Skip to main content

Cyber Crime in China: Legal Risks and Defense for Foreign Businesses

16. July 2026

The Cyber Crime Landscape in China

China has experienced a dramatic increase in cyber crime prosecutions over the past decade, driven by both the rapid digitization of the economy and the government's enhanced focus on online security. For foreign businesses operating in China, understanding the legal framework governing cyber crime is essential for compliance and risk management. The legal consequences of cyber-related offenses can be severe, with penalties ranging from substantial ...

The Cyber Crime Landscape in China

China has experienced a dramatic increase in cyber crime prosecutions over the past decade, driven by both the rapid digitization of the economy and the government's enhanced focus on online security. For foreign businesses operating in China, understanding the legal framework governing cyber crime is essential for compliance and risk management. The legal consequences of cyber-related offenses can be severe, with penalties ranging from substantial fines to lengthy prison terms.

Legal Framework

Cyber crime in China is governed by multiple legal instruments. The Criminal Law establishes the core offenses through Articles 285 and 286, addressing illegal intrusion into computer information systems and destruction of computer systems. The Cybersecurity Law of 2017 imposes broad obligations on network operators and establishes administrative penalties for security failures. The 2021 Data Security Law adds another layer of compliance requirements for companies handling data in China.

OffenseLegal BasisMaximum PenaltyKey Elements Required for Prosecution
Illegal intrusion into computer systemsCriminal Law Article 2857 years imprisonmentUnauthorized access to specified categories of computer systems
Destruction of computer systemsCriminal Law Article 2867 years imprisonmentDeletion, modification, addition, or disruption of system functions
Online fraudCriminal Law Article 266Life imprisonmentFraud using internet platforms, specific amount thresholds
Identity theft and data breachCybersecurity Law Articles 40-42Administrative fines plus potential criminal liabilityCollection or disclosure of personal information without consent

Online Fraud

Online fraud is the most frequently prosecuted cyber crime in China. The Supreme People's Court and Supreme People's Procuratorate Interpretation on telecom and online fraud cases establishes clear thresholds. Fraud involving RMB 3,000 or more constitutes a large amount triggering criminal liability. Fraud involving RMB 50,000 or more is considered a huge amount, and fraud exceeding RMB 500,000 is an especially huge amount carrying potential sentences of 10 years to life imprisonment.

The 2021 Interpretation on telecom and online fraud established that the number of defrauded persons, the total amount involved, and whether the fraud caused serious consequences such as victim suicide or mental illness are all aggravating factors for sentencing. Cross-border cyber crimes and crimes targeting elderly victims receive especially severe punishment, leading to a significant increase in both prosecutions and average sentence lengths.

Digital Evidence

Digital evidence has become central to cyber crime prosecutions. The Supreme People's Procuratorate's regulations on electronic data specify that chat records, transaction logs, IP addresses, server data, and digital payment records may all serve as admissible evidence if collection procedures comply with legal requirements. Defense counsel should examine whether digital evidence was obtained lawfully, as Article 54 of the Criminal Procedure Law requires that illegally obtained evidence be excluded from trial.

Corporate Compliance

Foreign-invested enterprises face specific cyber crime risks. Employees may engage in unauthorized data access or disclosure, exposing the company to regulatory penalties and criminal liability. External attackers may target corporate systems, and failure to implement adequate security measures can result in administrative sanctions under the Cybersecurity Law. Companies should establish comprehensive cyber security protocols, conduct regular employee training, and maintain incident response procedures that include immediate engagement of legal counsel with cyber crime expertise.

Responding to Investigations

If a foreign-invested enterprise becomes the subject of a cyber crime investigation, immediate action is required. The company should preserve all relevant electronic evidence, instruct employees not to delete files or communications, engage legal counsel with cyber crime expertise, and cooperate with authorities in a structured manner that protects corporate interests while demonstrating good faith. A coordinated response can significantly influence the outcome of the investigation and any subsequent proceedings.

International Cooperation in Cyber Crime Cases

China has become increasingly active in international cooperation on cyber crime matters. The Mutual Legal Assistance framework allows Chinese authorities to request assistance from foreign counterparts in investigating and prosecuting cyber crimes, including the collection of digital evidence located abroad. The 2021 Data Security Law imposes restrictions on cross-border data transfers, which can complicate international cooperation in cases involving foreign companies.

For foreign businesses operating in China, understanding the intersection of Chinese cyber crime law and international cooperation mechanisms is essential. If a foreign company's systems are compromised and the attacker is located abroad, Chinese authorities may seek assistance through mutual legal assistance channels. Conversely, if Chinese authorities investigate a foreign company for alleged cyber crimes, they may seek evidence from the company's home jurisdiction through these same channels.

The Cybersecurity Law requires that network operators store certain categories of data within China and cooperate with Chinese authorities in investigations. This creates potential conflicts of law for foreign companies whose home jurisdictions may restrict the sharing of certain data with foreign governments. Companies should develop protocols for responding to Chinese government requests for data that address these potential conflicts while maintaining good-faith cooperation with authorities.

Cyber Crime Prevention for Foreign Businesses

Preventing cyber crime requires a comprehensive approach that addresses both technical vulnerabilities and human factors. Foreign-invested enterprises in China should implement robust cyber security measures including firewalls, intrusion detection systems, encryption for sensitive data, and regular security audits. The Cybersecurity Law requires network operators to implement a multi-layered security protection system and to report security incidents to authorities within the timeframes specified in the law.

Employee training is equally important. Many cyber crimes originate from inside the organization, whether through intentional misconduct or inadvertent security lapses. Companies should establish clear policies on data access, password management, and acceptable use of company systems. Regular training sessions should cover topics such as phishing awareness, social engineering, and proper handling of sensitive data. Employees who handle financial transactions or have access to customer data should receive additional training on fraud prevention.

Incident response planning is essential for minimizing the impact of a cyber crime incident. Companies should develop and regularly test incident response plans that address detection, containment, eradication, and recovery. The plan should designate a response team with clear roles and responsibilities, establish communication protocols for internal and external stakeholders, and include procedures for preserving evidence that may be needed for criminal prosecution or regulatory reporting. Engaging legal counsel with cyber crime expertise as part of the incident response team ensures that the company's legal interests are protected from the outset of any incident.

Building a culture of cyber security awareness within the organization is an ongoing process that requires leadership commitment and regular reinforcement. Companies should designate a senior executive with responsibility for cyber security and data protection, provide regular updates to the board on cyber security risks and incidents, and integrate cyber security considerations into all business decisions involving technology and data. Foreign companies that demonstrate a strong commitment to cyber security compliance in China are better positioned to respond effectively to investigations when they arise.

Legal Framework for Cyber Crime Prosecution in China

China has developed a comprehensive legal framework to address cyber crime, anchored by the Criminal Law amendments and the Cybersecurity Law of the People's Republic of China which took effect in June 2017. Article 285 of the Criminal Law prohibits illegal intrusion into computer information systems, with penalties including up to seven years imprisonment for intrusion into systems classified as critical information infrastructure. Article 286 addresses the destruction of computer systems and data, while Article 287 specifically targets crimes committed through telecommunications networks, computers, or other information technology. Foreign businesses must also comply with the Personal Information Protection Law (2021), which imposes strict data handling obligations that, if violated, may trigger both administrative sanctions and criminal liability.

Practical Safeguards for Foreign Companies

To minimize legal exposure to cyber crime allegations, foreign companies operating in China should establish a dedicated information security management system that aligns with the Multi-Level Protection Scheme (MLPS 2.0) requirements. This includes implementing data classification protocols, conducting annual security assessments by accredited third-party firms, and maintaining access logs for at least six months as required by law. Employee training programs should address prohibited conduct including unauthorized data extraction, use of unapproved external storage devices, and circumvention of network monitoring tools. In the event of a cyber security incident, companies must report to the local public security bureau within 24 hours and cooperate fully with any criminal investigation, as failure to report can itself constitute an independent violation.

About the Author

Yuchen Sun

Yuchen Sun

Related Legal Topics


Other lawyers have the same expertise

Haoran Wei — Administrative Disputes lawyer in Futian, Shenzhen, advising foreign clients on tax administrative recon...
Zichen Gu — Product Liability Insurance lawyer in Guangming, Shenzhen, advising foreign clients on product liability ...
Xinyi Duan — Product Quality Breach lawyer in Pingshan, Shenzhen, advising foreign clients on product quality breache...
Qichen Tang — Sexual Harassment lawyer in Longgang, Shenzhen, advising foreign clients on workplace investigations, s...
Boyang Cao — Unfair Competition lawyer in Longhua, Shenzhen, advising foreign clients on unfair competition remedies ...
Ruoxi Shen — Copyright lawyer in Yantian, Shenzhen, advising foreign clients on copyright licensing and withholding tax.