According to Art. 14 of the Measures for the Administration of Internet Information Services, ISPs must provide user information to the authorities upon request, without judicial oversight.

A basic legal framework on intermediary liability for copyright infringement is absent in China's law and jurisprudence. A safe harbour defence for internet intermediaries providing hosting services is spelt out in the Guiding Framework on Protection of Copyright for Network Dissemination (Art. 14-17, 22). The hosting defence established in Art. 22, only applies to service providers who host third-party materials. However, Art. 36 of the Tort Law of the People's Republic of China states that a "network service provider" shall assume the tort liability if it infringes "upon the civil right or interest of another person."
Furthermore, the Tort Law allows victims of the tort to notify the network service provider to demand the deletion, blocking or disconnection of the cause of infringement. Failing to do so can lead to further liability for the network provider in the event of further harm to the user. Finally, liability can be further increased in the event that the network service provider knew of the infringement but did not take action.

A basic legal framework on intermediary liability beyond copyright infringement is absent in China's law and jurisprudence. A safe harbour defence for internet intermediaries providing hosting services is spelt out in the Guiding Framework on Protection of Copyright for Network Dissemination (Art. 14-17, 22). The hosting defence established in Art. 22, only applies to service providers who host third-party materials. However, Art. 36 of the Tort Law of the People's Republic of China states that a "network service provider" shall assume the tort liability if it infringes "upon the civil right or interest of another person."
Furthermore, the Tort Law allows victims of the tort to notify the network service provider to demand the deletion, blocking or disconnection of the cause of infringement. Failing to do so can lead to further liability for the network provider in the event of further harm to the user. Finally, liability can be further increased in the event that the network service provider knew of the infringement but did not take action.

Art. 6 of the "Provisions on the Management of Mobile Internet Applications’ Information Services" stipulates that application providers offering services such as information dissemination or instant messaging must verify the real identity information of individuals seeking to register. Such verification shall be conducted using credentials including mobile telephone numbers, identification numbers, or a unified social credit code. Where users fail to provide authentic identity information, or unlawfully appropriate the identity details of organisations or other individuals to falsify registration, the relevant services must not be made available to them.

Pursuant to Art. 21 of the Counter-Terrorism Law, providers of telecommunications, internet, and financial services are obligated to verify the identities of their customers or clients and to withhold services from those who refuse to supply such information.

Art. 4 of the Provisions on the Management of Internet Post Comments Services outlines the requirements for "post comment service providers" to verify the real identity information of registered users, adhering to the principle of "using a real name in the back end, while allowing either an alias or a real name at the front end." For individual users, identity verification may be conducted using mobile phone numbers and identification numbers. For corporate users, identity verification may be conducted through the use of uniform social credit codes. "Post comment services" refers to services provided by Internet websites, applications, and other website platforms of a public opinion nature or with the capacity to mobilize the public, for users to express text, code, emojis, pictures, audio, video, or other information through methods such as commenting, responding, leaving messages, realtime streaming comments, "liking", and so forth. Therefore, they include blogs, microblogs, instant messaging services, online discussion forums, news comment sections, among others.
The Provisions repealed a 2017 legislation of the same name, which already included a similar restriction in Art. 5.

According to the Administrative Measures on Internet Forum Community Service, providers of Internet forum community services are required to obtain and verify the identity information of users and enter into service agreements with them.

The Measures for the Administration of Internet Information Services requires that Internet Service Providers (ISPs) keep records of each service user’s time spent online, user account, IP address or domain name, phone number and other information for 60 days and provide that information to the authorised government authorities when required (Art. 14). In addition, the Decision on Strengthening Network Information Protection requires ISPs to cooperate with the government and provide technical support upon inquiry from the authorised government authorities (Art. 10).

Art. 23 of the "Regulations on Administration of Business Premises for Internet Access Services" stipulates that the operators of internet access service premises must verify and register the identity documents, such as identity cards, of individuals using internet services and must record relevant information concerning their internet usage. The particulars of these registrations and the associated backup records shall be retained for a minimum of 60 days and must be produced upon the lawful request of the cultural administrative authorities or public security organs, and such registration details and backup records shall not be altered or deleted during the prescribed retention period. Art. 2 provides that, for the purposes of these Regulations, "Internet access service premises" refers to commercial establishments such as internet cafés and computer leisure centres that provide internet access services to the public via computers or comparable devices.

Art. 14 of the "Provisions for the Administration of Internet Electronic Bulletin" requires electronic bulletin service providers to record all information posted on their systems, including the content, the time of publication, and the relevant Internet Protocol address or domain name, and to retain backups of these records for 60 days for provision to the competent state authorities upon lawful request. Art. 2 clarifies that, for the purposes of these Provisions, "electronic bulletin services" denotes facilities enabling Internet users to publish information online through interactive formats such as electronic noticeboards, electronic whiteboards, electronic forums, online chat rooms, and message boards.

Art. 52 of the Personal Information Protection Law requires the appointment of a data protection officer when the personal information handler meets specified conditions. In addition, under Arts. 55 and 56, a personal information protection impact assessment is required in certain circumstances.

Art. 27 of the Data Security Law mandates the designation of personnel responsible for overseeing data security. This obligation applies solely to processors of important data; however, the statute itself does not provide a definition of that category.

Art. 26 of the "Administrative Measures for the Online Payment Business of Non-Banking Payment Institutions" requires payment institutions to maintain secure and standardised online payment processing systems and their backup systems within the territory of China, supported by contingency plans to ensure operational continuity. It further provides that services for domestic transactions must be processed through these domestic systems and that the settlement of funds must also occur within China.

Arts. 8 and 9 of the Online Publishing Service Management Rules mandate that the servers and storage equipment of online publishers must be situated within the borders of China.

According to Section 13 of the Guiding Opinions on Encouraging and Regulating the Development of Internet Rental Bicycles, companies offering internet-based bicycle rental services are required to establish domestic servers and store operational data collected within China.