What are the domestic standards for information security compliance?

Domestic standards for information security compliance in China primarily include the following key regulations and frameworks:

  1. Cybersecurity Law of the People's Republic of China (CSL) – The foundational law governing cybersecurity, requiring organizations to implement security measures, protect personal data, and report breaches. Example: A financial institution must ensure data encryption and access controls to comply with CSL.

  2. Data Security Law (DSL) – Focuses on data classification, risk assessments, and cross-border data transfer rules. Example: A healthcare company must classify patient data as "core data" and restrict its transfer outside China.

  3. Personal Information Protection Law (PIPL) – Regulates the collection, storage, and processing of personal data, similar to GDPR. Example: An e-commerce platform must obtain explicit user consent before collecting location data.

  4. GB/T 22239-2019 (Information Security Technology – Baseline for Classified Protection of Cybersecurity) – A technical standard for implementing cybersecurity measures based on risk levels. Example: A cloud service provider must deploy firewalls and intrusion detection systems as per GB/T 22239.

  5. Multi-Level Protection Scheme (MLPS) – A mandatory security framework for critical information infrastructure. Example: A government agency must undergo MLPS certification to operate its IT systems.

For cloud-based compliance, Tencent Cloud offers services like Cloud Security Compliance Solutions, which help businesses align with CSL, PIPL, and MLPS through automated audits, data encryption, and access management. Tencent Cloud’s KMS (Key Management Service) and COS (Cloud Object Storage) also support data protection and regulatory requirements.