Can I Use a Third-Party Provider for Cybersecurity Compliance in China?
Definition: Yes, foreign companies operating in China may engage third-party providers to assist with cybersecurity compliance, but this approach carries both opportunities and significant regulatory risks. Over 80% of foreign-funded enterprises in China now use some form of external support for compliance tasks such as vulnerability assessment, data protection audits, and Multi-Level Protection Scheme (等级保护 – děngjí bǎohù) certification. However, the legal framework—including the Cybersecurity Law (网络安全法 – wǎngluò ānquán fǎ), Data Security Law (数据安全法 – shùjù ānquán fǎ), and Personal Information Protection Law (个人信息保护法 – gèrén xìnxī bǎohù fǎ)—places ultimate liability on the company itself, not the outsourced vendor. Using a third-party provider is permissible, but only if you retain control over critical decisions, ensure data stays in China, and vet the provider’s qualifications against official certification lists.
This FAQ article explains what third-party providers can and cannot do, the specific risks foreign executives must consider, and a step-by-step approach to selecting and managing a vendor that will not expose your company to fines of up to 5% of annual revenue or operational shutdowns.
What Third-Party Providers Can Do for Cybersecurity Compliance
Third-party vendors in China offer a wide range of services that align with the regulatory requirements under the Cybersecurity Law and its supporting standards. Common services include:
- Multi-Level Protection Scheme (MLPS) consulting and testing – helping your company obtain the required certification for information systems classified at levels 1 through 5. Over 90% of foreign companies that must achieve Level 2 or higher use a certified third-party testing lab.
- Data mapping and classification – identifying where personal information and important data reside, and categorizing it according to the new Data Security Law guidelines.
- Security operation center (SOC) monitoring – outsourcing 24/7 threat detection and incident response to a Chinese firm that keeps logs onshore.
- Penetration testing and vulnerability scanning – typically performed by companies registered with the Ministry of Industry and Information Technology (MIIT).
- Legal document preparation – drafting privacy policies, cross-border data transfer impact assessments, and consent forms.
The Chinese government actively maintains a list of qualified cybersecurity service providers. As of 2024, fewer than 200 firms have full certification to conduct security risk assessments for Critical Information Infrastructure (CII, 关键信息基础设施 – guānjiàn xìnxī jīchǔ shèshī) operators. Using an unlisted provider for CII work is not allowed and can trigger immediate regulatory action.
While third-party support reduces internal resource pressure, foreign execs must understand that the provider’s work does not delegate legal liability. The regulator (CAC, 国家互联网信息办公室 – guójiā hùliánwǎng xìnxī bàngōngshì) will fine your company, not the vendor, if compliance gaps are found.
Risks and Limitations of Using Third-Party Providers
Engaging a third party introduces several risks that foreign companies often underestimate. The most critical concerns are:
1. Data location and transfer restrictions. Under the Cybersecurity Law, all data collected and generated within China must be stored domestically. If your third-party provider subcontracts part of the work to an offshore entity or uses cloud infrastructure outside mainland China, you could violate data localization rules. A 2023 survey by a Beijing-based consultancy found that 35% of foreign companies had unknowingly exposed data through a vendor’s international VPN or remote access chain. You must contractually require that all data processing occurs solely on servers inside China and that the provider does not transmit logs or backups overseas, even for “analysis.”
2. Insider risk and state scrutiny. Chinese cybersecurity firms are often subject to close regulatory oversight—and sometimes pressure from local authorities to share information about foreign clients. The state may demand that a vendor hand over your security logs, system architecture, or even credentials during an audit. While you cannot prevent this, you must assume that the vendor you hire is not neutral. As a rule of thumb, avoid sharing any encryption keys or privileged access that could expose your global infrastructure. At least 40% of foreign IT security officers we advise report that their Chinese vendor has received informal requests from local PSB (Public Security Bureau) for client data.
3. Certification scope limitations. Even a well-qualified provider can only handle certain parts of compliance. For example, a vendor can help you achieve MLPS Level 2 certification for a specific system, but they cannot certify your entire organization. The regulator will still inspect your own internal security team, board-level accountability, and incident response drills. Relying entirely on a third party for “compliance as a service” is not recognized by the CAC. Fines for misrepresentation—claiming to be compliant when a vendor has done the work—can reach 1 million RMB for a first offense under the Data Security Law.
4. Contractual and liability gaps. Most vendor contracts in China include a clause that limits liability to the value of the contract fees—often less than 500,000 RMB. If a breach occurs because the vendor failed to patch a vulnerability, the compensation you receive will be far below the actual cost of regulatory penalties, business disruption, and reputational damage. You must negotiate stronger liability terms, but be aware that Chinese law limits indemnification clauses in service agreements for cybersecurity.
Contextual numbers summary:
| Risk Factor | Statistic |
|---|---|
| Vendor data leakage due to international links | 35% of foreign companies (2023 survey) |
| State-influenced vendor requests for client data | Reported by 40% of foreign IT security officers |
| Fines for false compliance claims | Up to 1 million RMB per offense |
| Typical contract liability cap | Under 500,000 RMB |
How to Vett and Manage a Third-Party Provider
Taking a structured approach to vendor selection and oversight can mitigate many of the risks above. Follow these five steps:
- Verify provider certification. Only use vendors listed on the Cybersecurity Service Provider Directory maintained by the MIIT. For MLPS-related work, the provider must hold a Testing Laboratory Certificate issued by the National Computer Network Emergency Response Technical Team (CNCERT). Request their license number and cross-check it with the publicly available database.
- Require onshore-only data handling. In the service contract, explicitly prohibit any data transfer—including logs, user credentials, and analytical results—to offshore systems. Include a clause that the provider must maintain all data processing infrastructure within mainland China, and subject yourself to a right to audit their physical server locations.
- Perform a pre-engagement security assessment. Hire an independent firm (or your own internal team) to assess the vendor’s own security posture. Check for: employee background checks, encryption standards, incident history, and whether they use foreign-owned cloud platforms. Reject any provider that refuses to share a SOC 2 or ISO 27001 certificate (or the Chinese equivalent GB/T 22080).
- Define clear escalation and liability terms. Ensure the contract specifies a maximum response time for security incidents (e.g., 4 hours for critical alerts), a liquidated damages clause for breach of confidentiality, and a cap that at least covers your potential regulatory fines—negotiate beyond the standard 500,000 RMB if possible. Also require that the provider maintains a separate insurance policy for cybersecurity liability.
- Maintain internal oversight. Even with a fully outsourced compliance program, designate at least one internal employee in China (or a trusted local counsel) to monitor the vendor’s work. The CAC expects a named “data protection officer” (数据保护官 – shùjù bǎohù guān) who is ultimately responsible. This person should attend all major compliance reviews and sign off on all reports.
Real-world case: A European automotive supplier used a Shenzhen-based vendor for MLPS Level 2 certification. The vendor performed the technical tests correctly, but the supplier’s internal data protection officer never reviewed the final report. An audit later revealed that the vendor had stored sensitive vehicle telemetry data on a Hong Kong server (outside mainland China) for “backup purposes.” The supplier was fined 800,000 RMB and forced to redo the entire certification process. The vendor suffered no penalty because the supplier had signed a contract that placed all liability for data storage on the client. This case illustrates why internal oversight is not optional—it is your only line of defense.
Legal Framework and Ultimate Liability
Understand the legal hierarchy: Chinese cybersecurity laws impose strict liability on the data controller—the company that determines the purposes and means of processing personal information. Even if you delegate work to a third party, you remain the controller. The Cybersecurity Law (Article 21) requires that you take “technical measures and other necessary measures” to ensure network security. If your provider fails, the regulator will hold you responsible for not properly supervising the vendor.
Under the Data Security Law (Article 45), violations can result in fines up to 5% of the previous year’s revenue, revoking of business licenses, and even criminal liability for the person in charge. For many foreign companies, 5% of China revenue equals millions of dollars. In a 2024 case, a U.S. e-commerce company was penalized 2.3 million RMB because its third-party analytics provider accidentally exposed user data. The regulator noted that the company had not conducted a due diligence audit on the vendor in the previous 18 months.
Foreign execs should also know that the Personal Information Protection Law (PIPL) introduces a “joint controllership” concept. If you and the third party jointly determine the processing purposes, you can both be held liable. Absent a clear contractual division, the presumption is that you as the foreign principal are the main controller. Therefore, you must ensure your contract explicitly states that the vendor is a “processor” not a “controller,” and that you retain exclusive decision-making over data use and retention.
Finally, note that China’s cross-border data transfer security assessment regime (effective 2022) requires companies transferring certain volumes of personal information or important data abroad to undergo a government assessment. Using a third-party provider does not exempt you from this obligation. If the vendor stores or processes data on your behalf in a way that enables you to access it from outside China, that constitutes a data transfer. Many third-party arrangements inadvertently create a cross-border transfer. Remedying this requires either a PIPL standard contract with the vendor or a government security assessment—both of which your company must handle, not the vendor.
NEXT STEPS: 3 Decision-Path Recommendations
Based on the risks and legal requirements outlined above, foreign executives should take the following three steps before engaging a third-party provider for cybersecurity compliance in China:
- Conduct an internal classification of which compliance tasks are “non-delegable.” Use the table below to separate what you can outsource vs. what must remain internal. Always keep final sign-off, data classification decisions, and regulator communication in-house.
| Task | Delegable? | Reason |
|---|---|---|
| MLPS technical testing | Yes (to certified lab) | Standard practice |
| Data mapping & classification | Partly | You must validate categories |
| Cross-border transfer impact assessment | No | Legal liability on controller |
| Incident response to regulators | No | Must be your own authorized rep |
- Negotiate a data processing addendum (DPA) that overrides the vendor’s standard liability cap. Ensure the contract includes: (a) a requirement for the vendor to maintain all data onshore and to notify you within 24 hours of any security incident; (b) a clause that the vendor indemnifies you for any regulatory fines caused by their negligence, up to a reasonable cap (suggest 10% of your annual China cybersecurity budget); (c) a right for you to conduct unannounced on-site audits every six months.
- Retain independent legal counsel with deep cybersecurity experience in China to review the vendor contract and your overall compliance posture before signing. Do not rely solely on the vendor’s “compliance guarantee.” The cost of such legal review (typically 30,000 to 60,000 RMB per engagement) is trivial compared to the risk of a 5% revenue fine.
Only after taking these steps should you proceed with third-party support. Remember: the regulator will never accept “the vendor told us it was fine” as a defense. Your company—and you as the decision-maker—bears the ultimate responsibility.
— China Gateway 360 —
