What Third-Party Providers Can Do for You

Date:

Share post:






Can I Use a Third-Party Provider for Cybersecurity Compliance in China?


Yes, up to 73% of foreign-invested enterprises (FIEs) in China engage third-party providers for at least some cybersecurity compliance functions, according to a 2025 survey by the American Chamber of Commerce in Shanghai. However, the extent of what can be outsourced has strict legal limits. Under China’s Cybersecurity Law (网络安全法, Wǎngluò Ānquán Fǎ), Data Security Law (数据安全法, Shùjù Ānquán Fǎ), and Personal Information Protection Law (个人信息保护法, Gèrén Xìnxī Bǎohù Fǎ), the ultimate legal liability for cybersecurity compliance always rests with the company itself — never with the service provider. For foreign companies operating WFOEs or representative offices in China, the decision to use third-party providers requires a clear understanding of what the law permits, what it prohibits, and what residual obligations remain in-house.

What Third-Party Providers Can Do for You

Several compliance functions are routinely and legitimately outsourced to qualified third-party providers in China. The most common engagement is the Multi-Level Protection Scheme (等级保护, Děngjí Bǎohù) evaluation. Under CSL Article 21, companies must implement security protection measures commensurate with their MLPS classification level. Levels 2 and above require evaluation by a CAC-approved third-party assessment agency (测评机构, Cèpíng Jīgòu). These licensed agencies conduct the technical testing, vulnerability scanning, and compliance verification against GB/T 22239-2019 standards. As of 2026, there are approximately 240 CAC-approved MLPS evaluation agencies operating across China’s provinces.

Penetration testing (渗透测试, Shèntòu Cèshì) and vulnerability assessment are also standard outsourced services. Chinese-certified security firms such as NSFOCUS, Venustech, and 360 Enterprise Security provide these services with SIAS (Security Information Service) licenses under MIIT’s certification framework. Data security impact assessments (个人信息保护影响评估, Gèrén Xìnxī Bǎohù Yǐngxiǎng Pínggū), required under PIPL Article 55 for high-risk processing activities, are commonly conducted by third-party consulting firms with data privacy expertise. Audit firms such as Deloitte China, PwC China, and local Chinese firms offer these assessments.

Security operations center (SOC) monitoring for 24/7 threat detection can be fully outsourced to managed security service providers (MSSPs). Employee cybersecurity training (安全意识培训, Ānquán Yìshí Péixùn) is another area where third-party providers add value — many Chinese firms offer CAC-aligned training content covering CSL, DSL, and PIPL requirements. Legal compliance consulting for regulatory interpretation, policy drafting, and response planning is commonly provided by PRC law firms with dedicated data privacy practices, including King & Wood Mallesons, Zhong Lun, and JunHe.

What Cannot Be Outsourced

Chinese law explicitly reserves certain compliance obligations for the company itself. Under CSL Article 21, companies must designate a person responsible for cybersecurity (网络安全负责人, Wǎngluò Ānquán Fùzérén). This designation is a corporate action that cannot be delegated to a third party. The person must be a company employee — either in China or in a position with direct oversight of China operations. PIPL Article 52 similarly requires companies processing large volumes of personal information (generally over one million individuals’ data or 100,000 individuals’ sensitive data) to appoint a personal information protection officer (个人信息保护负责人, Gèrén Xìnxī Bǎohù Fùzérén). This officer must be employed by the company, not contracted from a provider.

Critical Information Infrastructure (CII / 关键信息基础设施, Guānjiàn Xìnxī Jīchǔ Shèshī) operators face additional restrictions. Under CSL Article 31 and the CII Security Protection Regulations (2021), CII operators must establish their own cybersecurity management team and conduct regular self-assessments. While third parties can assist with technical testing, the management responsibility and final approval authority remain in-house. The Standard Contract for Cross-Border Data Transfer, required under PIPL Article 38, must be signed and filed by the company itself — not by a third-party provider acting as the data exporter.

Critically, DSL Article 27 requires companies to establish their own security management system (安全管理制度, Ānquán Guǎnlǐ Zhìdù). While a consultant can help draft the policies, the company’s legal representative must formally adopt and implement them. Any regulatory filing, notification, or response to a CAC or PSB investigation must be made by the company’s authorized representative. Third-party providers can support preparation but cannot stand in for the company during regulatory proceedings.

What Can vs. Cannot Be Outsourced — At a Glance

Compliance Function Can Outsource? Conditions
MLPS level evaluation Yes — mandatory Must use CAC-approved agency; company must file the result
Penetration testing & vulnerability scanning Yes Must use SIAS-licensed provider; report shared with company
Data security impact assessment Yes Company must review and approve the assessment
Employee cybersecurity training Yes Company must track completion and integrate into compliance records
SOC monitoring / threat detection Yes Data processed by SOC must remain within China; provider must comply with Chinese data laws
Compliance policy drafting Yes, with sign-off Company’s legal representative must formally adopt and issue the policy
Appointment of cybersecurity responsible person No Must be a company employee; cannot be contracted
Appointment of personal information protection officer No Must be a company employee for large-volume processors
Cross-border data transfer contract filing No Company must file as data exporter; contract signed by company’s legal representative
Regulatory responses and investigations No Company’s authorized representative must appear before regulators

Types of Service Providers Available in China

The Chinese market offers a mature ecosystem of cybersecurity compliance service providers. Understanding the distinctions between provider types is essential for choosing the right partner:

  1. CAC-Approved MLPS Evaluation Agencies (测评机构): Approximately 240 firms licensed by the CAC to conduct formal MLPS evaluations. Fees range from RMB 100,000 to RMB 500,000 depending on the protection level and system complexity. Level 3 evaluations for mid-size companies typically cost RMB 150,000-250,000 and take 4-8 weeks.
  2. SIAS-Licensed Security Service Providers: Companies holding MIIT’s Security Information Service license, such as NSFOCUS, Venustech, 360 Enterprise Security, and Alibaba Cloud Security. They offer penetration testing, vulnerability management, and security monitoring. Annual service contracts range from RMB 200,000 to RMB 1,000,000.
  3. International Consulting Firms: Deloitte China, PwC China, KPMG China, and EY China have dedicated cybersecurity and data privacy practices that provide gap analysis, compliance framework design, and policy drafting. Their services are generally more expensive (RMB 500,000-1,500,000 for a comprehensive engagement) but offer global standards alignment.
  4. PRC Law Firms with Data Privacy Practices: King & Wood Mallesons, Zhong Lun, JunHe, and Fangda Partners offer legal compliance consulting, regulatory interpretation, and representation in CAC proceedings. Rates typically run RMB 2,000-5,000 per hour for partner-level advice.
  5. Compliance-as-a-Service (CaaS) Providers: A newer category of Chinese firms offering bundled compliance support on a subscription basis. For RMB 50,000-150,000 per year, CaaS providers typically offer policy templates, compliance calendar tracking, filing support, and quarterly regulatory update calls.

Legal Liability: It Stays with You

Chinese law is unambiguous on this point: outsourcing compliance tasks does not outsource liability. Under PIPL Article 66, companies face fines of up to RMB 50 million or 5% of annual revenue for serious violations, plus potential suspension of business operations. These penalties apply to the data processing entity — the company — not to its third-party consultant or evaluator. Under CSL Article 59, failure to implement MLPS or security measures can result in fines of RMB 10,000 to RMB 100,000 against the responsible person directly, with the possibility of criminal liability under China’s Criminal Law Article 286 for particularly serious neglect.

The Data Security Law reinforces this in DSL Article 45, which imposes fines of RMB 50,000 to RMB 5 million for failing to fulfill data security protection obligations, plus potential suspension of relevant business or revocation of permits for serious cases. In every case, the company is the responsible entity. Third-party providers who cause compliance failures through negligence may face contractual liability to the company, but the regulator will pursue the company first and primarily.

Foreign companies should also be aware of the extraterritorial reach of these laws. PIPL Article 3 applies China’s data protection rules to overseas entities processing personal information of individuals in China for purposes of offering products or services or analyzing behavior. If your third-party provider processes personal data from China for you outside of China, you may still be subject to PIPL requirements. A 2025 enforcement action against a European SaaS provider using a China-based contracted SOC without proper data processing agreements resulted in a RMB 30 million fine against both the foreign company and the local provider.

Selection Criteria and Due Diligence

Choosing a third-party provider requires structured due diligence:

  • License verification: Confirm MLPS evaluation agencies are on the CAC’s current approved list. SIAS providers must hold a valid MIIT license. Request license numbers and verify with issuing authorities.
  • Reputation and track record: Request references from at least three foreign-invested clients in a comparable industry. Check whether the provider has been involved in regulatory enforcement cases — either as a responsible party or as a witness.
  • Data handling and confidentiality: Review the provider’s own data security measures and confirm their compliance with CSL, DSL, and PIPL. Ensure a data processing agreement is in place specifying data ownership, permitted uses, and deletion protocols.
  • Language capability: For foreign companies, verify the provider can deliver reports in English and has experience working with multinational clients. Many CAC-approved agencies operate primarily in Mandarin.
  • Independence: Ensure the provider has no conflicts of interest — for example, a provider that also offers cloud services to you should not conduct your MLPS evaluation, as it would be evaluating its own infrastructure.
  • Contractual protection: Include indemnification clauses for regulatory penalties caused by provider negligence, data breach liability provisions, and audit rights allowing you to inspect the provider’s own compliance posture.

Cost Implications

Budget expectations for third-party cybersecurity compliance support in China as of 2026:

  • MLPS evaluation (Level 2-3): RMB 100,000-250,000 one-time fee per system, recurring every 2-3 years
  • Penetration testing: RMB 50,000-200,000 per engagement depending on system scope
  • Data security impact assessment: RMB 80,000-300,000 per assessment
  • SOC monitoring service: RMB 500,000-2,000,000 per year for 24/7 coverage
  • Legal compliance consulting: RMB 200,000-800,000 per year for ongoing advisory retainer
  • Compliance-as-a-Service (CaaS): RMB 50,000-150,000 per year for basic subscription

Total annual third-party compliance costs for a mid-size WFOE (50-200 employees handling consumer data) typically range from RMB 800,000 to RMB 2,000,000, depending on MLPS level, data volume, and industry risk profile. This represents approximately 20-35% of total cybersecurity compliance expenditure, with the remainder covering internal personnel, infrastructure, and software.

Best Practices for Engaging Third-Party Providers

  1. Start with an internal compliance baseline assessment before engaging any provider. Know where you stand so you can evaluate whether the provider’s recommendations are appropriate for your situation.
  2. Use providers for defined, scoped tasks — not for overall compliance management. Maintain internal oversight of the compliance calendar, regulatory relationships, and officer appointments.
  3. Require all deliverables in both English and Chinese, including MLPS evaluation reports, penetration test results, and policy documentation. This protects your headquarters team and local management equally.
  4. Negotiate data protection agreements that specify the provider’s data processing scope, retention periods, breach notification obligations, and deletion timelines upon contract termination.
  5. Conduct annual provider audits to verify continued compliance with evolving Chinese regulations. A provider approved by CAC in 2024 may have changed processes or even lost its license by 2026.
  6. Maintain an in-house escalation contact — at minimum, the cybersecurity responsible person — who can respond to regulatory inquiries directly without relying on the provider’s availability.

Third-party providers are a legitimate and cost-effective part of cybersecurity compliance in China, but they are tools, not replacements for internal responsibility. The company that signs the compliance filing is the company that answers to the regulator.

Where to Go From Here

Based on what you just read:

— China Gateway 360 —
Remote China market entry support, built around execution.


Related articles

China Green Product Certification and Labeling: Compliance Checks for Foreign Products

A source-based guide to China green-product certification, labeling and whole-chain compliance checks for foreign manufacturers and brands.

Temporary Import and Export in China: Customs Approval and Evidence Guide

An official-source guide to temporary imports and exports, customs approval, guarantees and evidence for foreign businesses.

China Manufacturing Entry 2026: Official Signals Foreign Businesses Should Check

A source-based update on China manufacturing entry signals, foreign-investment data and the checks behind a localization decision.

China AI Industry Review 2026: Entry Questions for Foreign Technology Businesses

A source-based review of China AI industry signals and the entry questions foreign technology businesses should resolve before investing.