China enforces new cybersecurity standards in move to bolster digital security
The new standards touch on key areas such as network security, technical controls for information systems, and detailed requirements for smart devices, including internet-connected door locks.

On 1 April 2025, China enacted a new set of nine national cybersecurity standards. Introduced jointly by the General Administration of Market Supervision and Administration (GAMSA) and the National Standardisation Administration of the People’s Republic of China (NSAIC), the rollout marks another step in China’s evolving approach to cybersecurity, emphasising tighter governance and increased accountability across both public and private sectors.
The new standards touch on key areas such as network security, technical controls for information systems, and detailed requirements for smart devices, including internet-connected door locks. While technical in nature, their impact is expected to ripple through a wide spectrum of industries, especially those reliant on digital infrastructure or data-driven business models.
These standards do not stand in isolation—they are designed to work in tandem with existing legislation, particularly the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL). Together, these laws and standards form a legal framework that reflects Beijing’s ambition to close regulatory gaps, respond more quickly to emerging threats, and better safeguard national interests in a digital age.
Their introduction comes just months after the revised Network Data Security Management Regulations came into effect on 1 January 2025. Those regulations placed stricter controls on cross-border data flows, set clearer requirements for internet platform providers, and reinforced obligations around the protection of personal information. The convergence of these measures paints a picture of a regulatory environment that is rapidly maturing, with a clear message: cybersecurity is no longer a background issue – it is a central pillar of national governance.
For businesses operating in China, these developments demand more than passive attention. Compliance will now require a more aggressive posture: reassessing internal cybersecurity policies, implementing tighter technical controls, and, in many cases, securing certifications for network products and services. Risk assessments will need to be more thorough, especially where third-party service providers or critical information infrastructure (CII) are involved. Companies engaged in cross-border data transfers should expect additional scrutiny and a higher bar for legal compliance.
In practical terms, these changes are likely to increase the operational and compliance burdens on firms, but they also offer a clearer, albeit stricter, framework within which to operate. As the regulatory landscape continues to shift, businesses will need to adapt quickly or risk falling foul of heightened enforcement.