CHINA
Since April 2009, entry into force in October 2009
Pillar Online sales and transactions |
Sub-pillar Maximum foreign equity share for investment in the e-commerce sector
Postal Law of the People's Republic of China 《中华人民共和国邮政法》
According to Art. 51 of the Postal Law of the People's Republic of China, a specific license is needed for express delivery business. It is reported that the administrative licensing for express delivery services is non-transparent and burdensome, preventing competition. It is reported that as companies are required to apply to each city where there is a postal administration department, they need to go through at least 350 review and approval processes if they want to operate at the national level.
Coverage Express delivery services
CHINA
Since 1999
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Restrictions on encryption standards
Regulation on Commercial Encryption 《关于商业加密的规定》
Without a sales certificate provided by China’s National Commission on Encryption Code Regulations (NCECR), it is illegal to sell products using Commercial Encryption Codes (CEC). It is also prohibited to use CEC products not certified by the NCECR. The public promotion and/or exhibition of CEC products must be reported to and approved by the NCECR in advance.
To obtain the certificate, the company must fulfill three requirements:
- They must be staffed with personnel who are knowledgeable in CEC product information and capable of providing post‑sales services;
- They must be able to provide full sales services and be equipped with safety regulations;
- They must also have the rights of an independent juridical unit.
Coverage Encryption products
CHINA
In 2012
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Restrictions on encryption standards
ZUC Encryption 《祖冲之算法》
The Ministry of Industry and Information Technology (MIIT), in concert with the State Encryption Management Bureau, informally announced in early 2012 that only domestically developed encryption algorithms, such as ZUC, would be allowed for use in the network equipment (mobile base stations) and mobile devices comprising 4G TD-LTE networks in China. In addition, an industry analysis published by MIIT suggests that burdensome and invasive testing procedures threatening companies’ sensitive intellectual property could be required.
Although a globally accepted standard (3GPP) already exists, ZUC is de facto often required in order to enter the Chinese market, along with invasive testing requirements (source code review). These requirements potentially violate bilateral commitments with the US and a commitment that China made to its trading partners in 2000, stating that China would permit the use of foreign encryption standards in IT and telecommunication hardware and software for commercial use and that it would only impose strict “Chinese-only” encryption requirements on specialized IT products whose “core function” is encryption.
Coverage 4G telecommunication equipment (LTE)
CHINA
Since 2009 (unpublished requirement)
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Restrictions on encryption standards
WAPI Wireless Local Area Network (WLAN) standard WAPI 《无线局域网》(WLAN)标准
A locally developed encryption standard (WAPI) is required to be used in all wireless equipment despite the existing international standard IEEE 802.11i.
Coverage Wi-Fi enabled devices
CHINA
Since July 2015
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Product screening and additional testing requirements
National Security Law of the People's Republic of China 《中华人民共和国国家安全法》
The National Security Law foresees the rollout of a “secure and controllable” internet infrastructure. Under the National Security Law, the State can establish national security review and oversight management systems and mechanisms, conduct national security review of foreign commercial investment, special items and technologies, internet information technology products and services, projects involving national security matters, as well as other major matters and activities, that impact or might impact national security.
Coverage Horizontal
CHINA
Since 1999
Since October 2019
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Product screening and additional testing requirements
Regulation on Commercial Encryption 《关于商业加密的规定》
Cryptography Law of the People's Republic of China, 2019 《中华人民共和国密码法》, 2019
Imported and exported encryption products must be certified by the Office of State Commercial Cryptography Administration (OSCCA). The use of encryption products without OSCCA certification is prohibited, regardless of public, commercial or individual nature of use. However, it is reported that, in practice, only Chinese or Chinese-owned companies are eligible for OSCCA certification to sell, produce and carry out R&D for encryption technology in China, as well as to gain product licensing. Foreign or foreign-owned companies, even if based in China, are excluded. In 2007, OSCCA started to consider products such as Trusted Platform Module (used in computers) or smartcards (used in banking, insurance, health, transport, etc.) as core encryption products. As a result, such products could no longer be produced or sold by foreign or foreign-invested companies.
Under the Cryptography Law, import and export of commercial encryption products, technologies and services remains subject to government approval. Commercial encryption products that may affect national security, public interest and have encryption-based protective functions can only be imported under a permit. The Ministry of Commerce together with the OSCCA and the General Administration of Customs will issue catalogues of commercial encryption products that are subject to the above import permit and export controls. The aforesaid requirements will not apply to commercial encryption used in "products for consumption by general population". However, the Cryptography Law does not define the term, leaving it unclear how this will be implemented in practice.
The Cryptography Law has removed the requirement for mandatory certification and has instead established a voluntary certification scheme, which encourages manufacturers to apply to qualified agencies for the testing and certification of their commercial encryption products. The products set out in the Product Catalogue will no longer be subject to mandatory approval requirements before launching their product in the market. The voluntary certification will provide a marking which will serve to assure customers that their commercial encryption products conform with Chinese encryption standards. Products included in the product catalogue are smart password key, smart IC card, ATM application system, security authentication, financial data encryption machine etc.
Coverage Encryption products
Sources
- http://www.lexology.com/library/detail.aspx?g=c20a0a51-a667-417a-8e96-c473b1eecfaf
- https://www.insideprivacy.com/data-security/china-enacts-encryption-law/
- https://www.freshfields.com/en-gb/our-thinking/campaigns/digital/data/china-rules-on-encryption/
- http://www.ft.com/cms/s/0/f57ea55c-1f52-11df-9584-00144feab49a.html?ft_site=falcon&desktop=true#axzz4l7WmL1Ho
- https://www.oscca.gov.cn/sca/xwdt/2020-05/11/content_1060749.shtml
- http://www.npc.gov.cn/npc/c30834/201910/6f7be7dd5ae5459a8de8baf36296bc74.shtml
CHINA
Reported in 2007
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Self-certification for product safety
Administrative Measures for the Multi-level Protection of Information Security 《多层次保护信息安全的行政措施》
(i) GB/T 22239-2019 Information Security Technology – Baseline for Multi-level Protection of Cyber Security; (ii) GB/T 25070-2019 Information Security Technology – Technical Requirements of Security Design for Multi-level Protection of Cyber Security; and (iii) GB/T 28448-2019 Information Security Technology – Evaluation Requirement for Multi-level Protection of Cyber Security (together known as "MLPS 2.0") (i) GB/T 22239-2019《信息安全技术--网络安全多级防护基准》; (ii) GB/T 25070-2019《信息安全技术--网络安全多级防护安全设计技术要求》; (iii) GB/T 28448-2019《信息安全技术--网络安全多级防护评估要求》(合称《MLPS 2.0》)
The MLPS requires all IT systems in China to be classified on different levels of security, from one to five (with the most sensitive systems designated as level 5). The MLPS 2.0 has expanded the definition of 'information systems' to broader systems including network infrastructure, cloud computing systems, mobile application platforms, connected devices and industrial control systems.
The MLPS 2.0 requires networks of level 3 and above to adopt network products and services appropriate to their security protection levels. For companies classified as level 2 and above, the procurement and use of encryption products and services must be preapproved by the Chinese government. Under the MLPS 2.0, companies must self-assess their security management and compliance, and such assessment results are evaluated and endorsed by the MLPS regulatory body.
The MLPS 2.0 requires companies to set up their cloud infrastructure, including servers, virtualized networks, software, and information systems, in China. Such cloud infrastructures are subject to testing and evaluation by the Chinese government. Overseas operation and maintenance of Chinese cloud computing platforms must also follow Chinese laws and regulations. The national standards also state that customers' data and users' personal information processed by cloud service providers should be stored inside China, which is an additional requirement. It is currently uncertain how these national standards would be enforced and there have not yet been reports of enforcement.
Coverage Information Systems including network infrastructure, cloud computing systems, mobile application platforms, connected devices and industrial control systems
Sources
- http://www.ustr.gov/sites/default/files/2014%20TBT%20Report.pdf
- http://csis.org/publication/national-security-and-chinas-information-security-standards
- http://www.amchamchina.org/information-cyber-security
- https://www.amcham-shanghai.org/en/article/mlps-20-set-take-effect-december-1
- https://assets.kpmg/content/dam/kpmg/cn/pdf/en/2019/05/mlps-insights-strategies.pdf
- https://www.csis.org/analysis/how-chinese-cybersecurity-standards-impact-doing-business-china
- https://www.tanovo.com/upload/sitearticle_file/208/【等保2.0-正式发布版】GBT25070-2019信息安全技术网络安全等级保护安全设计技术要求.pdf
CHINA
Radio Type Approval since January 1996
Network Access License since June 2001
China Compulsory Certification since August 2003
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Self-certification for product safety
State Radio Regulation of China SRRC 无线电设备型号核准证(SRRC)
Network Access License (NAL) 进网许可证(NAL)
China Compulsory Certification (CCC) requirement 中国强制认证(CCC)要求
China’s current certification requirements for telecommunications equipment are reported to conflict with its WTO obligations of limiting imported products to no more than one conformity assessment scheme and requiring the same mark for all products (Article 13.4.a of China’s WTO Accession).
China has three different licensing regimes: State Radio Regulation of China (SRRC), the Network Access License (NAL) and the China Compulsory Certification (CCC). The CCC is required for a list of products that includes many types of IT products, video and audio equipment etc. The NAL is required for all telecommunications equipment in China. The NAL license requires extensive testing and support and may include network trials and review of the product by a local panel of experts, in addition to laboratory testing against China's national standards. Radio communication equipment intended to be marketed in China requires radio type approval granted by the Ministry of Industry and Information Technology of the People’s Republic of China (MIIT)’s ‘State Radio Regulation Committee’ (SRRC). Specified equipment samples are tested in designated laboratories according to local Chinese standards.
Therefore, for a given piece of equipment, it can cost between USD 30,000-35,000 to test for all three licenses (SRRC, NAL, and CCC). The CCC mark is used for both Chinese and foreign products. Moreover, all testing for the CCC mark must be conducted in China and US exporters are often required to submit their products to Chinese laboratories for additional tests.
The CCC certificate and permission of printing the CCC mark must be renewed annually as part of a follow-up certification. Part of the follow-up certification is also a one-day factory audit.
China is also reported as having limitations on foreign-invested conformity assessment bodies in the country.
Coverage Electrical and ICT goods
Sources
- http://www.tiaonline.org/gov_affairs/fcc_filings/documents/P%20Telecommunications%20Industry%20Association%201377%20Report.pdf
- http://www.china-certification.com/en/network-access-license-nal-for-telecommunication-equipment
- http://www.china-certification.com/en/list-of-ccc-mandatory-products
- http://www.cnca.gov.cn/cnca/cncatest/20040420/column/227.htm
- http://www.typeapproval.com/china#telecommunications-equipment
- https://www.tuv.com/market-access-services/en/certification-filter/srrc-approval.html
- http://www.gov.cn/flfg/2009-07/21/content_1369826.htm
- http://www.lcs-rf.com/readnews.asp?id=158
- http://www.tinglitu.com/html/200305/law_97539.html
CHINA
Since July 2009
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Self-certification for product safety
Revised Management Regulations for Compulsory Product Certification (CCC) 《修订后的强制性产品认证(CCC)管理规定》
Since 2009, Administration of Quality Supervision, Inspection, and Quarantine (AQSIQ) bureaus have greater authority to conduct on-site investigations and increase penalties for non-compliance.
The regulations add more categories of non-compliance and refine and expand penalties. They also penalize companies that counterfeit or sell CCC marks or use canceled or expired certification documents. The revised regulations also raise fines for some violations: the fine for companies that are certified but do not apply CCC labels to their products has doubled to ¥20,000 ($2,928). The new provisions specify a five-year validity period for CCC certification and require a company to apply for an extension within 90 days of expiration.
Coverage ICT goods
CHINA
Accessed in January 2016
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Self-certification for product safety
China Compulsory Certification (CCC) requirement 中国强制认证(CCC)要求
Companies have expressed concerns about duplication of safety certification requirements, particularly for radio and telecommunications equipment, medical equipment, and automobiles, which results in increased costs and slows down product introduction in the market.
Twelve categories of ICT products and nine categories of telecommunication equipment are subject to compulsory EMC and safety regulation. Whether EMC, safety only or both tests are required depends on the certification guidelines for a particular product. Suppliers' declaration of conformity is not sufficient, while certification by a third party and/or certification by a government agency is not accepted unless the third party meets the requirements prescribed in Articles 10 and 11 of the Regulations of People's Republic of China on Certification and Accreditation.
Moreover, China retains the right to reconfirm sample machines or conduct tests on inconsistent items.
Coverage Twelve categories of ICT products and nine categories of telecom equipment
CHINA
Since October 2019
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Self-certification for product safety
Omission of Compulsory CCC Certification for Certain Products and Implementation of CCC Self-Declaration for Other Products 对某些产品不进行强制性CCC认证,对其他产品实施CCC自我声明
The Self-Declaration of Compulsory Product Certification has two product types known as “Type A” and “Type B.” Type A products may be tested in a company's own or self-determined laboratories, whereas Type B products must be tested in laboratories accredited by the Chinese authority CNAS. Products for which self-certification is allowed include electrical tools, IT equipment, and certain audio and video equipment. The complete list of the products is set out in Annex 2 of the notification.
Coverage Several products including IT, audio and video equipment
CHINA
Since August 2003
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Self-certification for product safety
China Compulsory Certification (CCC) requirement 中国强制认证(CCC)要求
It is reported that China applies the China Compulsory Certification (CCC) mark requirement inconsistently and that many Chinese produced goods continue to be sold without the mark.
Coverage Several goods including electrical/electronic products and ICT products
Sources
- http://web.ita.doc.gov/ITI/itiHome.nsf/ea087b1279d5fb1985256ce00053c33c/473d375d186b10e085256f42005caef5?OpenDocument
- http://www.china-certification.com/en/list-of-ccc-mandatory-products
- http://www.cnca.gov.cn/mra/NewZealand/english/ccccertificationofproductfromnewzealand/cccimplementationrules/images/2009/11/30/71A7AB5F47453E4B644ECA6FB43A79FA.pdf
- http://www.gov.cn/flfg/2009-07/21/content_1369826.htm
CHINA
Reported in 2012
Pillar Technical standards applied to ICT goods and online services |
Sub-pillar Open and transparent standard-setting process
Lack of foreign participation in standard-setting
It is reported that most of the standards are drafted by the Chinese government alone, without foreign or public input. Even if foreign companies are allowed to sit in on the drafting process, they do not have a vote when the technical committees actually vote on a draft standard. In recent years, existing technical committees continue to develop standards but more foreign participation is being allowed in some cases. For example, the technical committee for cybersecurity standards has begun allowing foreign companies to participate in some standards development and setting, with a few U.S. and other foreign companies being allowed to vote and to participate at the working group level in standards development. However, foreign companies’ ability to participate in technical committee activities remains restricted.
China is also increasingly developing and mandating national algorithms for its encryption technology that differ from global standards. These standards are developed in technical committees that are closed to foreign participation.
The Chinese government has also supported the development of mandated domestic radio frequency identification (RFID) standards, without international participation or consensus, despite the fact that global standards for RFID already exist.
Coverage Horizontal
CHINA
Since 2001, amended in 2007, 2008 and 2020
Pillar Quantitative trade restrictions for ICT goods and online services |
Sub-pillar Export restrictions on ICT goods or online services
Announcement [2020] No. 38 to amend the Catalogue of Technologies Prohibited or Restricted from Export 关于调整发布《中国禁止出口限制出口技术目录》的公告 公告[2020]第38号
Announcement No. 38 amends the Catalogue of Technologies Prohibited or Restricted from Export, adding 23 categories of technologies to the list of technologies restricted from export and modifying the control parameters of 21 categories of technologies already included on that list. The announcement also removes certain products from the prohibited and restricted list, including information security firewall technology. The export of restricted products can only be undertaken after obtaining permission from the Chinese government, while export of technologies such as AI and interactive interface technologies is prohibited. Newly added categories of technologies, the export of which is restricted as a result of the amendments, include cryptographic security technologies, information countermeasure and defense technologies, 3D printing technologies, laser technologies, cryptographic chip design and implementation technology, information processing technology, and basic software security enhancement technology, among others.
Coverage Several technologies, including 3D printing, cryptographic chip design and implementation, information processing, basic software security enhancement
Sources
- http://www.mofcom.gov.cn/article/ae/sjjd/202008/20200802996696.shtml
- https://globalcompliancenews.com/china-amends-catalogue-of-technologies-prohibited-or-restricted-from-export01092020/
- http://www.mofcom.gov.cn/article/b/xxfb/202008/20200802996641.shtml
- https://www.taxathand.com/article/15346/China/2020/Catalogue-of-technologies-subject-to-export-restrictions-and-prohibitions-updated
- http://www.gov.cn/zhengce/zhengceku/2020-08/29/content_5538299.htm
CHINA
Reported in July 2016
Pillar Quantitative trade restrictions for ICT goods and online services |
Sub-pillar Export restrictions on ICT goods or online services
Export restrictions on rare-earths
It is reported that China imposes a set of export restrictions, including export duties and export quotas, on selected raw materials: graphite, cobalt, copper, lead, chromium, magnesia, talcum, tantalum, tin, antimony, and indium. Some of these raw materials (e.g. graphite, copper, tin, and indium) are used to produce smartphones and batteries. The export restrictions limit access to these products for companies outside China. In addition, a draft regulation on rare earths is pending approval to provide for total quota control over rare-earth mining, smelting, and separation, and the approval system for investment projects of rare earths.
Coverage Rare-earths
Sources
- http://www.wto.org/english/tratop_e/dispu_e/cases_e/ds431_e.htm
- http://www.wsj.com/articles/china-ends-rare-earth-minerals-export-quotas-1420441285
- http://www.statista.com/statistics/215216/chinese-rare-earth-element-export-quotas/
- https://www.wto.org/english/tratop_e/dispu_e/cases_e/ds508_e.htm
- https://www.globaltimes.cn/page/202101/1212941.shtml
- https://www.miit.gov.cn/gzcy/yjzj/art/2021/art_863f0f1671cf44b28e6ed8cb60eae7f6.html