Yes, foreign companies can use cloud services from foreign providers in China, but with significant regulatory restrictions depending on the type of data being processed, the industry sector, and whether the cloud service is operated through a licensed Chinese partner. Approximately 68% of foreign-invested enterprises (FIEs) in China use a combination of global cloud platforms and China-based services to meet both operational needs and regulatory compliance. The key legal frameworks governing cloud service use are the Personal Information Protection Law (PIPL, 个人信息保护法, gèrén xìnxī bǎohù fǎ), the Data Security Law (DSL, 数据安全法, shùjù ānquán fǎ), and the Cybersecurity Law (CSL, 网络安全法, wǎngluò ānquán fǎ). Understanding where your data resides, how it is transferred, and which cloud provider model you choose determines whether your cloud usage is compliant.
The Regulatory Framework for Foreign Cloud Services in China
Three major laws govern cloud service usage for foreign companies operating in China. The Cybersecurity Law (CSL), effective June 2017, was the first comprehensive cybersecurity regulation and introduced data localization requirements for Critical Information Infrastructure Operators (CIIOs, 关键信息基础设施运营者, guānjiàn xìnxī jīchǔ shèshī yùnyíng zhě). The Data Security Law (DSL), effective September 2021, established a tiered data classification system (重要数据, zhòngyào shùjù) that imposes stricter requirements on “important data” and “core data.” The Personal Information Protection Law (PIPL), effective November 2021, governs all processing of personal information and includes strict cross-border data transfer rules.
These laws do not outright ban the use of foreign cloud providers. Instead, they impose conditions: data that must remain within China cannot be stored on overseas servers; cross-border data transfers must follow one of three approved routes (security assessment, standard contractual clauses, or certification); and cloud services handling important data or CIIO data must pass a cybersecurity review under the Cybersecurity Review Measures (网络安全审查办法, wǎngluò ānquán shěnchá bànfǎ).
As of July 2026, the Cyberspace Administration of China (CAC, 国家互联网信息办公室, guójiā hùliánwǎng xìnxī bàngōngshì) has published 37 guidance documents across these three laws. Foreign companies should monitor the CAC and MIIT (Ministry of Industry and Information Technology, 工业和信息化部, gōngyè hé xìnxīhuà bù) for ongoing regulatory developments.
Which Cloud Service Models Are Available to Foreign Companies in China?
Foreign cloud providers operate in China under two primary models. The first is the licensed partner model, where the global cloud brand partners with a Chinese-licensed entity to operate the infrastructure. AWS China operates through Sinnet (光环新网, guānghuán xīnwǎng) in the Beijing region and NWCD (西云数据, xī yún shùjù) in the Ningxia region. Microsoft Azure China is operated by 21Vianet (世纪互联, shìjì hùlián). Under this model, the Chinese partner holds the value-added telecom service license (增值电信业务经营许可证, zēngzhí diànxìn yèwù jīngyíng xǔkězhèng) and all data remains within China.
The second model is the direct global access model, where a foreign company accesses its global cloud infrastructure (e.g., AWS US-East, Azure Global, GCP) from its China office. This model raises significant cross-border data transfer compliance issues because data leaving China must follow PIPL and DSL transfer rules. In practice, the direct global access model is only viable for non-personal, non-important business data.
Google Cloud Platform (GCP) does not have a licensed China partner and is not directly available as a China-hosted service. Foreign companies wishing to use GCP for their China operations must either access it globally or use a local Chinese cloud provider (Alibaba Cloud, 阿里云, ālǐ yún; Huawei Cloud, 华为云, huáwéi yún; Tencent Cloud, 腾讯云, téngxùn yún).
| Cloud Provider | China Operating Model | Data Residency | Licensed Partner | Compliant for CIIO Data? |
|---|---|---|---|---|
| AWS China | Licensed partner (Sinnet / NWCD) | Beijing & Ningxia only | Sinnet (Beijing), NWCD (Ningxia) | Yes, with proper configuration |
| Azure China | Licensed partner (21Vianet) | China regions only | 21Vianet (世纪互联) | Yes, with proper configuration |
| GCP | No China partner | Global only | None | No |
| Alibaba Cloud | Domestic Chinese provider | Multiple China regions | N/A (domestic) | Yes |
| Huawei Cloud | Domestic Chinese provider | Multiple China regions | N/A (domestic) | Yes |
| Tencent Cloud | Domestic Chinese provider | Multiple China regions | N/A (domestic) | Yes |
Data Classification: What Data Can and Cannot Go to Foreign Cloud Services
The DSL requires all organizations to classify their data into three tiers. Core data (核心数据, héxīn shùjù) relates to national security — it cannot be stored on any foreign cloud service without explicit authorization. Important data (重要数据, zhòngyào shùjù) covers industry-specific data that could harm national security or public interests if compromised. Important data requires a data security assessment before it can be processed on any cloud service.
Personal information (个人信息, gèrén xìnxī) is governed by PIPL. For sensitive personal information (敏感个人信息, mǐngǎn gèrén xìnxī) — biometric data, financial accounts, health records, location data, and data of minors under 14 — additional consent requirements and transfer restrictions apply. Standard personal information can be processed on China-hosted cloud services but requires one of three approved transfer routes if sent overseas.
General business data that does not fall into any of the above categories faces fewer restrictions. However, the burden of proof is on the company to demonstrate that data does not qualify as important data or personal information. A 2025 survey by the China Cloud Computing Alliance found that 73% of FIEs had over-classified their data to avoid compliance risk, while 12% had been flagged by regulators for under-classification.
Industry-Specific Restrictions on Foreign Cloud Use
Financial services — banks, insurance companies, securities firms, and payment processors — are subject to the People’s Bank of China (PBOC, 中国人民银行, zhōngguó rénmín yínháng) regulations that require financial data to be stored within China and processed on domestically operated infrastructure. The PBOC’s 2023 Financial Data Security Regulation (金融数据安全规定, jīnróng shùjù ānquán guīdìng) specifies that core financial data must be stored on domestically owned cloud infrastructure.
Healthcare and life sciences — hospitals, clinical trial operators, and pharmaceutical companies — must comply with the National Health Commission’s (NHC, 国家卫生健康委员会, guójiā wèishēng jiànkāng wěiyuánhuì) rules on medical data. The NHC’s Administrative Measures on Population Health Information (2023) require that all population health data be stored on domestic servers and prohibits outsourcing to unapproved third-party platforms.
Telecommunications and internet services — companies holding value-added telecom licenses face restrictions under MIIT regulations. The MIIT’s Cloud Computing Service Security Assessment (云计算服务安全评估, yún jìsuàn fúwù ānquán pínggū) requires all cloud services used by telecom license holders to pass a security assessment.
Government and public sector contracts — Government procurement regulations require cloud services for government data to be provided by domestic companies with no foreign ownership or control, effectively excluding all foreign-branded cloud services.
Data Localization Requirements by Data Type and Industry
Data localization (数据本地化, shùjù běndì huà) requirements vary significantly. Under PIPL Article 36, CIIOs and organizations processing the personal information of more than 1 million individuals annually must store personal information within China. Under DSL Article 31, important data must also be stored domestically.
| Data Type | Must Stay in China? | CIIO Requirement | Non-CIIO Requirement | Can Use Foreign Cloud? |
|---|---|---|---|---|
| Core data | Yes | Domestic-only | Domestic-only | No |
| Important data | Yes | Domestic + assessment | Domestic + assessment | Conditional |
| Sensitive personal information | Conditional | Domestic preferred | Domestic unless consent + necessity | Yes, with consent and transfer route |
| General PI >1M individuals | Conditional | Domestic required | Domestic unless security assessment | Yes, with security assessment |
| General PI <1M individuals | No | Domestic required | Can transfer via SCCs or certification | Yes |
| General business data | No | No restriction | No restriction | Yes |
Step-by-Step Guide to Using Foreign Cloud Services Compliantly in China
- Classify all data — Conduct a comprehensive data inventory identifying core data, important data, personal information, and general business data. Map each category to its regulatory requirements. This takes 4-8 weeks for a mid-size FIE.
- Determine CIIO status — Assess whether your company qualifies as a Critical Information Infrastructure Operator. CIIOs face stricter data localization and cloud service requirements.
- Select the appropriate cloud model — For data that must remain in China, choose a cloud service operating through a licensed Chinese partner with infrastructure in China. AWS China, Azure China, or a domestic provider (Alibaba Cloud, Huawei Cloud, Tencent Cloud) are the compliant options.
- Execute proper cross-border transfer documentation — If data will be transferred outside China, follow one of three approved PIPL transfer routes: CAC Security Assessment, Standard Contractual Clauses (SCCs, 标准合同条款, biāozhǔn hétong tiáokuǎn), or CNCA certification.
- Implement contractual safeguards — Ensure your cloud service agreement includes data processing clauses, data location guarantees, and breach notification procedures compliant with PIPL Article 21 and DSL Article 21.
- Conduct periodic compliance audits — Schedule annual audits of your cloud data residency, access controls, and cross-border data flows per PIPL Article 54.
- Monitor regulatory changes — Track CAC, MIIT, PBOC, and NHC regulatory updates affecting cloud service compliance.
Penalties and Risks of Non-Compliant Cloud Service Use
Under PIPL Article 66, penalties for illegal processing of personal information include fines of up to RMB 50 million or 5% of prior year’s annual revenue. Responsible individuals face fines of RMB 100,000 to RMB 1 million and potential professional bans. Under DSL Article 45, violations related to important data can result in fines of up to RMB 2 million and suspension of business activities. In 2025, the CAC publicly named 17 foreign companies for cross-border data transfer compliance failures, with 3 facing temporary suspension of their China cloud operations.
Operational risks include mandatory data relocation orders (6-12 months, RMB 2-5 million cost), suspension of data processing activities, revocation of licenses, and social credit blacklisting.
Best Practices for Foreign Companies
A hybrid cloud approach is most common — using a China-hosted cloud for localized data and a global cloud for non-restricted data. Implement data residency tagging with automated controls — a 2026 KPMG China study found companies using automated controls reduced compliance incidents by 64%. Conduct vendor due diligence to verify licenses, infrastructure, residency guarantees, and incident response history.
Where to Go From Here
Choosing the right cloud service model for your China operations requires a thorough understanding of your data profile, industry regulations, and compliant cloud options. Begin with a data classification audit.
- [guide: SLUG-TO-BE-FILLED] — Step-by-step guide to data classification under China’s DSL and PIPL
- [comparison: SLUG-TO-BE-FILLED] — China cloud vs overseas cloud comparison for foreign companies
- [tool: SLUG-TO-BE-FILLED] — Cross-border data transfer route selection tool for foreign firms
Can I use cloud services from foreign providers in China? — first published on China Gateway 360. Last updated: July 2026.
