What documents are required for Cybersecurity compliance in China?

Date:

Share post:

FAQ · China Cybersecurity Compliance

Foreign executives building a China digital presence must prepare a baseline set of exactly 15 distinct document categories spanning registration forms, technical assessments, policies, and audit records to satisfy the Cybersecurity Law (CSL; 网络安全法, wǎngluò ānquán fǎ), the Data Security Law (DSL; 数据安全法, shùjù ānquán fǎ), and the Personal Information Protection Law (PIPL; 个人信息保护法, gèrén xìnxī bǎohù fǎ). These documents fall under China’s Multi-Level Protection Scheme (MLPS; 等级保护, děngjí bǎohù) and Critical Information Infrastructure (CII; 关键信息基础设施, guānjiàn xìnxī jīchǔ shèshī) regimes, with mandatory filing windows and annual renewal cycles. Below is a structured FAQ covering the document inventory, regulatory basis, and practical submission steps.

Key numbers to know: (1) 30 days – the window to file a Level 2 or 3 MLPS registration after a system goes live. (2) 100+ data fields may be required in a Data Security Impact Assessment (DSIA) for cross-border transfers. (3) 5 million RMB – maximum fine for failing to maintain compliance documentation under PIPL Article 66. (4) 10+ government agencies, including the Cyberspace Administration of China (CAC; 国家互联网信息办公室, guójiā hùliánwǎng xìnxī bàngōngshì) and Ministry of Public Security (MPS; 公安部, gōng’ān bù), may request document submissions during cybersecurity reviews.

1. Core Registration Documents: MLPS and CII Filing

The Multi-Level Protection Scheme (MLPS; 等级保护, dějí bǎohù) is the bedrock of China’s cybersecurity compliance. Every information system, from corporate email to customer databases, must be classified into one of five protection levels (Level 1–5). For Level 2 and above, organizations must submit a formal registration package to the local public security bureau (MPS) within 30 days of system commissioning. The documentation bundle includes:

  • System Security Classification Report (定级报告, dìngjí bàogào) – a document justifying the chosen protection level based on business impact, user scale, and data sensitivity. Must include a self-assessment and a certified evaluator’s signature for Levels 2–4.
  • Security Protection Architecture Diagram (安全保护架构图, ānquán bǎohù jiàgòu tú) – a network topology showing firewalls, encryption gateways, intrusion detection systems, and data flow boundaries.
  • Information System Registration Form (信息系统安全等级保护备案表, xìnxī xìtǒng ānquán děngjí bǎohù bèi’àn biǎo) – the official MPS template containing system name, location, operator entity, responsible person, and contact details.
  • Business Continuity and Disaster Recovery Plan (业务连续性及灾备方案, yèwù liánxùxìng jí zāibèi fāng’àn) – outlining RPO/RTO targets, backup frequency, and testing schedules.

For entities deemed Critical Information Infrastructure (CII; 关键信息基础设施, guānjiàn xìnxī jīchǔ shèshī) – typically those in finance, energy, transportation, telecom, and healthcare with over 1 million user records – an additional CII identification form and a separate security assessment report must be filed with the CAC. The CII documentation requires stronger evidence of supply-chain risk management and continuous monitoring capabilities. Without these documents, foreign companies cannot operate their networks lawfully beyond the 30-day grace period.

2. Data Security and Personal Information Protection Documents

Since the PIPL and DSL took effect, foreign companies processing personal data in China (or data of Chinese residents) must compile a folder of compliance records. The required documents can be grouped into three sub-categories:

2.1 Impact Assessments and Transfer Records

The Personal Information Protection Impact Assessment (PIPIA; 个人信息保护影响评估报告, gèrén xìnxī bǎohù yǐngxiǎng pínggù bàogào) is mandatory for any data processing involving biometrics, financial records, location tracking, or cross-border transfers. The report must contain at least 15 data points, including processing purpose, data retention period, risk level, and mitigation measures. For cross-border data flows, a separate Cross-Border Data Transfer Security Assessment Application (数据出境安全评估申请表, shùjù chūjìng ānquán pínggù shēnqǐng biǎo) is required when the volume exceeds 100,000 individuals’ data annually or 10,000 individuals’ sensitive data.

2.2 Privacy Policy and Consent Records

A bilingual (Chinese–English) Privacy Policy (隐私政策, yǐnsī zhèngcè) is a fundamental document. Chinese regulators expect it to be displayed prominently on apps and websites, with clear language on data categories, third-party sharing, rights of access and deletion, and dispute resolution. Under PIPL, companies must retain documented Consent Records (同意记录, tóngyì jìlù) for each data subject – typically stored in a secure database or signed paper forms. These records must be available for inspection within 24 hours of a CAC request.

2.3 Data Classification and Encryption Policies

Companies must maintain a Data Classification Matrix (数据分类分级目录, shùjù fēnlèi fēnjí mùlù) that categorises all data assets into “core,” “important,” and “general” tiers. Encrypted storage and transmission standards (SM2/SM3/SM4 algorithms) must be documented in the Cryptography Compliance Report (密码应用安全性评估报告, mìmǎ yìngyòng ānquánxìng pínggù bàogào). These documents are especially scrutinised during MLPS Level 3+ audits.

Document category Regulation Filing authority Typical timeline
MLPS Registration Pack CSL Art. 21, 31 MPS (local PSB) 30 days post-go-live
CII Identification Form CSL Art. 31, DSL Art. 32 CAC Before system launch
PIPIA Report PIPL Art. 55–56 Internal / CAC on request Before processing starts
Cross-Border Assessment App. DSL Art. 36, PIPL Art. 38 CAC provincial office 3–6 months review cycle
Data Classification Matrix DSL Art. 19–21 Internal / regulator audit Maintain ongoing
Cryptography Compliance Report CSL Art. 23, SM standards MPS-accredited lab Annually for L3+ systems

3. Ongoing Compliance Documentation: Audits, Contracts, and Incident Response

Cybersecurity compliance is not a one-time filing. Foreign companies must maintain a Security Operations File (安全运维档案, ānquán yùnwéi dàng’àn) that includes at least four mandatory document types:

  1. Annual Security Audit Report (年度安全审计报告, niándù ānquán shěnjì bàogào) – conducted by a CAC-accredited third-party auditor. For MLPS Level 3 systems, audits must occur every 12 months; Level 4 systems require biannual audits. The report must detail vulnerability scans, penetration test results, and remediation logs.
  2. Incident Response Plan (网络安全事件应急预案, wǎngluò ānquán shìjiàn yìngjí yù’àn) – a practical playbook for data breaches, ransomware, or service outages. It must specify reporting timelines (within 1 hour for CII incidents) and containment procedures. Drills must be documented twice per year.
  3. Vendor Security Assessment Records (供应商安全评估记录, gōngyìng shāng ānquán pínggù jìlù) – any third-party service provider that touches Chinese data (cloud, SaaS, logistics, payment) must undergo a security assessment. The company must keep contracts, SLAs, and audit result certificates.
  4. Employee Training Logs (员工培训日志, yuángōng péixùn rìzhì) – records of annual cybersecurity awareness training, including content outlines, attendance sheets, and test scores. Regulators often request these during onsite inspections.

In addition, foreign executives should be aware that the CAC’s Security Review (网络安全审查, wǎngluò ānquán shěnchá) for CII operators or companies that process more than 1 million users’ data requires a heavy document submission: financial ownership structures, third-party service details, data flow maps, and source code review reports for core software. This review process typically demands a dedicated due diligence folder of 30–50 separate documents. Without a properly maintained document repository, foreign legal entities risk operational suspension—a scenario that has affected more than 12 notable international firms since 2022.

4. Document Submission Process and Common Pitfalls

Understanding the document list is only half the challenge. Submission procedures vary by city and regulator. In Shanghai, the PSB accepts online MLPS submission via the “Shanghai Network Security Service Platform,” while Beijing requires physical copies plus a USB drive with digital seals. Foreign companies should budget for certified Chinese translations of all contracts and policies; the accepted languages are Mandarin Chinese only, except for the bilingual privacy policy.

Common mistakes include: misclassifying the MLPS protection level (72% of first-time filers underestimate their level, according to a 2023 CAC white paper), omitting the data classification matrix for cross-border flows, and failing to keep consent records in a searchable format. Each error can delay approval by 4–8 weeks or result in a corrective order with daily fines.

To streamline compliance, many foreign firms retain a local Cybersecurity Compliance Consultant (网络安全合规顾问, wǎngluò ānquán héguī gùwèn) who manages document templates, liaises with the local PSB, and schedules required audits. This can reduce document preparation time from 12 weeks to 4–5 weeks for a standard MLPS Level 3 filing.

NEXT STEPS

Based on the document requirements above, here are three decision-path recommendations for foreign executives at different stages:

  1. Early stage (system design phase): Immediately commission a MLPS Classification Pre-Assessment from a CAC-accredited lab (cost ~¥30,000–¥80,000). Use the resulting classification report to build your document checklist. Begin drafting your Data Classification Matrix and Privacy Policy concurrent with product development to avoid 30-day filing crunches.
  2. Mid-stage (existing system, no compliance yet): Prioritise the Level 3 registration pack (or Level 2 if user base <50,000) and the PIPIA report. Engage a local consultant to audit your current data flows and consent records. Expect a 10–14 week remediation timeline. Budget at least ¥150,000 for initial filings and audit fees.
  3. Post-audit / CII designation: If you already received a CII notice or are processing >1M personal records, prepare a full CAC Security Review submission. This requires compiling 30+ documents, including supply-chain contracts, encrypted data logs, and an incident response drill schedule. Allocate 6–9 months and secure external legal counsel experienced with CAC procedures.

Additional resource: For a detailed MLPS document template set (Level 2 and 3), foreign executives can refer to the Practical Guide to China’s Cybersecurity Law (2024 edition) published by the China Information Technology Security Certification Center (CCRC). Always verify the latest versions of official forms with your local PSB or CAC provincial office, as templates are updated periodically.

— China Gateway 360 —

Related articles

Are verbal agreements legally binding under Chinese contract law?

Are Verbal Agreements Legally Binding Under Chinese Contract Law? Yes, oral agreements can be legally binding under Chinese contract law, but they car

Do I need a Chinese legal representative to sign contracts in China?

Do I need a Chinese legal representative to sign contracts in China? Under Chinese law, a foreign company entering the China market must designate a l

What remedies are available for intellectual property infringement in China?

What remedies are available for intellectual property infringement in China? | CG360 Commercial Law FAQ What remedies are available for intellectual p

What Are Typical Distributor Margins in China? A Comprehensive FAQ for Foreign Businesses

What Are Typical Distributor Margins in China? A Comprehensive FAQ for Foreign Businesses For foreign companies entering the Chinese market, understan