
China Issues Draft Regulations on Cybersecurity Compliance Inspections for Public Security Authorities

Published 4 December 2025 Xia Yu
On 29 November 2025, the Ministry of Public Security of the People’s Republic of China published the draft Measures for Network Space Security Supervision and Inspection by Public Security Authorities (“Draft Measures”) for public consultation. The Draft Measures are intended to replace the 2018 Provisions on Internet Security Supervision and Inspection by Public Security Authorities. Comprising twenty-three articles, the Draft Measures set out procedural rules for the Public Security Authorities to conduct supervision and inspection of network space security, encompassing cybersecurity, information security, and data security. Key provisions address the subjects, methods, contents, and frequency of inspections, as well as the handling of identified issues and corresponding legal liabilities.
The Draft Measures expand the scope of entities subject to supervision and inspection by the Public Security Authorities, incorporating not only traditional “network operators” but also “data processors” and “personal information processors”. The Draft Measures specify that the Public Security Authorities may conduct supervision and inspection over eight categories of entities. These include internet service providers offering services such as internet access, data centers, content delivery, domain name services, and information services; public internet access service providers; network operators along with their developers and maintainers; critical information infrastructure operators together with their developers and maintainers; providers of network products and services; data processors; and personal information processors. This expanded scope covers enterprises that do not directly provide network services but process substantial volumes of data, such as biotechnology and fintech companies. The Draft Measures apply to the supervision and inspection conducted by Public Security Authorities regarding the fulfillment of statutory cybersecurity, information security, and data security obligations by such entities. Entities that have been in operation for less than one year or have experienced incidents within the past two years are designated as key subjects for intensified supervision and inspection.
The Draft Measures prescribe online inspection as the method for supervision and inspection, involving the assessment of an entity’s network space security through measures such as network information patrols, information review capability tests, and vulnerability scanning, all conducted in a manner that does not jeopardize network space security. Risks and potential hazards identified during online inspections are subject to offline verification through on-site inspections. The Draft Measures authorize the Public Security Authorities to employ technical measures, including vulnerability detection and penetration testing, for network space security supervision and inspection of network facilities and information systems, excluding critical information infrastructure, provided that the entity subject to inspection is notified in advance. Consequently, relevant enterprises may face not only documentary reviews but also further technical examinations. For network operators classified under Cybersecurity Level Protection tier 3 or higher and operators of critical information infrastructure, the Public Security Authorities will conduct on-site inspections on an annual basis.
The Draft Measures enumerate eleven key inspection items, encompassing: (i) whether relevant filing and information reporting obligations have been fulfilled; (ii) whether security management systems and operational procedures have been formulated and implemented; (iii) whether user registration information and internet log data have been recorded and retained; (iv) whether obligations regarding cybersecurity level protection and critical information infrastructure security protection have been performed; (v) whether technical measures to prevent viruses, cyber-attacks, or intrusions have been adopted; (vi) whether remedial measures have been taken to address cybersecurity vulnerabilities and potential risks; (vii) whether preventive measures have been implemented regarding information prohibited from publication or transmission; (viii) whether obligations for algorithm security responsibility have been fulfilled, including the establishment of algorithm recommendation management systems and technical measures; (ix) whether data security and personal information protection obligations have been discharged; and (x) whether technical support and assistance have been provided to the Public Security Authorities for national security safeguarding and criminal investigation activities. These inspection items align with multiple legal statutes, such as the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, thereby enabling a single inspection by the Public Security Authorities to concurrently assess an enterprise’s compliance across various domains, including cybersecurity, data classification and grading, personal information protection, and algorithm security. 
Furthermore, the Draft Measures introduce five additional inspection items applicable during major security safeguarding operations, covering: (i) whether relevant work plans have been formulated and security management personnel designated; (ii) whether risk assessments have been conducted and corresponding risk control measures implemented; (iii) whether emergency response plans have been developed and relevant emergency drills carried out, among others.
Regarding issues identified subsequent to supervision and inspection, the Draft Measures clarify follow-up handling procedures. For discovered problems or potential risks that do not constitute a criminal offense, the Draft Measures establish a three-tier notification process. First, Public Security Authorities at or above the county level may issue a Public Security Advisory Notice to the inspected entity, urging it to adopt necessary security preventive measures. Second, Public Security Authorities at or above the level of a city divided into districts may issue a Public Security Advisory Notice to the relevant industry regulatory authority, urging it to enhance the supervision and administration of network space security within its respective industry. Finally, Public Security Authorities at or above the provincial level may issue a Public Security Announcement to the general public. This announcement, which does not identify specific inspected entities, serves to alert the public to network space security risks and potential hazards, prompting the adoption of preventive measures. For major security risks or hazards discovered concerning networks classified at Level 3 or above, critical information infrastructure, or important data, the Draft Measures require notification to be provided to industry regulatory authorities and cyberspace administration departments at the corresponding administrative level. If significant risks or hazards pertaining to critical industries or major network space security are identified, a report must be submitted to the government at the corresponding level and to the superior Public Security Authorities. In such cases, the issuance of a Public Security Advisory Notice or Announcement is also mandated.
In instances where significant security risks are identified or security incidents have occurred, the Public Security Authorities may conduct an interview with the relevant organization or individual. The interviewed party is required to take corrective measures to address and eliminate the identified risks or hazards.
The Draft Measures expand the scope of entities subject to legal liability. They stipulate that the Public Security Authorities and entrusted institutions shall not neglect their duties, abuse their authority, or disclose state secrets or commercial secrets. Violations will result in disciplinary actions or penalties against directly responsible personnel, with criminal liability pursued where such acts constitute a crime. Furthermore, the Draft Measures provide that service organizations and personnel entrusted by the Public Security Authorities to provide technical support shall bear legal liability if they engage in illegal activities, such as network intrusion or data theft. This indicates that the regulatory scope of the Public Security Authorities has been extended along the service supply chain to include third-party technical service providers.
In conclusion, based on relevant provisions concerning the data security supervision responsibilities of the Public Security Authorities stipulated in enacted laws and regulations such as the Data Security Law, the Personal Information Protection Law, and the Regulations on the Administration of Network Data Security, the Draft Measures provide unified and detailed procedural provisions for the Public Security Authorities to enforce cyberspace security supervision. This development further strengthens China’s regulatory framework, which integrates substantive cyberspace security laws (e.g., the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law) with procedural rules (i.e., the Draft Measures). Consequently, multinational corporations must navigate compliance with both China’s regulatory regime and other systems such as the European Union’s General Data Protection Regulation, rendering their global compliance strategies increasingly complex.
