China: Ministry of Public Security closes consultation on Law on the Prevention and Control of Cybercrime including authorisation requirements

On 2 March 2026, the Ministry of Public Security closes the public consultation on the Law on the Prevention and Control of Cybercrime. Article 25 establishes a tiered authorisation regime for conducting cybersecurity testing activities such as penetration testing. It requires provincial-level approval or operator authorisation for tests on networks with security level 3 or higher, and either city-level approval or operator authorisation for lower-level networks. All such tests require a 5-day advance notification to county police. Article 32 mandates that any development or provision of attached client software that could impact service operations or fair trade must receive explicit authorisation from the internet service provider. Violations of either article leading to disruption of network services may result in business suspension, shutdown, or revocation of licenses. It may also result in fines of 1-10 times the unlawful gains or up to RMB 500’000 if such gains are under RMB 50’000, as well as detainment up to 15 days. Administrative penalties are recorded in credit files.