According to the Administrative Measures on Internet Forum Community Service and the Administrative Measures on Internet Comment, providers of Internet forum community services and providers of comment functions (together known as 'Speech Function Providers') are required to obtain and verify the identity information of users and enter into service agreements with them.

Intermediaries are effectively required to monitor content in order to comply with the copyright law. If they fail to do so, they face a variety of sanctions, including the withdrawal of their business license and/or criminal penalties. Additionally, a 2008 suit brought on by NuCom Online International against Shanghai TuDou Network Technology determined that, in cases where platforms failed to take reasonable action to stop an infringement, they can be held liable. This involved the upload of a movie which was very popular at the time of the lawsuit.

According to the Regulation on Protection of the Right to Network Dissemination of Information, intermediaries are obliged to obtain real identity information when providing internet access services and information publication services. Furthermore, it is required that users of blogs, microblogs, instant-messaging services, online discussion forums, news comment sections, and related services register with their real names and avoid spreading content that challenges national interests. Finally, according to the Counterterrorism Law (Art. 21) providers of telecommunication, internet, and financial services are required to conduct identity checks of their customers or clients and refuse to provide services to those that decline to provide such information. No implementing regulations have been issued yet. This requirement came into force via the implementing Regulation on the Management of Internet Posts and Comment Services in October 2017.

According to the Administrative Provisions on Information Services of Mobile Internet Application Program, app providers must ensure that new app users register with their real names by verifying users’ mobile phone numbers and/or other identity information.

A basic legal framework on intermediary liability beyond copyright infringement is absent in China's law and jurisprudence. On one hand, a safe harbor defense for internet intermediaries providing hosting services is spelt out in the Guiding Framework on Protection of Copyright for Network Dissemination (Art. 14-17, 22). The hosting defense established in Art. 22, only applies to service providers who host third-party materials. However, Art. 36 of the Tort Law of the People's Republic of China states that a "network service provider" shall assume the tort liability if it infringes "upon the civil right or interest of another person." Furthermore, the Tort Law allows victims of the tort can notify the network service provider to demand the deletion, blocking or disconnection of the cause of infringement. Failing to do so can lead to further liability for the network provider in the event of further harm to the user. Finally, liability can be further increased in the event that the network service provider knew of the infringement but did not take action.

According to Art. 14 of Decree No. 292, ISPs are required to provide user information to the authorities upon request, without judicial oversight or transparency.

A basic legal framework on intermediary liability for copyright infringement is absent in China's law and jurisprudence. On one hand, a safe harbor defense for internet intermediaries providing hosting services is spelt out in the Guiding Framework on Protection of Copyright for Network Dissemination (Art. 14-17, 22). The hosting defense established in Art. 22, only applies to service providers who host third-party materials. However, Art. 36 of the Tort Law of the People's Republic of China states that a "network service provider" shall assume the tort liability if it infringes "upon the civil right or interest of another person." Furthermore, the Tort Law allows victims of the tort can notify the network service provider to demand the deletion, blocking or disconnection of the cause of infringement. Failing to do so can lead to further liability for the network provider in the event of further harm to the user. Finally, liability can be further increased in the event that the network service provider knew of the infringement but did not take action.

Art. 18 of the Counterterrorism Law requires Internet service providers and telecommunication sector to “provide technical support and assistance, such as technical interface and decryption, to support the activities of the public security and state security authorities in preventing and investigating terrorist activities.”

The Provisions authorize local law enforcement agencies to conduct remote or onsite inspections of the businesses under their supervision. Inspections must be for the purpose of ensuring compliance with general regulatory obligations on all businesses under the Cybersecurity Law or specific obligations applicable to internet service providers, including, but not limited to, the implementation of technical measures for network security and data protection that comply with national standards. During such an inspection, law enforcement agencies can physically enter business sites, machine rooms, review and copy relevant information and assess the operational conditions and effectiveness of the technical measures taken by the company to safeguard the security of networks and information.

There are two articles in the State Security Law permitting the state security organ to accede, when necessary, to any information or data held by anyone in China. Art. 11 stipulates that ‘where state security requires, a state security organ may inspect the electronic communication instruments and appliances and other similar equipment and installations belonging to any organization or individual’ and Art. 18 ‘When a State security organ investigates and finds out any circumstances endangering State security and gathers related evidence, citizens and organizations concerned shall faithfully furnish it with relevant information and may not refuse to do so.’
The Counterespionage Law, which repealed the State Security Law, provides for state security organ personnel to gain entry to restricted regions, venues or units and to inspect, read or collect relevant archives, materials or items. Such access is permitted on the basis of relevant national regulations and upon approval and presentation of appropriate documents. Further, state security organ personnel can also check electronic communication tools, equipment and facilities in accordance with the regulations.

Art. 21 of the Cybersecurity Law requires network operators to appoint persons in charge of cybersecurity. Critical information infrastructure operators (CIIO) are also required to set up specialized security management bodies and persons responsible for security management. Further, CIIO's must conduct security background checks on those responsible persons and personnel in critical positions.

Art. 35 of the Data Security Law stipulates that where public security or national security authorities need to consult any data in order to safeguard national security or investigate a crime, the relevant organizations and individuals must provide such data. The same article stipulates that before getting access to the data held by private organizations, public security or national security authorities must go through strict approval formalities in advance.

The Personal Protection Law requires controllers to:
- Notify data subjects that its legal representative or principal person bears overall responsibility for the security of personal data;
- Appoint a data security officer (that must a full time position if the organization deals with personal data as its main line of business and employs over 200 people, or processes personal data for more than 500,000 people);
- Devise emergency plans to deal with security issues;
- Undertake security audits at least once per year;
- Provide training to relevant staff on data security at least once a year.

The 2020 Specification provides that personal information controllers shall appoint a person and a department responsible for personal information (PI) protection. The person responsible for PI protection must be someone who has relevant management experience and personal information protection expertise and shall participate in important decisions on personal information processing activities and report directly to the principal of the organization.

These provisions apply to electronic bulletin services. Electronic bulletin services refer to electronic bulletin boards, electronic whiteboards, electronic forums, internet chat rooms, message boards, and other forms of interactive behavior characterized by the provision of information dissemination for online customers.
The electronic bulletin service provider must record all information content published in the electronic bulletin service system as well as internet access time, user account, Internet address or domain name, caller's phone number and other information. Such record must be kept for 60 days and provide to the relevant State authority when inquired in accordance with the law.