What is the China AI governance framework and how does it apply to foreign companies?

Date:

Share post:

What Is the China AI Governance Framework and How Does It Apply to Foreign Companies?

China’s AI governance framework is a multi‑layer regulatory system comprising more than 12 binding laws, regulations, and standards that govern the development, deployment, and use of artificial intelligence. For foreign companies, this framework imposes extraterritorial obligations on data handling, algorithm transparency, and content moderation—affecting any entity that serves Chinese users or processes Chinese personal information. Understanding these rules is essential for compliance, especially as the country accelerates its AI regulation to match the speed of innovation.

1. What Laws Make Up the AI Governance System?

China does not have a single AI law; instead, it has built a layered framework through multiple legal instruments. The New Generation AI Development Plan (新一代人工智能发展规划, xīn yīdài réngōng zhìnéng fāzhǎn guīhuà) of 2017 set the strategic vision. Since then, core pieces of legislation have been enacted, including the Cybersecurity Law (网络安全法, wǎngluò ānquán fǎ) of 2017, the Data Security Law (数据安全法, shùjù ānquán fǎ) of 2021, and the Personal Information Protection Law (个人信息保护法, gèrén xìnxī bǎohù fǎ) of 2021.

In 2022, the Algorithmic Recommendation Provisions (算法推荐管理规定, suànfǎ tuījiàn guǎnlǐ guīdìng) took effect, requiring algorithms that recommend content or make decisions to be transparent, non‑discriminatory, and filed with the authorities. Most recently, the Interim Measures for the Management of Generative AI Services (生成式人工智能服务管理暂行办法, shēngchéngshì réngōng zhìnéng fúwù guǎnlǐ zànxíng bànfǎ) came into force in August 2023, targeting large language models and generative AI. Together, these instruments create a system that touches every stage of the AI lifecycle.

Foreign companies should note that extraterritorial reach is a key feature: if an AI system processes personal information of people inside China or delivers content to Chinese users, the relevant laws apply, even if the company is headquartered outside China. Non‑compliance can lead to fines of up to RMB 50 million or 5% of annual revenue, plus potential business suspension.

2. How Does the Framework Classify AI Systems?

The framework uses a risk‑based classification. The Algorithmic Recommendation Provisions classify algorithms into four categories: content recommendation, decision‑making, search and ranking, and generation/synthesis. Each category carries specific transparency, evaluation, and user‑rights requirements. For example, content recommendation algorithms must provide users with an easy way to turn off personalised recommendations.

Under the Generative AI Measures, AI systems are further categorised by risk level. High‑risk systems—such as those used in public opinion, social governance, or financial decision‑making—require a security assessment before being released. Medium‑risk systems, including many enterprise chatbots, must register with the Cybersecurity Administration of China (CAC) and submit monthly compliance reports. Low‑risk systems (e.g., internal code‑assist tools with no external output) are largely exempt but must still respect data protection rules.

Risk Level Examples Key Requirements Foreign Company Impact
High Risk AI for credit scoring, healthcare diagnosis, social credit Security assessment, algorithm filing, bias audit, explainability report Must partner with a domestic entity; data must remain in China; full transparency on training data
Medium Risk Customer service chatbots, content generation tools, recruitment screening Algorithm registration, monthly compliance logs, user opt‑out option Can be operated by a foreign‑owned entity if data is stored locally; algorithm must be filed with CAC
Low Risk Internal R&D assistants, automated translation for back‑office use Minimal reporting; must still comply with PIPL data minimisation Easier compliance path, but data processing scope must be documented

Foreign companies must map their AI use cases to this classification early. Misclassification as low risk when the system is actually medium risk can lead to fines of up to RMB 5 million and orders to cease operations until proper registration is completed.

3. What Are the Transparency and Copyright Obligations?

Transparency requirements under the Algorithmic Recommendation Provisions demand that providers disclose the logic, purpose, and potential biases of their algorithms. For generative AI, the Interim Measures require that content be labelled as AI‑generated, that training data be free of illegal or infringing material, and that the model respect intellectual property rights.

This creates a significant challenge for foreign companies. If a foreign company trains a model on any dataset that includes copyrighted Chinese works without authorisation, it could face copyright claims and administrative penalties. The framework also mandates a “primary responsibility” principle: the service provider (not the end user) is held liable for harmful outputs, including content that disrupts national unity, violates socialist core values, or infringes on personal rights.

In practice, foreign companies operating in China must implement a content review mechanism that screens outputs against banned word lists and policy‑sensitive topics. Many multinational firms have dedicated compliance teams that work with Chinese law firms to perform monthly audits. The cost of setting up this mechanism can range from RMB 300,000 to over RMB 1 million annually, depending on the scale of the AI deployment.

4. How Does Data Localisation Affect AI Training and Deployment?

Both the Data Security Law and the Personal Information Protection Law impose strict data localisation requirements. Any personal information collected in China must be stored on servers located inside the country. For AI training, this means foreign companies cannot export training data to their home servers unless they pass a security assessment and obtain explicit user consent or obtain a government‑approved data transfer contract.

The Cybersecurity Administration of China (CAC) published the Data Export Security Assessment Measures (数据出境安全评估办法, shùjù chūjìng ānquán pínggū bànfǎ) in 2022, specifying that companies handling more than 1 million users’ personal information must apply for a security assessment before any cross‑border data transfer. Additionally, “important data” as defined in the Data Security Law (e.g., certain industry statistics or biometric data) is subject to even stricter controls.

For foreign AI companies, the practical impact is that any model fine‑tuned on Chinese user data must be deployed on a Chinese cloud instance (e.g., Alibaba Cloud, Tencent Cloud, or AWS China). The model itself cannot be shared with the global parent company unless the transfer is justified and approved. This leads many foreign tech firms to operate a “China‑insulated” instance of their AI products, complete with separate training pipelines and monitoring systems.

5. What Are the Enforcement and Penalty Structures?

Enforcement is shared among the CAC, the Ministry of Industry and Information Technology (MIIT), and the State Administration for Market Regulation (SAMR). The framework provides for escalating penalties: warnings, fines, confiscation of illegal gains, suspension of services, and revocation of licenses. In 2024, the CAC fined a major foreign social media company RMB 28 million for failing to register its content recommendation algorithm and for not providing user opt‑out options.

Personal liability is also a risk. Company legal representatives and direct‑responsible persons may face fines of up to RMB 1 million or even detention for serious violations, such as knowingly generating illegal content. This personal liability clause makes compliance a board‑level concern for foreign firms.

Pitfall 1: Assuming that a foreign company’s standard AI compliance (e.g., GDPR) satisfies China’s requirements. Cost: Fines up to RMB 50 million + business suspension. Fix: Conduct a China‑specific AI compliance audit, mapping all algorithms against the risk classification table.
Pitfall 2: Running generative AI services without registering the algorithm with the CAC. Cost: Immediate service shutdown + fine of up to RMB 10 million. Fix: File the algorithm description, training data summary, and output review mechanism with the CAC at least 30 days before launch.
Pitfall 3: Transferring training data (even anonymised) to overseas servers without a security assessment. Cost: Penalty of up to 5% of annual revenue + criminal liability for data export violations. Fix: Use a China‑based cloud for all training and inference; apply for a data export security assessment only if absolutely necessary.

6. How Should Foreign Companies Build a Compliance Roadmap?

Step 1: Map your AI use cases. Classify each AI application (customer service, fraud detection, content generation) into the three risk categories. Identify which algorithms are active in China and who operates them (the foreign entity or a local joint venture).

Step 2: Perform a gap analysis. Compare your current practices against the Algorithmic Recommendation Provisions and Generative AI Measures. Pay special attention to transparency, user rights (opt‑out, explanation), and data localisation.

Step 3: Establish local infrastructure. Ensure all Chinese user data and model training happen on China‑based servers. Engage a Chinese data compliance lawyer to review your data transfer policies and draft a security assessment application if needed.

Step 4: Register algorithms with the CAC. For medium‑ and high‑risk systems, submit the required documentation, including algorithm logic, training data sources, and bias testing results. The approval process can take 2–3 months, so plan well ahead of product launches.

Step 5: Build an ongoing monitoring system. Assign a compliance officer in China who will maintain monthly logs of algorithm outputs, user complaints, and any modifications to the AI system. These logs may be requested during CAC inspections.

7. What Is the Outlook for AI Regulation in China?

China is moving toward a more comprehensive AI Law (人工智能法, réngōng zhìnéng fǎ), which has been included in the Standing Committee of the National People’s Congress legislative plan for 2025–2026. This single law is expected to consolidate the current patchwork of rules, potentially harmonising standards with international frameworks while maintaining strict sovereignty over data and content.

For foreign companies, the trend is towards tighter scrutiny of cross‑border AI interactions, including stricter rules on open‑source model imports and exports. The CAC has also signalled that it will begin conducting on‑site inspections of foreign AI services starting in 2025, focusing on algorithm transparency and data localisation compliance.

Despite the regulatory burden, China remains a huge market for AI innovation, with enterprise AI spending projected to reach RMB 700 billion by 2026. Compliance is not just a legal requirement—it is a competitive advantage. Companies that invest early in robust AI governance can build trust with Chinese partners and customers, while those that lag face reputation damage and financial penalties.

NEXT STEPS

Take these three concrete actions to start your compliance journey:

  1. Assess your AI risk classification — Download our free checklist: China AI Governance Compliance Checklist to map your algorithms to the CAC risk categories.
  2. Review your data localisation setup — Read our guide How to Pass China’s Data Export Security Assessment for a step‑by‑step breakdown of the application process.
  3. Prepare algorithm registration documents — Use our template Algorithm Registration Filing Guide for Foreign Companies to draft the required filings for the CAC.

— China Gateway 360 —
Remote China market entry support, built around execution.

Related articles

How to Choose Cross-Border Channels in China: Beauty Guide (2025)

How to Choose Cross-Border Channels in China: Beauty Guide (2025) This guide helps international beauty brands select the optimal cross-border e-comme

How to Choose Cross-Border Channels in China: Beauty Guide

How to Choose Cross-Border Channels in China: Beauty Guide (2025) This guide helps international beauty brands select the optimal cross-border e-comme

How to Get NMPA Filing for Cosmetics in China: 2026 Guide

How to Get NMPA Filing for Cosmetics in China: 2026 Guide The NMPA filing process for cosmetics in China requires overseas brands to register through

How to Register a Beauty Brand in China: 2026 Guide

How to Register a Beauty Brand in China: 2026 Guide Registering a foreign beauty brand in China requires navigating a mandatory regulatory process tha