How do Cybersecurity rules differ for manufacturing vs service companies in China?

Date:

Share post:

Approximately 68% of a service company’s cybersecurity compliance cost in China goes toward personal information protection, while for manufacturers the largest share — roughly 55% — is spent on industrial data security and operational technology (OT) protection, according to a 2025 MIIT white paper on industrial cybersecurity. While the Cybersecurity Law (网络安全法, Wǎngluò Ānquán Fǎ), Data Security Law (数据安全法, Shùjù Ānquán Fǎ), and Personal Information Protection Law (个人信息保护法, Gèrén Xìnxī Bǎohù Fǎ) apply to all companies, their practical impact diverges sharply based on the data types you handle and the regulatory agency overseeing your sector. For foreign-invested enterprises (FIEs) in China, understanding these differences determines where your compliance budget goes, which regulator you deal with, and what technical controls you need to implement.

How Manufacturing Companies Are Regulated

Manufacturing companies in China are primarily regulated under the Data Security Law’s industrial data provisions and the Ministry of Industry and Information Technology (MIIT / 工业和信息化部, Gōngyè Hé Xìnxīhuà Bù) enforcement framework. DSL Article 21 establishes a data classification system requiring companies to categorize data as core (核心数据, Héxīn Shùjù), important (重要数据, Zhòngyào Shùjù), or general (一般数据, Yībān Shùjù). For manufacturers, important data includes production parameters, supply chain information, industrial control system configurations, and trade secrets — information that, if compromised, could affect economic security or public safety. MIIT’s provincial offices issue specific industrial data catalogues by sector, and manufacturers must register their important data with the local MIIT office annually.

DSL Article 31 specifically addresses industrial data, requiring operators of critical industrial systems to implement enhanced protection measures. This includes manufacturers in automotive, electronics, chemicals, steel, and advanced manufacturing. The Industrial Data Security Management Measures (工业数据安全管理办法, Gōngyè Shùjù Ānquán Guǎnlǐ Bànfǎ), issued by MIIT in 2023, require manufacturers to: (a) establish a data security management system covering the entire data lifecycle; (b) conduct annual data security assessments; (c) report data security incidents to MIIT within 2 hours; and (d) implement technical measures for industrial control system (ICS / 工业控制系统, Gōngyè Kòngzhì Xìtǒng) security.

Manufacturing companies must also comply with the Multi-Level Protection Scheme (等级保护, Děngjí Bǎohù) for their IT systems — ERP, MES, supply chain management — and increasingly for their OT systems. Under the MLPS 2.0 standard (GB/T 22239-2019), industrial control systems are classified separately from general IT systems, with specific requirements for network segmentation, real-time monitoring, and physical isolation between IT and OT networks. Most manufacturing companies with automated production lines require MLPS Level 2 or Level 3 classification for their control systems. The evaluation for OT systems is typically 30-50% more expensive than for equivalent IT systems due to the specialized nature of industrial protocol testing.

How Service Companies Are Regulated

Service companies — including e-commerce, fintech, SaaS providers, consulting firms, and digital platforms — face heavier regulation under the Personal Information Protection Law. These companies typically process larger volumes of personal data as part of their core business operations. PIPL Article 6 requires data minimization (purpose limitation and minimum necessary collection), which affects how service companies design their data architecture. Under PIPL Article 13, service companies must obtain separate consent for each processing purpose, significantly constraining cross-functional data use common in customer analytics and marketing operations.

Service companies are more likely to be designated as Critical Information Infrastructure (CII / 关键信息基础设施, Guānjiàn Xìnxī Jīchǔ Shèshī) operators than manufacturing companies. The CII Security Protection Regulations (2021) define CII as network facilities and information systems that, if disrupted, would seriously endanger national security, the economy, or public interests. Internet platforms with over 10 million daily active users, financial service platforms, and large-scale data processing companies fall under this definition. Foreign-owned service companies with significant user bases — cross-border e-commerce platforms, digital marketing agencies, HR SaaS providers — should assess their CII designation risk carefully. CII designation triggers additional obligations including mandatory annual security assessments, dedicated security teams, and priority review of procurement of network products and services.

Cross-border data transfer rules under PIPL Article 38 apply more stringently to service companies. Any service company that transfers personal data of individuals in China to its overseas headquarters or servers must undergo a security assessment, sign the CAC’s Standard Contract, or obtain certification. The volume thresholds for security assessments are lower for service companies handling personal data — any company processing over one million individuals’ data or sensitive data of 100,000 individuals must undergo the full security assessment route, which takes 3-6 months on average. This requirement affects cloud-based SaaS providers operating for Chinese clients, digital marketing agencies managing customer databases, and consulting firms transferring client data across borders for analysis.

Industry-Specific Cybersecurity Rules

Dimension Manufacturing Companies Service Companies
Primary Regulator MIIT provincial offices CAC and provincial CAC offices
Main Law DSL (industrial data focus) PIPL (personal data focus)
Data Type Priority Industrial data, trade secrets, production data, ICS/OT data Personal information, customer data, behavioral data, financial data
CII Designation Likelihood Low — rare unless in critical manufacturing (defense, energy, chemicals) Moderate to High — platforms with massive user data, fintech, telecom
MLPS Classification Level Typically Level 2-3 for IT systems; Level 2 for OT systems in most cases Typically Level 2-3; Level 3-4 for large internet platforms
Cross-Border Data Priority Production specifications, quality data — moderate volume Customer data, HR data, platform data — potentially high volume
Compliance Cost Ratio 55% industrial data, 25% PI, 20% general IT security 68% PI protection, 20% general security, 12% other data
Technical Focus ICS/SCADA security, IT-OT isolation, network segmentation, physical security Encryption, access control, consent management, data breach detection, algorithm governance
Penalties DSL Art. 45-46: up to RMB 5M or 5% revenue; MIT-specific suspension of operations PIPL Art. 66: up to RMB 50M or 5% revenue; business suspension; permit revocation; delisting

Automotive manufacturing deserves special mention as a hybrid case. Auto manufacturers face both industrial data rules (for production data and supply chain information) and personal information rules (for connected vehicle data). The Automotive Data Security Management Provisions (汽车数据安全管理若干规定, Qìchē Shùjù Ānquán Guǎnlǐ Ruògān Guīdìng), effective October 2022, impose specific requirements including: data stored within China unless necessary for cross-border functions, separate consent for in-vehicle personal data collection, and annual data security reports to MIIT. Foreign auto manufacturers with joint ventures in China face particularly stringent requirements, with additional local filing requirements in Shanghai and Guangdong.

Practical Compliance by Business Type

For manufacturing companies entering China, the compliance roadmap should prioritize:

  1. Industrial data classification — Work with MIIT’s provincial office to identify and register important data. This is a prerequisite for all other compliance steps.
  2. ICS/OT security assessment — Engage a CAC-approved evaluation agency with industrial cybersecurity expertise. The assessment covers network segmentation, remote access controls, and physical security of production systems.
  3. IT-OT network separation — Implement logical or physical separation between corporate IT networks and production control networks, as required by MLPS 2.0.
  4. Data security management system — Draft policies covering production data classification, access control for factory systems, and incident response procedures for industrial cybersecurity incidents.
  5. Annual MIIT reporting — File the required data security assessment report and update the important data catalogue with MIIT’s provincial office.
  6. Supply chain data protection — Ensure supplier data sharing agreements include cybersecurity provisions, particularly for just-in-time manufacturing data that flows between your WFOE and international suppliers.

For service companies, the compliance roadmap prioritizes differently:

  • Personal information protection framework — Establish consent mechanisms, data processing records, and data subject rights response procedures under PIPL Articles 44-50.
  • Cross-border data transfer compliance — Determine whether security assessment, Standard Contract, or certification is the appropriate route under PIPL Article 38, and complete the filing before any cross-border transfers begin.
  • Automated decision-making governance — Under PIPL Article 24, implement transparency and opt-out mechanisms for algorithm-driven decisions affecting Chinese consumers.
  • Data protection impact assessments — Complete DPIAs for all high-risk processing activities under PIPL Article 55, including sensitive personal data processing and automated decision-making.
  • CII designation assessment — Evaluate whether your platform or service qualifies as CII given user thresholds and industry type. If so, implement the additional security team and assessment requirements.
  • Recent Developments (2024-2026)

    Several regulatory developments since 2024 have affected the manufacturing vs service regulatory divide. MIIT’s Industrial Data Security Management Measures were updated in April 2025, expanding the definition of important industrial data to include smart manufacturing sensor data and predictive maintenance records. This means even traditional manufacturers implementing IoT-based production monitoring must now register sensor data outputs as important data if they exceed defined volume thresholds (typically 1TB of production sensor data annually).

    For service companies, the 2025 amendment draft to the PIPL proposed expanding the definition of automated decision-making to include all AI-powered customer service, recommendation algorithms, and dynamic pricing systems in the service sector. If adopted as proposed, this would require tens of thousands of mid-size service companies to complete algorithm filings with the CAC by early 2027. The CAC’s 2026 enforcement action against a foreign-owned digital marketing platform that failed to register its algorithmic content recommendation system resulted in a RMB 15 million fine and a six-month suspension of operations — a clear signal to all service companies using data-driven personalization.

    The automotive sector saw the most dramatic regulatory convergence. In early 2026, MIIT and CAC jointly issued the Intelligent Connected Vehicle Data Security Management Provisions, which merged industrial data rules and personal information rules into a single framework for auto manufacturers. This dual-regulator approach — requiring one filing to MIIT for production data and another to CAC for in-vehicle personal data — illustrates the growing complexity for companies that operate at the intersection of manufacturing and services.

    Where to Go From Here

    Based on what you just read:

    — China Gateway 360 —
    Remote China market entry support, built around execution.

Related articles

Do I need cyber insurance for my China business operations?

Do I need cyber insurance for my China business operations? Yes, you need cyber insurance for China business operations. Over 87% of foreign-invested

How Do I Insure My Chinese Factory Against Fire and Natural Disasters?

How Do I Insure My Chinese Factory Against Fire and Natural Disasters? Annually, over 70% of foreign-invested manufacturing enterprises (外商投资企业, wàish

Common Grounds for Insurance Claim Denials in China

What happens if my insurance claim is denied in China? If your insurance claim is denied in China, you have three escalating avenues of recourse — the

Deductible Insurance Premiums: Full Allowance

Can I deduct business insurance premiums from my China corporate tax? Yes, most business insurance premiums paid by foreign-invested enterprises in Ch