CSL
Cybersecurity Law
The Cybersecurity Law took effect on 1 June 2017 as the foundational statute for China's cyberspace governance. It introduced network operator security obligations, real-name registration, and the concept of critical information infrastructure with associated data localization duties.
Who it applies to
Network operators and the construction, operation, maintenance, and use of networks within China, with stricter duties imposed on operators of critical information infrastructure (CII) in sectors such as finance, energy, telecommunications, and public services.
Identity requirements
- Implement real-name identity verification of users when providing network access, domain, publishing, or messaging services
- Adopt technical and organizational security measures under the multi-level protection scheme (MLPS) to protect networks and stored data
- For CII operators: store collected or generated personal information and important data within China, and pass a security assessment before exporting it
- Designate persons responsible for cybersecurity and maintain network logs for at least six months
- Protect the confidentiality of user information collected and refrain from unlawful disclosure or sale of personal data
- Report and respond to cybersecurity incidents and cooperate with regulatory supervision
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Authentication & MFA | The real-name registration mandate requires operators to verify user identities before delivering many network services. |
| Data residency & cross-border transfer | Critical information infrastructure operators must localize personal information and important data in China and pass a security assessment before exporting it. |
| Audit, logging & accountability | Operators must retain network logs for at least six months and implement graded protection measures to support traceability. |
| Identity verification (KYC/proofing) | Service providers must confirm the true identity of users, embedding proofing into onboarding for messaging, publishing, and access services. |
| Breach notification | Operators must adopt remedial measures for security incidents and report them to users and the relevant authorities. |
Penalties
Violations can lead to warnings, rectification orders, confiscation of unlawful gains, fines on the operator and responsible individuals, suspension of operations, and revocation of licenses.
CSL: frequently asked questions
- What is a critical information infrastructure operator under the CSL?
  - It is an operator of networks and systems in important sectors such as communications, energy, finance, transport, and e-government, where damage could seriously harm national security or the public interest.
- Does the CSL require real-name verification?
  - Yes. Network operators must require users to provide real identity information when signing them up for network access, domain registration, publishing, or instant messaging services.
- How does the CSL relate to the PIPL and DSL?
  - The CSL is the foundational law; the DSL later added a data classification and security regime for all data, and the PIPL added comprehensive personal information protection rules.