NDSMR: Increased Network Security Requirements

Starting in January 2025, China’s Network Data Security Management Regulations (NDSMR) will come into effect. The new guidelines aim to link the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL), thereby strengthening, complementing, and refining data protection. This integration enhances legal enforceability and reduces the burden on businesses while providing authorities with a detailed and practical legal basis for future enforcement measures. German and European companies with branches in China face the task of auditing and, if necessary, upgrading their IT systems for compliance with the NDSMR.

A structured audit process is required for reviewing IT systems under NDSMR. Initially, a comprehensive regulatory analysis should be conducted to understand the requirements of the NDSMR in detail. A gap analysis of the existing IT systems helps identify security vulnerabilities, followed by an assessment of network security. Systems like firewalls, VPNs, and Intrusion Detection Systems should be tested for performance and compliance. An important aspect is access control, including zero-trust models and modern encryption techniques. These measures protect sensitive corporate data and help meet NDSMR requirements. The regulations require comprehensive monitoring and reporting systems to ensure that security-relevant incidents are detected and analyzed early on.

Upon completion of the audit, a detailed report is created, documenting vulnerabilities and providing modernization recommendations. Modernization according to the NDSMR includes essential hardware and software components, such as firewalls and VPNs. Existing Western equipment should be checked for compliance in China and replaced if necessary.

Under NDSMR, there may be regulatory restrictions on Western technologies, especially in security-critical infrastructure. In certain cases, the use of Chinese components, such as those from Huawei or H3C, may be preferred or even required by authorities. Western systems like Oracle, Cisco, or IBM QRadar are used in China, provided they comply with local regulations and meet data localization requirements. Products from vendors like Huawei or Tencent are fully adapted to regulatory requirements and offer advantages for integration into local networks. A hybrid strategy that incorporates both Western and Chinese technologies may be the best solution for multinational companies to align global standards with local regulations.

CHINABRAND will address the topic of NDSMR in a webinar on 23 January 2025 at 10am. Registration link: https://register.gotowebinar.com/register/6892359450698165852
