According to Art. 6 of the Interim Provisions of the People's Republic of China on the Management of International Networking of Computer Information Networks, computer information networks for direct international networking must use the international channels provided by the national public telecommunications network of the Ministry of Posts and Telecommunications. No unit or individual may establish or use other channels for international networking on their own. The public security authorities may issue a warning and impose a fine of up to RMB 15,000 (USD 2,200) on anyone who violates this provision. In addition, institutions or individuals are not allowed to use the international network to endanger national security, divulge state secrets, infringe upon national, social, and collective interests and the legitimate rights and interests of citizens, or engage in illegal and criminal activities. Institutions and individuals engaged in international networking services are required to file procedures in designated public security agencies within 30 days of the connection and accept the security supervision, inspection, and guidance of the public security authorities; for those who violate the measures, individuals and institutions can be fined in serious cases. The Provisions on Administrative Law Enforcement Procedures for Internet Information Content Management set out the procedural and administrative processes for the Cyberspace Administration of China to enforce the laws and regulations relating to Internet content.

The Circular on Clearing up and Regulating the Internet Access Service Market imposes government approval for telecom and Internet access providers to set up or rent a VPN. There are reports since 2017 that VPNs have been shut down, and individuals who set up or use VPNs have been punished.

China's telecom laws require all foreign firms that provide data centres or cloud computing services to enter into a joint venture with a Chinese firm and obtain an Internet data centre license.

Art. 4 of the Provisions on the Management of Internet Post Comments Services outlines the requirements for "post comment service providers" to verify the real identity information of registered users, adhering to the principle of "using a real name in the back end, while allowing either an alias or a real name at the front end." For individual users, identity verification may be conducted using mobile phone numbers and identification numbers. For corporate users, identity verification may be conducted through the use of uniform social credit codes. "Post comment services" refers to services provided by Internet websites, applications, and other website platforms of a public opinion nature or with the capacity to mobilize the public, for users to express text, code, emojis, pictures, audio, video, or other information through methods such as commenting, responding, leaving messages, realtime streaming comments, "liking", and so forth. Therefore, they include blogs, microblogs, instant messaging services, online discussion forums, news comment sections, among others.
The Provisions repealed a 2017 legislation of the same name, which already included a similar restriction in Art. 5.

The Internet Surfing Service Business Venue Management Rules apply to commercial venues that provide Internet surfing services to the public through computers connected to the Internet. According to the Rules, Internet surfing service businesses are required to record the users' authentic ID information and relevant surfing information, record back-ups, preserve such information for 60 days and provide the same to relevant governmental departments who make inquiries according to the law.

According to the Administrative Measures on Internet Forum Community Service and the Administrative Measures on Internet Comment, providers of Internet forum community services and providers of comment functions (together known as 'Speech Function Providers') are required to obtain and verify the identity information of users and enter into service agreements with them.

The Provisions for the Administration of Internet Electronic Bulletin apply to electronic bulletin services, which refer to electronic bulletin boards, electronic whiteboards, electronic forums, internet chat rooms, message boards, and other forms of interactive behaviour characterised by the provision of information dissemination for online customers.
The electronic bulletin service provider must record all information content published in the electronic bulletin service system, including the internet access time, user account, Internet address or domain name, caller's phone number, and other information. Such records must be kept for 60 days and provided to the relevant state authority when inquiries are made according to the law.

According to Art. 52 of the Personal Information Protection Law, if the volume of personal information processed reaches a threshold established by the Cyberspace Administration of China, the entity responsible for handling this data is required to appoint a personal information protection officer. However, it has been reported that the specific volume of personal information that would meet this threshold has yet to be determined. Furthermore, Art. 53 of the Law mandates that organisations established outside the borders of China must establish a dedicated entity or appoint a representative within China to oversee matters related to the personal information they process.

Under Art. 55 of the Personal Information Protection Law, a personal information handler must conduct a personal information protection impact assessment prior to: processing sensitive personal information; using personal information in automated decision-making; engaging an entrusted party to process personal information on the personal information handler's behalf; providing personal information to another personal information handler; disclosing personal information to the public; transferring personal information outside of China; or any processing activity that will have a material impact on the personal rights and interests of an individual. The personal information protection impact assessment must specify: whether the purpose(s) and method(s) of processing are lawful, legitimate, and necessary; the impact of the processing on individuals' rights and interests, and the level of risk involved; and whether the protective measures undertaken are lawful, effective, and commensurate to the degree of such risk.

The 2020 Personal Information Security Specification provides that personal information controllers shall appoint a person and a department responsible for personal information (PI) protection. The person responsible for PI protection must have relevant management experience and personal information protection expertise, participate in important decisions on personal information processing activities, and report directly to the principal of the organization.

Art. 21 of the Cybersecurity Law requires network operators to appoint persons in charge of cybersecurity. Critical information infrastructure operators (CIIO) are also required to set up specialised security management bodies and persons responsible for security management. Further, CIIO's must conduct security background checks on those responsible persons and personnel in critical positions.

Art. 35 of the Data Security Law stipulates that where public security or national security authorities need to consult any data in order to safeguard national security or investigate a crime, the relevant organizations and individuals must provide such data. The same article stipulates that before getting access to the data held by private organizations, public security or national security authorities must go through strict approval formalities in advance.

The Counter-espionage Law of the People's Republic of China permits security authorities to inspect the baggage, electronic devices and facilities of individuals suspected of espionage and obliges logistics and telecommunications companies in China to provide “technical support” to fight espionage (Art. 41). It is reported that the Law’s broad definition of agents may offer an avenue to justify gathering data from foreign firms and their employees while they conduct business in China. This could reportedly give the Chinese authorities access to sensitive company data or trade secrets under the guise of preventing foreign cyber espionage.

Art. 18 of the Counterterrorism Law requires Internet service providers and the telecommunication sector to “provide technical support and assistance, such as technical interface and decryption, to support the activities of the public security and state security authorities in preventing and investigating terrorist activities.”

The Provisions for the Supervision and Inspection of Network Security by Public Security Agencies authorise local law enforcement agencies to conduct remote or onsite inspections of the businesses under their supervision. Inspections must ensure compliance with general regulatory obligations on all businesses under the Cybersecurity Law or specific obligations applicable to internet service providers, including, but not limited to, the implementation of technical measures for network security and data protection that comply with national standards. During such an inspection, law enforcement agencies can physically enter business sites and machine rooms, review and copy relevant information and assess the operational conditions and effectiveness of the technical measures taken by the company to safeguard the security of networks and information.