track of state administrative licensing, highlighting the prioritization of national security over the free exploration of technology.
4. Technological Shift in Platform Responsibility: The Draft Law upgrades the traditional “notice-takedown” rule to an active prevention obligation of “monitoring-blocking-reporting”. Article 38 authorizes public security organs to require service providers to discontinue services for cards, numbers, or lines suspected of being used for crimes. Article 44 requires network operators to actively block overseas illegal information. Consequently, platforms must invest significant resources in building technical systems for content monitoring, behavioral analysis, and risk warning, and be accountable for the accuracy and fairness of their algorithms. Should major criminal activities exploit their platforms due to monitoring omissions, platforms not only face substantial administrative fines under Article 60 but may also bear civil compensation liability under Article 63, making “compliance” a core risk issue vital to corporate survival.
5. Data Sovereignty and Cross-Border Data Flows: Article 43 requires important data processors to establish “data labeling” and “traceability chains”. Article 44 authorizes blocking overseas illegal information. This suggests that China is constructing a cross-border data flow control mechanism within the framework of “data sovereignty”, potentially impacting multinational corporations’ data localization and cross-border transfer strategies. This means multinational enterprises must not only focus on where data is stored but also pay attention to its “flow trajectory” and “labels”. Routine operations such as internal cross-border data sharing and inter-group data retrieval may require establishing new compliance review and record-keeping mechanisms.
Conclusion
The Draft Law represents a systematic legislative attempt by China in the field of cyberspace governance. Its core characteristics can be summarized as: building a full-chain, full-cycle cybercrime prevention and control system based on real-name registration, leveraging platform responsibility, employing technical prevention and control measures, and extending through cross-border jurisdiction. For international enterprises operating in China or targeting Chinese users, the Draft Law undoubtedly sends a clear signal: China’s cyber regulation is deeply evolving from “compliance management” to “risk governance”. Actively tracking legislative developments, conducting gap analyses of business models in advance, and collaborating with legal professionals to establish internal cybercrime prevention and control systems conforming to Chinese requirements will be pragmatic approaches to navigating this new regulatory landscape.
Overview of the Draft Law
The Draft Law applies to cybercrime prevention and control activities conducted within the territory of China; it also holds liable Chinese citizens outside the territory and foreign entities providing services to users within China, where such acts endanger China’s national security, public interests, or the lawful rights and interests of citizens or organizations. The Draft Law consists of 7 chapters and 68 articles, with specific preventive requirements focusing on four key areas: management of basic cyber resources, governance of the cybercrime ecosystem, obligations for cybercrime prevention and control, and cross-border cybercrime prevention and control.
In terms of management of basic cyber resources, the Draft Law sets forth specific requirements regarding real-name registration and the management of devices and software, aiming to curb the rampant use of illicit cards, accounts, lines, and devices exploited by cybercriminals and the underground industry. The Draft Law introduces a two-tier real-name system combining “static registration” with “dynamic verification”. Beyond traditional account-opening real-name checks, it establishes a dynamic identity verification mechanism requiring service providers to increase verification frequency in “areas/periods with high incidence of cybercrime” or upon detecting “abnormal operations”. Failure to pass verification may result in service restrictions, suspensions, or terminations. This provision upgrades the real-name system from “one-time validation” to “continuous dynamic supervision”, fundamentally constricting the operational space of underground industries such as account trading and card hoarding by card dealers. The Draft Law prohibits any individual or organization from engaging in acts that interfere with or undermine the real-name system, and bans the illegal manufacture, sale, or provision of devices or software with functions including automatic repetitive dialing, batch control, number alteration, or virtual positioning. Additionally, Article 17 proposes the construction and provision of a “National Online Identity Authentication Public Service”. This signals that China is building a unified and authoritative digital identity infrastructure. If this public service is promoted, it could reduce costs for enterprises conducting complex identity verification independently, but it also implies that user identity verification will become more closely integrated with the national system.
Regarding governance of the cybercrime ecosystem, the Draft Law adopts a legislative model combining “abstract endangerment offenses” with “prohibitions by enumeration”, bringing within its regulatory scope acts such as providing technical support, financial support, fund transfers, or traffic direction while knowing that others are using the network to commit crimes. The Draft Law explicitly prohibits providing assistance for cybercrimes including technical support, financial support, fund transfers, personnel recruitment, and training; prohibits illegal collection, use, or provision of personal information or data; prohibits services such as withdrawal, transfer, or virtual currency conversion for criminal proceeds; prohibits publishing false information, controlling accounts for fraudulent engagement (brushing), or traffic fraud; prohibits promoting illegal websites or applications; prohibits illegal packaging or distribution of unlawful applications and unauthorized development of client software affecting service fairness; and prohibits fictitious transactions or subsidy fraud through fake orders. Notably, Article 26 regulates virtual currencies—explicitly prohibiting “using virtual currencies or other cyber virtual property to provide fund transfer services for others”. This reflects China’s strategy of precisely targeting the underground industry chain of cybercrime, extending governance reach to front-end supporting links of criminal activities. This provision may have profound implications for emerging fields such as Web3.0 and DeFi. It could substantially impede any commercial activities involving virtual currencies targeting Chinese users, forcing relevant projects to consider in their technical design how to completely avoid any fund interaction with users within China, potentially even affecting the geographical distribution of validation nodes on public chain projects.
Concerning obligations for cybercrime prevention and control, the Draft Law imposes corresponding obligations on various network service providers—including network operators, Internet access service providers, telecommunications service providers, domain name registration/hosting/content delivery service providers, Internet information service providers, mobile intelligent terminal manufacturers, and cybersecurity product/service providers—urging them to establish and improve systems and measures for preventing and detecting cybercrime, fully leveraging their role as the “first line of defense” in cybercrime prevention. Article 40 sets differentiated monitoring, prevention, and blocking obligations according to service types (information publication, online transactions, payment, search, gaming, blockchain, AI, etc.), forming a “scenario-based obligation list”. For example: blockchain service providers must prevent “the publication and dissemination of illegal information on the blockchain”; AI service providers must monitor abnormal behaviors such as “batch generation of malicious code”; data interface services must establish identity authentication and permission verification. This legislative approach, embodying an “exception to technological neutrality”, requires platforms to proactively design crime prevention mechanisms based on the technical characteristics of their services, essentially legalizing the principle of “technology for good” (requiring technology service providers to proactively prevent the risk of technology misuse during the design phase).
In cross-border cybercrime prevention and control, the Draft Law stipulates measures for preventing and controlling transnational and cross-border cybercrime, sanctions for cross-border cybercrime, supervision of cross-border network services, and restrictions on entry/exit of relevant personnel, providing legal support for source governance and blocking of cross-border cybercrime. The Draft Law grants competent authorities the power to seal, seize, and freeze assets derived from crimes committed overseas, and to restrict relevant entities from investing in China. For foreign entities that use the network to harm China’s sovereignty, security, or development interests, measures such as freezing assets and restricting entry may be taken. This reflects China’s legislative attempt to assert jurisdiction based on the “effects principle” in cyberspace.
Analysis of Key Provisions
1. Cross-border Jurisdiction and Compliance Risks: Article 2 of the Draft Law stipulates that foreign organizations or individuals providing services to users within China may be held accountable according to law if their illegal acts harm China’s interests. The jurisdictional principle established in this article implies that the Draft Law may bind foreign entities whose business involves Chinese users, whose products or services are used for criminal activities targeting China, or whose overseas conduct harms China’s national security or public interests. It is recommended that multinational technology companies, financial institutions, and cloud service providers immediately reassess their legal risk exposure regarding China-related businesses, particularly when their business models involve P2P transmission, end-to-end encryption, anonymization services, or decentralized applications, as these areas are highly susceptible to exploitation by criminals, potentially triggering the “long-arm jurisdiction” provisions of Article 2 of the Draft Law.
2. Filing and Supervision of Dual-Use Technical Tools: Articles 14 and 15 mandate filing administration for equipment, software, and tools that “may be extensively used for cybercrimes or violations”, including products with functions such as batch account control, cyber virtual positioning, and intrusion into computer information systems. Sellers must register the true identity information of purchasers. This represents a legal response to the “dual-use” nature of cybersecurity tools. Legitimate security researchers and penetration testing agencies will face stricter compliance requirements, while the circulation of “underground tools” will be substantially blocked. This may render independent, public vulnerability research more difficult within China and could potentially create a certain “chilling effect” on collaborative models in global cybersecurity research that rely on China’s white-hat hacker community.
3. Tendency Towards Administrative Licensing of Vulnerability Research: Article 25 stipulates that vulnerability detection and penetration testing on networks classified as Level 3 protection or above may not be conducted without approval from provincial-level or higher cyberspace administration or public security departments. Even when conducted legally with authorization, reports must be made to public security organs five working days in advance. The “responsible vulnerability disclosure” model encouraged in Europe and America tends to favor establishing private, cooperative disclosure channels between researchers and vendors. Compared with that model, the Draft Law chooses to fully incorporate vulnerability research activities on critical information infrastructure into the track of state administrative licensing, highlighting the prioritization of national security over the free exploration of technology.
4. Technological Shift in Platform Responsibility: The Draft Law upgrades the traditional “notice-takedown” rule to an active prevention obligation of “monitoring-blocking-reporting”. Article 38 authorizes public security organs to require service providers to discontinue services for cards, numbers, or lines suspected of being used for crimes. Article 44 requires network operators to actively block overseas illegal information. Consequently, platforms must invest significant resources in building technical systems for content monitoring, behavioral analysis, and risk warning, and be accountable for the accuracy and fairness of their algorithms. Should major criminal activities exploit their platforms due to monitoring omissions, platforms not only face substantial administrative fines under Article 60 but may also bear civil compensation liability under Article 63, making “compliance” a core risk issue vital to corporate survival.
5. Data Sovereignty and Cross-Border Data Flows: Article 43 requires important data processors to establish “data labeling” and “traceability chains”. Article 44 authorizes blocking overseas illegal information. This suggests that China is constructing a cross-border data flow control mechanism within the framework of “data sovereignty”, potentially impacting multinational corporations’ data localization and cross-border transfer strategies. This means multinational enterprises must not only focus on where data is stored but also pay attention to its “flow trajectory” and “labels”. Routine operations such as internal cross-border data sharing and inter-group data retrieval may require establishing new compliance review and record-keeping mechanisms.
Conclusion
The Draft Law represents a systematic legislative attempt by China in the field of cyberspace governance. Its core characteristics can be summarized as: building a full-chain, full-cycle cybercrime prevention and control system based on real-name registration, leveraging platform responsibility, employing technical prevention and control measures, and extending through cross-border jurisdiction. For international enterprises operating in China or targeting Chinese users, the Draft Law undoubtedly sends a clear signal: China’s cyber regulation is deeply evolving from “compliance management” to “risk governance”. Actively tracking legislative developments, conducting gap analyses of business models in advance, and collaborating with legal professionals to establish internal cybercrime prevention and control systems conforming to Chinese requirements will be pragmatic approaches to navigating this new regulatory landscape.