Data sovereignty and China regulations

It's ultimately your obligation to comply with your own regulatory requirements. We commit to compliance with data protection and privacy laws generally applicable to IT service providers. If you're subject to any specific data sovereignty requirement, or other industrial or jurisdictional requirements, you need to make your own assessment and take necessary steps to ensure compliance.

China Cybersecurity Law

The Cybersecurity Law of the PRC ("CSL") has been in effect since June 1, 2017. The law governs network security and cyberspace activities in the PRC. It requires network operators in the PRC to take appropriate measures to safeguard network security, prevent illegal activities, and maintain confidentiality of network data. Under the CSL, operators of critical information infrastructure ("CII") in the PRC are subject to special requirements in connection with procurement of products and services and cross-border transfer of data.

In particular, an operator of CII is subject to the data sovereignty requirement. "Personal information" and "important data" that is generated or collected by such an operator in the PRC must be stored in the PRC, and cross-border data transfer is subject to security assessment and government approval.

The CSL doesn't provide much guidance on how the cyber security assessment should be conducted. Draft regulations and draft guidelines that set out the framework for cyber security assessments in greater detail have been issued, but they have not been passed yet. As of July 2020, Azure China isn't formally categorized as "CII".

Under the Cybersecurity Review Measures issued in 2020, purchase of network products and services purchased by CII operators, which affects or may affect national security, shall also be subject to cybersecurity review.

Real name verification

Per the China legal requirement, online service providers have an obligation to verify the real name of users. For business entity users, a state-registered business license is required for real name verification.

ICP licensing and filing

Internet content providers (ICPs) must apply with the China Ministry of Industry and Information Technology (MIIT) for one of the following types of ICP numbers:

  • Commercial ICP services require an ICP license. All operators providing commercial ICP services in China must get an operation license from the MIIT or its branch offices.

  • Non-commercial ICP services must submit an ICP filing. To operate non-commercial ICP services, the operator must file a record, known as an ICP filing, with the MIIT or its branch offices.

Display your ICP license or filing numbers in the small print in website footers of the home page. Without an ICP license or ICP filing record, the domain and the website will be blocked.

Visit 21Vianet application website (in Chinese) to proceed.

Public security registration

When you have obtained the ICP filing or license mentioned above, you shall continue to apply for filing at the local police station within 30 days. For more information, see the Internet Security Management Service Platform (in Chinese).

VPN and dedicated lines

You may use a VPN or dedicated lines for your own office or operation purpose, as long as it is purchased from a qualified vendor with a valid operating license.