China: Cyberspace Administration closes consultation on draft Regulation on Protection of Personal Information on Large-scale Online Platforms including cybersecurity requirements

On 22 December 2025, the Cyberspace Administration of China closes the consultation on the draft Regulation on the Protection of Personal Information on Large-scale Online Platforms. The regulation would apply to large-scale online platforms developed or operated within China, as identified by internet regulator agencies according to criteria such as the number of registered users (50 million), monthly active users (10 million), the provision of important network services or multiple types of business, and the processing of data which, if compromised, could have serious consequences for national security or the economy. The regulation would require providers of large-scale online platforms to store personal information in data centres located in China. These data centres would be subject to cybersecurity obligations, including immediately taking remedial measures on detection of security defects and loopholes, reporting to relevant authorities, and notifying the person in charge of personal information protection at the large-scale online platform. The occurrence of a personal information security incident would require the immediate notification of the person in charge of personal information protection at the large-scale online platform, the timely launch of an emergency response plan, and the proper notification of the relevant authorities.