Asia
This content is for informational and educational purposes only and does not constitute legal advice.
On 13 April 2026, the Ministry of Industry and Information Technology (MIIT) closes the consultation on five draft mandatory national standards, including the draft Safety Requirements for Autonomous Driving Systems of Intelligent and Connected Vehicles. The draft standard establishes technical and functional safety requirements for autonomous driving systems in intelligent and connected vehicles. The draft standard defines the operational design domain and sets out requirements for continuous environmental monitoring and real-time hazard detection. The draft standard requires autonomous driving systems to transition to a minimal risk condition in the event of system failure or when operating outside the defined domain. The minimal risk condition may include controlled deceleration or safe roadside stopping. The draft standard also specifies requirements for human–machine interaction, including driver monitoring and takeover request procedures. In addition, the draft standard introduces provisions on system redundancy, operational data recording for post-incident analysis and cybersecurity safeguards. Finally, the draft standard requires simulation, closed-track, and real-world testing to verify compliance with performance and safety requirements.
On 10 April 2026, the rules on internet platform pricing behaviour issued by the State Administration for Market Regulation (SAMR), the National Development and Reform Commission (NDRC), and the Cyberspace Administration of China (CAC) come into force. Under Article 15 and in accordance with the “Regulations for the Implementation of the Consumer Rights Protection Law” and Price Law, platform operators and businesses are prohibited from using data, algorithms, or platform rules to set different prices for the same goods or services for different consumers under identical conditions without their knowledge. This ban applies when the price variation is based on consumer information such as their willingness to pay, ability to pay, or consumption habits. Additionally, platform operators must not engage in price discrimination against businesses operating on their platform. A platform’s long-term free business model may be exempt from this rule if it promotes innovation and improves welfare. Interpretive authority primarily rests with the NDRC, SAMR, and CAC. The regulations will remain in force for five years.
On 20 March 2026, the National Cybersecurity Standardisation Technical Committee (TC260) opened a public solicitation for member organisations to join the Artificial Intelligence Security Standards Working Group (WG9). The Working Group's scope covers investigating the current state and development trends of artificial intelligence security standards, researching and proposing a system of artificial intelligence security standards, and conducting research into and formulating artificial intelligence security standards. Eligible applicants must be enterprises, institutions of higher education, scientific research institutes, or other bodies registered within the territory of China and possessing legal person status, must recognise and comply with the Articles of Association of TC260 and the Working Group Rules of TC260, and must be engaged in business related to the technical fields of the Working Group.
On 17 March 2026, the Cyberspace Administration of China (CAC) announced that 48 new generative artificial intelligence (AI) services and 46 AI applications or functions completed their respective filing and registration procedures between January and February 2026. These administrative actions were conducted in accordance with the Interim Measures for the Management of Generative Artificial Intelligence Services to promote the regulated application of AI technologies. The Measures require providers of generative AI services with social mobilisation capabilities or public opinion attributes to complete these procedures through local cyberspace authorities. As of 28 February 2026, a cumulative total of 796 generative AI services have completed the filing process, while 481 applications or functions have finished registration. For applications that utilise the capabilities of previously filed models via Application Programming Interface (API) interfaces, registration is managed by local offices rather than the national body. The Measures mandate that generative AI products that are already live prominently display their model name and filing or registration number in a conspicuous location or on the product details page. The CAC and relevant departments continue to oversee this registration work to ensure that all generative AI services operating within the jurisdiction adhere to the established transparency and notification requirements.
On 12 February 2026, the Ministry of Industry and Information Technology opened a consultation on 5 draft mandatory national standards, including the draft Safety Requirements for Autonomous Driving Systems of Intelligent and Connected Vehicles, until 13 April 2026. The draft standard establishes technical and functional safety requirements for autonomous driving systems in intelligent and connected vehicles. The draft standard defines the operational design domain and sets out requirements for continuous environmental monitoring and real-time hazard detection. The draft standard requires autonomous driving systems to transition to a minimal risk condition in the event of system failure or when operating outside the defined domain. The minimal risk condition may include controlled deceleration or safe roadside stopping. The draft standard also specifies requirements for human-machine interaction, including driver monitoring and takeover request procedures. In addition, the draft standard introduces provisions on system redundancy, operational data recording for post-incident analysis, and cybersecurity safeguards. Finally, the draft standard requires simulation, closed-track and real-world testing to verify compliance with performance and safety requirements.
On 25 January 2026, the Cyberspace Administration of China closes the consultation on the draft Interim Measures for the Administration of Anthropomorphic Interactive Artificial Intelligence Services, including artificial intelligence authority governance. The measures apply to anthropomorphic interactive AI services, defined as services that simulate human personality, thinking patterns, and communication styles and interact with humans through text, pictures, audio, video, or by other means. Provincial internet and telecommunications departments would be responsible for supervising and enforcing the provisions in the measures, including by carrying out annual reviews of safety assessments. National regulators would be required to establish sandbox platforms and encourage providers to use those platforms for safety testing and the development of innovative technologies.
On 25 January 2026, the Cyberspace Administration of China closes the consultation on the draft Interim Measures for the Administration of Anthropomorphic Interactive Artificial Intelligence Services, including data protection regulation. The measures apply to anthropomorphic interactive AI services, defined as services that simulate human personality, thinking patterns, and communication styles and interact with humans through text, pictures, audio, video, or by other means. Article 10 would establish data protection requirements, including using training data conforming to core socialist values, cleaning and labelling training data to enhance transparency and reliability, ensuring the diversity of training data through negative sampling and adversarial training, evaluating the security of synthetic data, regularly upgrading data, and ensuring that training data is legal and traceable. Further, providers of anthropomorphic interactive services would need to take appropriate data security measures, refrain from providing interaction data to third parties, allow users to delete interactive data, and obtain additional guardian consent from users who are minors.
On 25 January 2026, the Cyberspace Administration of China closes a consultation on the draft Interim Measures for the Administration of Anthropomorphic Interactive Artificial Intelligence Services, including design requirements. The measures apply to anthropomorphic interactive AI services, defined as services which simulate human personality, thinking patterns and communication styles and interact with humans through text, pictures, audio, video, or by other means. The measures would establish a number of design requirements for providers of anthropomorphic interactive services. Article 11 would require providers to have the ability to evaluate users' moods, degree of dependence on the service, and extreme emotions and addiction, and the intervene accordingly. Further, providers should ensure that users engaged in high-risk tendencies are prompted to seek professional assistance and implement an emergency response mechanism to address extreme situations. Additionally, when a user session reaches 2 hours the provider must continually remind users to end the session. In the case of emotional accompaniment services, users must be given a convenient way to terminate their use of the services.
On 25 January 2026, the Cyberspace Administration of China closes the consultation on the draft Interim Measures for the Administration of Anthropomorphic Interactive Artificial Intelligence Services, including content moderation regulation. The measures apply to anthropomorphic interactive AI services, defined as services that simulate human personality, thinking patterns, and communication styles and interact with humans through text, pictures, audio, video, or by other means. The measures would prohibit providers of anthropomorphic interactive AI services from providing, through their services, false promises seriously affecting the behaviour of users, inflicting damage on users' physical or mental health, inducing users to make unreasonable decisions through algorithm manipulation, misleading information, and emotional traps, or simulating the relatives of elderly users. Further, Article 16 would require providers to clearly indicate to users that they are interacting with AI rather than a natural person. Further, providers would be required to conduct safety assessments when launching anthropomorphic interactive services, when new technologies result in major changes for such services, when registered users exceed 1 million or monthly active users exceed 100'000, or when other national security or public interest considerations are relevant. Providers are required to evaluate factors including scale and duration of use, age structure, and group distribution, as well as the identification of high-risk tendencies among users. Article 23 would require providers to restrict or suspend services to users linked to major security risks and notify the relevant authorities.
On 27 December 2025, the Cyberspace Administration of China opened a consultation on the draft Interim Measures for the Administration of Anthropomorphic Interactive Artificial Intelligence Services, including artificial intelligence authority governance, until 25 January 2026. The measures apply to anthropomorphic interactive AI services, defined as services that simulate human personality, thinking patterns, and communication styles and interact with humans through text, pictures, audio, video, or by other means. Provincial internet and telecommunications departments would be responsible for supervising and enforcing the provisions in the measures, including by carrying out annual reviews of safety assessments. National regulators would be required to establish sandbox platforms and encourage providers to use those platforms for safety testing and the development of innovative technologies.
On 27 December 2025, the Cyberspace Administration of China opened a consultation on the draft Interim Measures for the Administration of Anthropomorphic Interactive Artificial Intelligence Services, including data protection regulation, until 25 January 2026. The measures apply to anthropomorphic interactive AI services, defined as services that simulate human personality, thinking patterns, and communication styles and interact with humans through text, pictures, audio, video, or by other means. Article 10 would establish data protection requirements, including using training data conforming to core socialist values, cleaning and labelling training data to enhance transparency and reliability, ensuring the diversity of training data through negative sampling and adversarial training, evaluating the security of synthetic data, regularly upgrading data, and ensuring that training data is legal and traceable. Further, providers of anthropomorphic interactive services would need to take appropriate data security measures, refrain from providing interaction data to third parties, allow users to delete interactive data, and obtain additional guardian consent from users who are minors.
On 27 December 2025, the Cyberspace Administration of China opened a consultation on the draft Interim Measures for the Administration of Anthropomorphic Interactive Artificial Intelligence Services, including design requirements, until 25 January 2026. The measures apply to anthropomorphic interactive AI services, defined as services that simulate human personality, thinking patterns and communication styles and interact with humans through text, pictures, audio, video, or by other means. The measures would establish a number of design requirements for providers of anthropomorphic interactive services. Article 11 would require providers to have the ability to evaluate users' moods, degree of dependence on the service, and extreme emotions and addiction, and the intervene accordingly. Further, providers should ensure that users engaged in high-risk tendencies are prompted to seek professional assistance and implement an emergency response mechanism to address extreme situations. Additionally, when a user session reaches 2 hours the provider must continually remind users to end the session. In the case of emotional accompaniment services, users must be given a convenient way to terminate their use of the services.
On 27 December 2025, the Cyberspace Administration of China opened a consultation on the draft Interim Measures for the Administration of Anthropomorphic Interactive Artificial Intelligence Services, including user rights, until 25 January 2026. The measures apply to anthropomorphic interactive AI services, defined as services that simulate human personality, thinking patterns, and communication styles and interact with humans through text, pictures, audio, video, or by other means. The measures would prohibit providers of anthropomorphic interactive AI services from providing, through their services, false promises seriously affecting the behaviour of users, inflicting damage on users physical or mental health, inducing users to make unreasonable decisions through algorithm manipulation, misleading information, and emotional traps, or simulating the relatives of elderly users. Further, Article 16 would require providers to clearly indicate to users that they are interacting with AI rather than a natural person. Further, providers would be required to conduct safety assessments when launching anthropomorphic interactive services, when new technologies result in major changes for such services, when registered users exceed 1 million or monthly active users exceed 100'000, or when other national security or public interest considerations are relevant. Providers are required to evaluate factors including scale and duration of use, age structure, and group distribution, as well as the identification of high-risk tendencies among users. Article 23 would require providers to restrict or suspend services to users linked to major security risks and notify the relevant authorities.
On 25 December 2025, the Department of Science and Technology of the Ministry of Industry and Information Technology closes the public consultation on 24 Industry Standards. The consultation covers standards related to Internet of Things (IoT) applications and artificial intelligence testing. It includes technical requirements for IoT digital twin systems for hot-rolled and cold-rolled steel workshops, unmanned underground-loader driving systems, digital steel-delivery systems, intelligent equipment-fault perception systems, and equipment-level digital twin systems. It also covers requirements for wind-turbine vibration-monitoring sensors, distributed storage systems for video surveillance, data-security requirements for video-surveillance systems, passive smart-warehousing systems, IoT computing-fusion application systems, smart-building operations-management systems, and smart-fishery sensor protocols. The consultation further addresses end-side artificial intelligence pilot-testing standards, including algorithm-robustness evaluation, digital pilot systems, pilot-equipment management, pilot-platform evaluation, pilot-project management, and pilot-verification requirements.
On 9 December 2025, the National Development and Reform Commission (NDRC), the State Administration for Market Regulation (SAMR), and the Cyberspace Administration of China (CAC) issued rules on internet platform pricing behaviour. Under Articles 15 and in accordance with the “Regulations for the Implementation of the Consumer Rights Protection Law” and Price Law, platform operators and businesses are prohibited from using data, algorithms, or platform rules to set different prices for the same goods or services for different consumers under identical conditions without their knowledge. This ban applies when the price variation is based on consumer information such as their willingness to pay, ability to pay, or consumption habits. Additionally, platform operators must not engage in price discrimination against businesses operating on their platform. A platform’s long-term free business model may be exempt from this rule if it promotes innovation and improves welfare. Interpretive authority primarily rests with the NDRC, SAMR, and CAC. The regulations take effect on 10 April 2026, and will remain in force for a period of five years.
On 5 December 2025, the Ministry of Industry and Information Technology (MIIT) issued the Measures for the management of industrial technology infrastructure public service platforms (MIIT No. 261 of 2025), which entered into force on the same day. The Measures set up an accreditation system industrial technology infrastructure public service platforms, defined as organisations which provide foundational technical support services for key industries such as information technology, artificial intelligence, metaverse, and quantum information. Entities can apply for public service platform status with the MIIT, which is publishes an official catalogue of successful applicants. Public service platforms must adhere to certain operational principles, strengthen capacity building, and submit annual reports. The MIIT conducts both annual reviews and comprehensive reviews, which can result in a platform being classified as "excellent", "qualified", or loss of its classification status.
On 4 December 2025, the Cyberspace Administration of China published the Initiative on Deepening China-ASEAN Cooperation on Digital Governance, including commitments regarding the AI regulatory framework. The initiative, put forward in September 2025, aims to strengthen communication, exchanges, and practical cooperation regarding AI. Areas of focus include responding to potential risks, standardising security governance, and formulating policies, laws, and regulations related to AI security governance to prevent misuse of AI technologies. The initiative also encourages Chinese AI companies, universities, research institutions, and industrial associations to foster exchanges and cooperation with their ASEAN counterparts. This collaboration intends to promote interoperability and compatibility of sector-specific standards and facilitate the sharing of knowledge, best practices, and experience.
On 2 December 2025, the State Administration for Market Regulation adopted the technical requirements for safety of children's watches. The standard sets provisions for children’s watches designed for users aged 3 to under 14 years, covering structural safety, chemical limits, fire resistance, waterproofing, electromagnetic compatibility, and battery protection. It establishes requirements for data security and personal information protection under the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, including encryption, access controls, prohibitions on advertising, and restrictions on pre-installed applications. The standard also mandates anti-addiction mechanisms, guardian-controlled payment systems, secure communication functions, emergency call features, curated content libraries, and loss-reporting procedures. Additional obligations include clear labelling and instructions, restrictions on biometric data collection and use, secure server-side storage, user account authentication, vulnerability patching, access for guardians to usage records, and emergency location reporting, supported by type-approval testing and conformity of production.
On 2 December 2025, the State Administration for Market Regulation adopted the Technical Requirements of Electronic Product Information Erasure (GB 46864-2025), which enter into force on 1 January 2027. The document specifies the technical requirements for information erasure of electronic products. It applies to the design, development, and verification of information erasure functions. It also provides for the standardisation of the information erasure process in recycling.
On 30 November 2025, enterprises covered by the 2025 Internet of Vehicles (IoV) action plan adopted by the Shanghai Municipal Communications Administration must submit two types of data protection assessments to the municipal authority. First, they must file an annual data security risk assessment report covering the handling of important data, conducted either internally or through a third party. Second, they must submit personal information protection impact assessments for processing activities involving sensitive data, automated decision-making, delegated processing, joint use, public disclosure, or cross-border transfers of personal data. Both obligations apply to IoV enterprises operating in Shanghai, including intelligent connected vehicle manufacturers and vehicle networking platform operators. The assessments must comply with the Data Security Law, the Personal Information Protection Law, and relevant sectoral rules.
On 26 November 2025, the Department of Science and Technology of the Ministry of Industry and Information Technology opened a public consultation on 24 industry standards, until 24 December 2025. The consultation covers standards related to Internet of Things (IoT) applications and artificial intelligence testing. It includes technical requirements for IoT digital twin systems for hot-rolled and cold-rolled steel workshops, unmanned underground-loader driving systems, digital steel-delivery systems, intelligent equipment-fault perception systems, and equipment-level digital twin systems. It also covers requirements for wind-turbine vibration-monitoring sensors, distributed storage systems for video surveillance, data-security requirements for video-surveillance systems, passive smart-warehousing systems, IoT computing-fusion application systems, smart-building operations-management systems, and smart-fishery sensor protocols. The consultation further addresses end-side artificial intelligence pilot-testing standards, including algorithm-robustness evaluation, digital pilot systems, pilot-equipment management, pilot-platform evaluation, pilot-project management, and pilot-verification requirements.
On 22 November 2025, China’s Ministry of Industry and Information Technology (MIIT) closes the public consultation on the guidelines for the development of computing power standards system. The guidelines set out a national framework to standardise and strengthen China’s computing power ecosystem, covering nine areas including general fundamentals, infrastructure, equipment, network integration, interconnection, platforms, applications, security, and green and low-carbon development. It aims to promote the coordinated construction of a nationwide computing power network, enhance interoperability between systems, and improve the efficiency and sustainability of data centre operations.
On 11 November 2025, the Cyberspace Administration of China (CAC) announced the release of filing information for generative artificial intelligence (AI) services under the Measures for the Administration of Generative Artificial Intelligence Services. As of 1 November 2025, 73 new generative artificial intelligence services completed registration with the CAC, and 35 new generative artificial intelligence applications or functions completed registration through local cyberspace administrations. The total number of registered generative artificial intelligence services reached 611, with 306 generative artificial intelligence applications or functions also registered. Furthermore, generative AI applications or functions already online are required to prominently display the filing or registration information of the generative artificial intelligence services used, including the model’s name, filing number, or launch number, on their respective product details pages.
On 5 November 2025, the Department of Science and Technology under the Ministry of Industry and Information Technology closes the public consultation on the mandatory national standard establishing the unique product identification code for civil unmanned aircraft. The national standard sets design obligations requiring integration of the identity code into non-volatile storage, durable physical marking on the body and packaging, access control to prevent modification, and reporting or broadcast capability. It further specifies that identity display must be supported through ground control software to facilitate compliance verification. The national standard also includes lifecycle identification requirements, performance testing for marking durability, functional verification of broadcast and reporting mechanisms, and integrity protection for stored identity data to ensure conformity with national operational supervision specifications.
On 1 November 2025, China's National Information Security Standardization Technical Committee (TC260) Data Security Specifications for Generative Artificial Intelligence Pre-training and Optimisation Training of Information Security Technology standard enters into force. The standard includes a series of design requirements concerning the classification and management of pre-training and fine-tuning data, including the obligation to add metadata such as source information, URLs, dataset names, organisation names, service names, and user identification numbers to all data samples. For fine-tuning data, data samples composed of content generated by generative AI should also include metadata such as the model version and acquisition time. Data collection from websites should record the URLs, while data from organisations or individuals should have transaction contracts, agreements, or authorisation documents. Comprehensive, representative, and regularly updated keyword databases of at least 10'000 keywords should be used to identify data containing security and intellectual property infringement risks, and there should be multiple data sources for pre-training the same type of data. The classification model should completely cover all security risks listed in the appendix.
On 25 April 2025, the National Information Security Standardisation Technical Committee of China (TC260) adopted the national standard "Basic Requirements for Security of Generative Artificial Intelligence Services of Cybersecurity Technology". The standard requires providers to develop intellectual property management strategies to identify risks and to establish a reporting channel for infringements. Before using data for training purposes, providers are required to identify potential copyright infringement risks, especially for data containing literary, artistic, or scientific works. User agreements must address intellectual property risks, and strategies must be updated regularly. Finally, the standard requires providers to publish information on the intellectual property aspects of training data and to support third-party queries on data use.
On 1 November 2025, the national standard "Basic Requirements for Security of Generative Artificial Intelligence Services of Cybersecurity Technology" from the National Information Security Standardisation Technical Committee of China (TC260) enters into force. The standard outlines the requirements that providers of generative artificial intelligence (AI) services must implement during the development process, including the security of training data sources, training data content security, data annotation security, and model security. In addition, it outlines the security obligations after the system is released for public use. The standard requires providers to develop intellectual property management strategies to identify risks and establish a reporting channel for infringements. Before using data for training purposes, providers must identify potential copyright infringement risks, especially for data containing literary, artistic, or scientific works. User agreements should address intellectual property risks, and strategies must be updated regularly. Finally, the standard requires providers to publish information on the intellectual property aspects of training data and support third-party queries on data use.
On 30 October 2025, the Department of Science and Technology under the Ministry of Industry and Information Technology opened a public consultation, until 5 November 2025, on the mandatory national standard establishing the unique product identification code for civil unmanned aircraft. The national standard sets design obligations requiring integration of the identity code into non-volatile storage, durable physical marking on the body and packaging, access control to prevent modification, and reporting or broadcast capability. It further specifies that identity display must be supported through ground control software to facilitate compliance verification. The national standard also includes lifecycle identification requirements, performance testing for marking durability, functional verification of broadcast and reporting mechanisms, and integrity protection for stored identity data to ensure conformity with national operational supervision specifications.
On 29 October 2025, the State Administration for Market Regulation (SAMR) opened a consultation on draft measures for creation of demonstration zones for online market supervision and services, until 13 November 2025. The draft measures provide a framework for identifying and managing administrative areas that demonstrate advanced practices in online market governance. It defines Model Zones as regions with sound regulatory mechanisms, effective service systems, and strong innovation capacity that can serve as examples for nationwide improvement. The SAMR oversees the organisation, evaluation, and management of Model Zones, while provincial market regulation departments handle preliminary reviews, provide guidance, and monitor implementation. Local governments at the city or district level may apply voluntarily to establish Model Zones if they meet criteria such as a solid platform economy foundation, effective regulatory structures, and demonstrated innovation in governance and services. Recognised Model Zones are expected to balance development and regulation, enhance coordination, support fair competition, protect the rights of businesses and consumers, and promote integration between digital and real economies. They should also summarise and share successful regulatory and service innovations for replication elsewhere.
On 27 October 2025, the State Administration for Market Regulation reported that the Cybersecurity Department of the Changsha Public Security Bureau's High-tech Branch, together with public security authorities, investigated a company for fabricating a false online persona, a “former chief female technical hacker at a large tech company”, to promote courses through staged videos. The investigation found that the company had no connection to the claimed identity and had used false advertising to attract traffic and sales. The authorities imposed a CNY 200’000 administrative fine, ordered the removal of all fake content, and cancelled the related accounts. Officials reminded users to verify instructors’ credentials and remain cautious of deceptive online marketing tactics.
On 26 October 2025, the National Cybersecurity Standardisation Committee closes the consultation on a national standard for cybersecurity technology, focusing on the Internet of Things (IoT) security reference model and general requirements. The standard applies to all organisations developing or operating IoT systems across their entire lifecycle. It introduces a three-dimensional security framework with four distinct security zones and lifecycle-mapped requirements. The standard introduces obligations including mandatory data classification and encryption, supply chain security controls, and prioritised use of state-approved cryptographic algorithms. Organisations must use certified equipment for critical components and conduct annual risk assessments with regulatory reporting. The standard provides immediate guidance for IoT security implementation. The standard also serves as the baseline for sector-specific regulations.
On 26 October 2025, the National Cybersecurity Standardisation Committee closes the consultation on the national standard on guidelines and evaluation methods for personal information anonymisation. The standard applies to organisations processing personal data in China, including internet platforms, cloud providers, financial institutions, and research bodies. The standard sets out requirements for irreversible anonymisation, distinguishes anonymisation from pseudonymisation, prescribes technical methods including generalisation, suppression, randomisation, masking and synthetic data. The standard introduces evaluation criteria, including k-anonymity, l-diversity and t-closeness to mitigate re-identification risks, aiming to support compliance with the Personal Information Protection Law while enabling data use.
On 26 October 2025, the Chinese National Network Security Standardization Technical Committee Secretariat (TC260) closes the consultation on the national standard on information security technology open third-party resource authorisation protocol. The standard is addressed to professionals and organisations involved in cybersecurity, identity authentication, and secure communication system development in China. The GB/T (non-binding) standard defines a third-party resource authorisation protocol tailored for cross-domain identity authentication and authorisation services on the Internet. It specifies authorisation flows, grant types, endpoint functions, and message formats between system entities. Drawing from protocols such as OAuth 2.0 and OAuth 2.1, it incorporates China's national cryptographic algorithms and replaces Transport Layer Security with the Secure Sockets Layer VPN protocol specified in domestic cryptographic standards. The document introduces digital certificate-based client authentication and provides requirements for signing and encrypting access tokens. It is applicable to the development, testing, and evaluation of secure authorisation services within the framework of China’s cybersecurity policies.
On 26 October 2025, the Chinese National Network Security Standardisation Technical Committee Secretariat (TC260) closes the consultation on the national standard on network security technical authentication and authorisation, focused on the attribute-based access control model and management specification. The standard applies to organisations and cybersecurity product and service providers, and provides a reference for evaluators and regulators. The standard sets out obligations on attribute, policy, and engine management and requires natural language and digital policy expression with conflict resolution through metapolicies. The standard also mandates audits and maintenance of attribute-based access control engines, and introduces test methods for attributes, policies, and engines. It also outlines cryptographic safeguards for system integrity and confidentiality.
On 23 October 2025, the Legislative Affairs Commission of the Standing Committee of the National People’s Congress (NPC) announced that the draft amendment to the Cybersecurity Law will be submitted for a second review during the 18th session of the 14th NPC Standing Committee, held from 24 to 28 October 2025 in Beijing. Initially reviewed at the 17th session in September 2025, the draft incorporates additional measures following the public consultation conducted from 12 September to 11 October 2025. The proposed amendments update the Law’s cybersecurity framework to align with the Civil Code and the Personal Information Protection Law (PIPL) and introduce provisions on the secure and ethical development of artificial intelligence (AI). It introduces a framework on AI security and development covering algorithm research, infrastructure, ethical standards, and risk monitoring. Further revisions increase penalties for non-compliance, refine obligations for network and critical infrastructure operators, prohibit unapproved sale or certification of cybersecurity products, and include leniency clauses for minor or promptly rectified violations.
On 22 October 2025, China’s Ministry of Commerce opened a consultation, until 28 November 2025, as part of its anti-dumping investigation into imports of certain analogue integrated circuit (IC) chips from the United States. Exporters, importers, and producers are requested to respond using provided questionnaires. The case covers interface chips and gate driver chips using 40-nanometre (nm) and above process technology, classified under tariff code 85423990. The investigation reviews potential dumping between January and December 2024 and industry injury from 2022 to 2024. It was also highlighted that the investigation will conclude by 13 September 2026, with a possible six-month extension.
On 22 October 2025, China’s Ministry of Industry and Information Technology (MIIT) opened the public consultation on the guidelines for the development of computing power standards system, until 20 November 2025. The guidelines set out a national framework to standardise and strengthen China’s computing power ecosystem, covering nine areas including general fundamentals, infrastructure, equipment, network integration, interconnection, platforms, applications, security, and green and low-carbon development. It aims to promote the coordinated construction of a nationwide computing power network, enhance interoperability between systems, and improve the efficiency and sustainability of data centre operations.
On 22 October 2025, the Chinese Ministry of Industry and Information Technology (MIIT) issued a notice listing 20 Internet of Things (IoT) devices found to be collecting and using personal information illegally. The MIIT has ordered the producers of these devices to rectify their practices according to the regulation. The notice is part of a series of special actions on personal data protection conducted jointly by MIIT and other government agencies. The 20 smart terminals identified in the notice include home security cameras, smart locks with facial recognition capabilities, smart speakers, children's phones, learning tablets, and AI-enabled toys. The violations documented in the Notice include the absence of personal information processing rules, transmission of personal information to cloud services, and a lack of permission control mechanisms.
On 21 October 2025, the National Press and Publication Administration (NPPA) issued the domestic online game approval list for October 2025, authorising 159 titles across various categories, including mobile, casual puzzle, client, and web-based games. The approvals covered works including Ao Tu World: Rainbow Collector, Eight Directions Knights, and Ba Huang Adventure, as well as action and adventure games including Legend World: Return, Hero Assault, and Adventure Sky City. Casual puzzle formats were also authorised, including Move Brick Elite, Super Cute Elimination, and Bubble 2048 Battle. Franchise continuations and adaptations featured in the list included My Name is MT: Glory Guard and Tomorrow Ark, while original intellectual property included Legend of the Nine Heavens and Cloud Dream Westward. The authorisations extended to mobile-only releases, combined mobile and client formats, and web-enabled entries.
On 16 October 2025, China’s State Administration for Market Regulation (SAMR) published 10 typical cases of illegal online advertising to illustrate recent enforcement outcomes. In the first three quarters of 2025, market supervision authorities nationwide investigated and handled 22,185 cases of illegal online advertising, imposing total fines of CNY 111 million. Enforcement focused on sectors including medical care, pharmaceuticals, medical devices, health food, and finance, as well as on emerging advertising formats such as live-stream e-commerce and AI-generated advertising.
On 15 October 2025, the Cyberspace Administration of China (CAC) issued the results of an investigation into illegal and irregular self-media accounts involved in the dissemination of military-related information. The investigation was carried out jointly by military and local authorities in accordance with the Regulations on the Management of the Dissemination of Military Information on the Internet. The CAC identified multiple categories of violations, including the unauthorised use of military identities to produce and monetise content, the illegal sale of classified and sensitive military materials, the misinterpretation of official policies concerning military academy admissions, demobilisation, salary guarantees, and recruitment, as well as the publication of AI-generated or defamatory materials that damage the image of the armed forces. A number of self-media accounts, including those impersonating retired personnel or exploiting military imagery, were penalised under the relevant administrative procedures.
On 15 October 2025, the second revision to the Anti-Unfair Competition Law enters into force. The revised law includes consumer-protection safeguards and introduces regulatory provisions addressing unfair competition in digital business operations. Under Article 9, operators are prohibited from making false or misleading commercial advertisements regarding product performance, function, quality, sales status, or user evaluations, or from assisting others through fabricated transactions or false reviews. Article 11 prohibits deceptive prize-based sales practices, including fraudulent schemes or unclear redemption conditions that mislead consumers. Article 13 prohibits the use of data, algorithms, technology, or platform rules to influence user choices or disrupt the normal operation of lawful network products or services, while Article 14 prohibits platform operators from coercing sellers into below-cost pricing through pricing rules. Article 21 requires platform operators to establish fair competition rules, reporting and complaint-handling mechanisms, preserve records, and notify supervisory departments. Violations of these provisions are subject to administrative orders and fines ranging from CNY 50'000 to CNY 5 million under Articles 25 to 30. Articles 33 and 34 further establish obligations to record administrative penalties in operators’ credit records and prioritise civil liability where assets are insufficient to satisfy all obligations.
On 15 October 2025, the Cyberspace Administration of China (CAC) closes the consultation on the measures for identifying internet platform service providers with a large number of minor users and a significant impact on minors. The measures apply to online platforms, smart device makers, and providers of new internet products or applications, specifically those with over 10 million registered minor users or over 1 million monthly active minor users. Platforms must assess their impact on minors and submit reports within 20 working days. Identification of internet platform considers user scale, usage patterns, spending, content for minors, past incidents, and sector influence.
On 15 October 2025, the second revision to the Anti-Unfair Competition Law of the People’s Republic of China, adopted by the Standing Committee of the Fourteenth National People’s Congress on 27 June 2025, enters into force. The revised law introduces regulatory provisions targeting unfair competition in the context of digital business operations. It prohibits, under Article 13, the use of data, algorithms, technology, and platform rules to influence user choices or to hinder or disrupt the normal operation of network products or services lawfully provided by other operators. Article 29 provides that violations of these provisions shall result in an order to cease the illegal conduct and may lead to administrative fines ranging from CNY 100'000 to CNY 1 million, and where the circumstances are serious, from CNY 1 million to CNY 5 million. The law further prohibits, under Article 14, platform operators from forcing or coercively forcing operators on the platform to sell goods below cost through pricing rules. Article 30 introduces corresponding penalties ranging from CNY 50'000 to CNY 500'000, and where the circumstances are serious, from CNY 500'000 to CNY 2 million. Article 21 requires platform operators to establish fair competition rules in platform service agreements and transaction rules, create mechanisms for reporting and complaint handling, preserve records, take necessary disposal measures, and report unfair competition to the supervisory and inspection department of the people’s government at or above the county level. The revised law also introduces obligations under Article 33 to record administrative punishments in operators’ credit records and disclose them pursuant to law, and under Article 34, establishes the prioritisation of civil liability where the operator’s assets are insufficient to satisfy civil, administrative, and criminal liabilities.
On 14 October 2025, the Cyberspace Administration of China and the State Administration for Market Regulation adopted the Measures for the Authentication of Personal Information Exported Abroad (Order No. 20), which will enter into force on 1 January 2026. These measures apply to personal information processors who provide personal information outside the People's Republic of China through personal information protection certification. The measures define personal information export certification as a conformity assessment by professional certification bodies, verifying that processors' cross-border data activities comply with relevant laws, regulations, standards, and technical specifications. The certification is applicable to non-critical information infrastructure operators who have provided overseas the personal information of more than 100'000 but fewer than 1'000'000 individuals (excluding sensitive personal information) or the sensitive personal information of fewer than 10'000 individuals since 1 January of the current year. Important data is excluded, and processors must not split quantities to avoid mandatory security assessments. Before applying for certification, processors must fulfil obligations such as obtaining individual consent and conducting a personal information protection impact assessment. This assessment focuses on the legality, necessity, scope, and risks of data processing by both the processor and overseas recipient, along with the impact of recipient country policies. Professional certification bodies conduct activities in accordance with specified rules, issuing certificates valid for three years.
On 13 October 2025, the Cyberspace Administration of China (CAC) announced the 20th batch of domestic blockchain information service registration numbers under the national blockchain regulations. The list covers 30 entities across provinces, including Guangdong, Zhejiang, Jiangsu, and Shanghai. It applies to blockchain platforms in sectors including digital assets, cultural trading, and smart technology. The list included Anhui Cultural Property Exchange Co., Ltd., Guangzhou Chainplay Information Technology Co., Ltd., Zhejiang Cultural Property Exchange Co., Ltd., Shanghai Xin Hao Technology Co., Ltd. and Hainan Unlimited Chain Technology Co., Ltd.
On 12 October 2025, the Cyberspace Administration of China closes the consultation on draft regulations on the establishment of personal information protection supervisory committees on large-scale online platforms. The draft regulations aim to guide and regulate how large-scale platforms establish and operate these committees to oversee personal information protection and promote compliance. The draft regulations apply to platforms that provide important internet platform services, have significant user bases, and complex business operations. Under the draft regulations, a Personal Information Protection Supervisory Committee is an independent body, mainly composed of external members, responsible for supervising personal data protection. Committees must have at least seven members, with two-thirds being external, to ensure independence and expertise. They are required to hold quarterly meetings to review compliance systems, data protection rules, sensitive data handling, impact assessments, and social responsibility reporting, and must maintain a communication mechanism for user concerns.
On 11 October 2025, the Parliament of China closes its consultation on the Cybersecurity Law (Amendment Draft). It proposes increasing penalties for network operators and critical information infrastructure operators that fail to fulfil their cybersecurity protection obligations, introducing tiered fines for severe incidents such as large-scale data leaks or loss of critical infrastructure functionality. The Bill also prohibits the sale or provision of network equipment and cybersecurity products without required security certification or testing and increases penalties for engaging in unauthorised cybersecurity certification, testing, or risk assessment activities, or for disclosing cybersecurity vulnerabilities and attack information without approval. Additional provisions penalise critical information infrastructure operators that use network products or services that have not undergone, or have failed, mandatory security reviews. The Bill clarifies the liability for network operators that fail to handle illegal online information in accordance with regulatory requirements and consolidates provisions addressing personal information infringements and cross-border data transfers. It further introduces leniency clauses allowing administrative penalties to be reduced or waived when violations are minor, promptly corrected, or not intentional.
On 10 0ctober 2025, the Ministry of Industry and Information Technology (MIIT) opened a consultation on the pilot commercial trials for satellite Internet of Things (IoT) services, until 9 November 2025. The pilot applies to telecommunications and commercial aerospace companies providing wide-area IoT connectivity through satellite for devices, vehicles, and vessels. It provides that eligible firms must be legally registered, financially and technically capable, and adhere to requirements on network and data security, service quality, user protection, lawful device access, and radio spectrum management. MIIT and local Communications Administrations will oversee applications, monitor compliance, and evaluate trial outcomes, with non-compliant enterprises subject to exit. The two-year pilot will inform future formal implementation of satellite IoT services.
On 10 October 2025, the State Administration for Market Regulation (SAMR) announced the initiation of an investigation into Qualcomm for suspected violations of the Anti-Monopoly Law. The investigation concerns Qualcomm’s acquisition of Autotalks, which SAMR alleges was not properly declared as a concentration of undertakings as required by law. According to the announcement, the investigation aims to determine whether the transaction constitutes an unnotified concentration that could restrict or distort competition in the Chinese market. The proceedings were initiated under the Anti-Monopoly Law of the People’s Republic of China and relevant procedural provisions.
Last updated: 13/04/2026