China Cybersecurity Law (CSL)
The Cybersecurity Law of the People's Republic of China (effective 1 June 2017) is China's foundational cybersecurity legislation. It imposes obligations on network operators and operators of critical information infrastructure (CII) to implement a multi‑level protection scheme (MLPS), conduct security assessments of network products and services, ensure data localization for personal information and important data, protect personal information, and cooperate with government security inspections. The law also defines responsibilities for data breach notification and establishes penalties for non‑compliance. Although the CSL itself has not been amended since 2017, it is now complemented by the Data Security Law (2021) and the Personal Information Protection Law (2021), which expand and refine China's data governance regime.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (5)
China CSL: Critical Information Infrastructure
| Code | Title |
|---|---|
| CSL-Art31 | Critical Information Infrastructure Designation - Art. 31 |
| CSL-Art34 | CII Operator Security Obligations - Art. 34 |
| CSL-Art35 | CII Procurement Security Review - Art. 35 |
| CSL-Art37 | CII Data Localization and Cross-Border Assessment - Art. 37 |
| CSL-Art38 | CII Annual Security Inspection - Art. 38 |
China CSL: General Provisions and Support
| Code | Title |
|---|---|
| CSL-Art1 | Scope, Cyberspace Sovereignty and Definitions (Art. 1-2, 76) |
| CSL-Art2025AI | 2025 Amendment - AI Governance and Development |
China CSL: Monitoring, Early Warning and Liability
| Code | Title |
|---|---|
| CSL-Art51 | Cybersecurity Monitoring and Early Warning - Art. 51 |
| CSL-Art56 | Cybersecurity Risk Talks (Regulatory Interview) - Art. 56 |
| CSL-Art59 | Penalties for Network Operators - Art. 59-68 |
| CSL-Art66 | Penalties for Cross-Border / Localization Violations - Art. 66 |
China CSL: Network Information Security
| Code | Title |
|---|---|
| CSL-Art40 | Confidentiality of User Information - Art. 40 |
| CSL-Art41 | Lawful Collection of Personal Information - Art. 41 |
| CSL-Art42 | Personal Information Protection and Breach Handling - Art. 42 |
| CSL-Art43 | Right to Correction and Deletion - Art. 43 |
| CSL-Art47 | Content Management Obligations - Art. 47 |
| CSL-Art49 | Complaints and Reporting Mechanism - Art. 49 |
China CSL: Network Operations Security
| Code | Title |
|---|---|
| CSL-Art21 | Multi-Level Protection Scheme (MLPS) - Art. 21 |
| CSL-Art22 | Security of Network Products and Services - Art. 22 |
| CSL-Art23 | Critical Network Equipment Certification - Art. 23 |
| CSL-Art24 | Real-Name Registration - Art. 24 |
| CSL-Art27 | Prohibition on Illegal Network Intrusion - Art. 27 |
Your Compliance Coverage
If you comply with China Cybersecurity Law (CSL), you already cover:
NIST Cybersecurity Framework 2.0
27%
6 controls mapped
Compare →GDPR
18%
4 controls mapped
Compare →China Personal Information Protection Law (PIPL)
14%
3 controls mapped
Compare →+ 2 more: ISO 27001:2022 (9%), China Data Security Law (DSL) (5%)
See all 5 mapped frameworks ↓Maps to 5 other frameworks
Frequently Asked Questions
What is China Cybersecurity Law (CSL)?
China Cybersecurity Law (CSL) is a compliance framework from China with 5 domains and 22 controls. The Cybersecurity Law of the People's Republic of China (effective 1 June 2017) is China's foundational cybersecurity legislation. It imposes obligations on network operators and operators of critical information infrastructure (CII) to implement a multi‑level protection scheme (MLPS), conduct security assessments of network products and services, ensure data localization for personal information and important data, protect personal information, and cooperate with government security inspections. The law also defines responsibilities for data breach notification and establishes penalties for non‑compliance. Although the CSL itself has not been amended since 2017, it is now complemented by the Data Security Law (2021) and the Personal Information Protection Law (2021), which expand and refine China's data governance regime. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does China Cybersecurity Law (CSL) have?
China Cybersecurity Law (CSL) has 22 controls organised across 5 domains. The largest domains are China CSL: Network Information Security (6 controls), China CSL: Critical Information Infrastructure (5 controls), China CSL: Network Operations Security (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does China Cybersecurity Law (CSL) map to?
China Cybersecurity Law (CSL) maps to 5 other compliance frameworks. The top mapping partners are NIST Cybersecurity Framework 2.0 (27% coverage), GDPR (18% coverage), China Personal Information Protection Law (PIPL) (14% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with China Cybersecurity Law (CSL) compliance?
Start your China Cybersecurity Law (CSL) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about China Cybersecurity Law (CSL) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 22 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.
Get Started Free →Free forever — no credit card required