China Data Security Law (DSL) and Cybersecurity Law (CSL)

China

2 domains

32 controls

China Data Security Law (DSL), effective 1 September 2021, and Cybersecurity Law (CSL), effective 1 June 2017. Both are statutory regulations governing data security and network security in China.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (2)

CSL

20 controls

Controls in the CSL domain of China Data Security Law (DSL) and Cybersecurity Law (CSL) — 20 controls
Code	Title	Description
CSL-Art21	Multi-Level Protection Scheme (MLPS 2.0)	Network operators must perform security protection duties under the multi-level protection scheme, including formulating...
CSL-Art22	Network Products and Services Security	Network products and services must comply with mandatory national standards. Providers must not install malicious progra...
CSL-Art23	Critical Network Equipment Certification	Critical network equipment and specialized cybersecurity products must obtain safety certification by a qualified instit...
CSL-Art24	Real-Name Registration	Network operators providing network access, domain registration, fixed or mobile phone access, or information publishing...
CSL-Art27	Prohibition on Illegal Network Intrusion	No individual or organization may engage in illegal intrusion into networks, disrupt normal network function, steal netw...
CSL-Art31	Critical Information Infrastructure (CII) Designation	The State implements key protection of CII in public communication and information services, energy, transportation, wat...
CSL-Art34	CII Operator Security Obligations	CII operators must set up specialized security management bodies and security responsible persons subject to background...
CSL-Art35	CII Procurement Security Review	CII operators procuring network products and services that may affect national security must undergo a national security...
CSL-Art37	CII Data Localization	Personal information and important data collected and generated by CII operators within China must be stored within Chin...
CSL-Art38	CII Annual Security Inspection	CII operators must conduct a cybersecurity inspection and risk assessment at least annually, either themselves or by com...
CSL-Art40	Confidentiality of User Information	Network operators must keep user information they collect strictly confidential and establish and improve user informati...
CSL-Art41	Lawful Collection of Personal Information	Network operators collecting and using personal information must follow principles of legality, propriety, and necessity...
CSL-Art42	Personal Information Breach Notification	Network operators must not leak, tamper with, or damage collected personal information. Without consent they must not pr...
CSL-Art43	Right to Correction and Deletion	Individuals who discover that network operators have collected or used their personal information in violation of laws,...
CSL-Art47	Content Monitoring and Reporting	Network operators must strengthen management of information published by users. Upon discovery of information prohibited...
CSL-Art49	Complaints and Reporting Mechanism	Network operators must establish complaint and reporting systems for cybersecurity, publicly disclose channels, and prom...
CSL-Art51	Cybersecurity Monitoring and Early Warning	The State establishes a cybersecurity monitoring, early warning, and information notification system. CAC coordinates wi...
CSL-Art56	Cybersecurity Risk Talks (Interview)	Where a network operator has major cybersecurity risks or incidents, provincial-or-above departments may summon legal re...
CSL-Art59	Penalties for Network Operator Violations	Failure to perform security protection duties under Articles 21 and 25 results in correction orders and warnings. Refusa...
CSL-Art66	Penalties for Cross-Border Violations	Violation of CSL Article 37 on cross-border storage or transfer by CII operators results in correction orders, warnings,...

DSL

12 controls

Controls in the DSL domain of China Data Security Law (DSL) and Cybersecurity Law (CSL) — 12 controls
Code	Title	Description
DSL-Art21	Data Classification and Grading System	The State establishes a hierarchical data classification and grading protection system based on importance to national s...
DSL-Art24	National Security Review for Data Activities	Data processing activities that affect or may affect national security are subject to a national security review. The re...
DSL-Art27	Data Security Management System	Organizations conducting data processing activities must establish a sound data security management system across the fu...
DSL-Art28	Lawful and Legitimate Data Processing	Data processing activities and the development and use of new data technologies must support innovation that is conduciv...
DSL-Art29	Risk Monitoring and Remediation	Data processors must strengthen risk monitoring. When data security defects or vulnerabilities are discovered, remediati...
DSL-Art30	Risk Assessment for Important Data Processors	Important data processors must conduct periodic risk assessments of their data processing activities per regulation and...
DSL-Art31	Cross-Border Transfer of Important Data	Cross-border transfer of important data collected and generated by CII operators within China is governed by CSL. For ot...
DSL-Art32	Lawful Collection of Data	Any organization or individual collecting data must do so by lawful and proper means and must not steal or obtain data b...
DSL-Art33	Data Brokers and Intermediary Services	Institutions providing data transaction intermediary services must require data providers to explain the data source, ex...
DSL-Art35	Government Data Access Requests	Public security and national security organs needing data for criminal investigation or national security work must foll...
DSL-Art36	Foreign Authority Data Requests	Without approval of the competent Chinese authorities, domestic organizations and individuals must not provide data stor...
DSL-Art45	Penalties for Data Security Violations	Violation of data security protection obligations may result in correction orders, warnings, fines up to RMB 2 million f...

Frequently Asked Questions

What is China Data Security Law (DSL) and Cybersecurity Law (CSL)?

China Data Security Law (DSL) and Cybersecurity Law (CSL) is a compliance framework from China with 2 domains and 32 controls. China Data Security Law (DSL), effective 1 September 2021, and Cybersecurity Law (CSL), effective 1 June 2017. Both are statutory regulations governing data security and network security in China. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does China Data Security Law (DSL) and Cybersecurity Law (CSL) have?

China Data Security Law (DSL) and Cybersecurity Law (CSL) has 32 controls organised across 2 domains. The largest domains are CSL (20 controls), DSL (12 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does China Data Security Law (DSL) and Cybersecurity Law (CSL) map to?

China Data Security Law (DSL) and Cybersecurity Law (CSL) does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with China Data Security Law (DSL) and Cybersecurity Law (CSL) compliance?

Start your China Data Security Law (DSL) and Cybersecurity Law (CSL) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about China Data Security Law (DSL) and Cybersecurity Law (CSL) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 32 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 768 frameworks.

Get Started Free →

Free forever — no credit card required