
CHINA

Since July 2001, last amended in December 2023

Pillar Quantitative trade restrictions for ICT goods and online services  |  Indicator Export restrictions on ICT goods or online services
Announcement No. 57 of 2023 of the Ministry of Commerce and the Ministry of Science and Technology on the Announcement of the Catalogue of Technologies Prohibited or Restricted from Export from China (商务部 科技部公告2023年第57号 关于公布 (中国禁止出口限制出口技术目录) 的公告)
In December 2023, China's Ministry of Commerce (MOFCOM) and Ministry of Science and Technology (MOST), through Announcement No. 57 of 2023, published a revised Catalog of Technologies that are Prohibited or Restricted for Export; the Catalog had last been updated in August 2020. Following a draft revision published for public comment in December 2022, the updated Catalog reduces the number of controlled items (requiring prior government authorization for export) from 164 to 134, with 34 items deleted, 4 added and 37 modified, including dual-use technologies under export control management.
The list of items prohibited for export includes technologies such as encryption and decryption software and hardware. On the other hand, among the products included in the list of restricted goods are cryptographic security technologies, countermeasure and information defense technologies, 3D and laser printing technologies, cryptographic chip design and implementation, information processing technology and basic software security enhancement technology.
Coverage Several technologies, including 3D printing, cryptographic chip design and implementation, information processing, basic software security enhancement

CHINA

Reported in 2016, last reported in 2023

Pillar Quantitative trade restrictions for ICT goods and online services  |  Indicator Export restrictions on ICT goods or online services
Export restrictions on rare-earths
It is reported that China imposes a set of export restrictions, including export duties and export quotas, on selected raw materials: graphite, cobalt, copper, lead, chromium, magnesia, talcum, tantalum, tin, antimony, and indium. Some of these raw materials (e.g. graphite, copper, tin, and indium) are used to produce smartphones and batteries. Export restrictions limit companies' access to these products outside China. In addition, a draft regulation on rare earths is pending approval to provide for total quota control over rare-earth mining, smelting, and separation, as well as the approval system for investment projects of rare earths.
Coverage Rare-earths

CHINA

Reported in 2020, last reported in 2023

Pillar Technical standards applied to ICT goods and online services  |  Indicator Open and transparent standard-setting process
Lack of foreign participation in standard-setting
It is reported that the Chinese Government is working to improve its standards system by incorporating both government guidance and market input, moving away from a solely government-led approach. Despite this progress, foreign participation in standards setting remains limited, and China often pursues unique national standards for strategic reasons. The revised Standardisation Law, effective since January 2018, includes measures recognising the value of international standards and the participation of foreign-invested enterprises. However, foreign stakeholders are concerned that these measures still prioritise Chinese standards over international ones and do not ensure equal participation for foreign companies. Reports indicate that foreign companies often face restrictions in participating in China's domestic standards-setting processes, and even when participation is allowed, it is usually under less favourable terms than for domestic competitors.
Coverage Horizontal

CHINA

Since January 1996
Since June 2001
Since August 2003

Pillar Technical standards applied to ICT goods and online services  |  Indicator Self-certification for product safety
State Radio Regulation of China (SRRC) (无线电设备型号核)

Network Access License (NAL) (进网许可证)

China Compulsory Certification (CCC) Requirement (中国强制认证(CCC)要求)
China’s current certification requirements for telecommunications equipment are reported to conflict with its WTO obligations of limiting imported products to no more than one conformity assessment scheme and requiring the same mark for all products (Article 13.4.a of China’s WTO Accession).
China has three different licensing regimes: the State Radio Regulation of China (SRRC), the Network Access License (NAL) and the China Compulsory Certification (CCC). The CCC is required for a list of products that includes many types of IT products, such as video and audio equipment. The NAL is required for all telecommunications equipment in China. The NAL license requires extensive testing and support and may include network trials and review of the product by a local panel of experts, in addition to laboratory testing against China's national standards. Radio communication equipment intended to be marketed in China requires radio-type approval granted by the State Radio Regulation Committee (SRRC) of the Ministry of Industry and Information Technology of the People’s Republic of China (MIIT). Specified equipment samples are tested in designated laboratories according to local Chinese standards.
Therefore, for a given piece of equipment, it can cost between USD 30,000 and 35,000 to test for all three licenses (SRRC, NAL, and CCC). The CCC mark is used for both Chinese and foreign products. Moreover, all testing for the CCC mark must be conducted in China, and US exporters are often required to submit their products to Chinese laboratories for additional tests.
The CCC certificate and permission to print the CCC mark must be renewed annually as part of a follow-up certification. Part of the follow-up certification is also a one-day factory audit.
China is also reported as having limitations on foreign-invested conformity assessment bodies in the country.
Coverage Electrical and ICT goods

CHINA

Since June 2007
Since December 2019
Since December 2019
Since December 2019

Pillar Technical standards applied to ICT goods and online services  |  Indicator Self-certification for product safety
Administrative Measures for the Multi-level Protection of Information Security

Information Security Technology - Baseline for Cybersecurity Classification Protection (GB/T 22239-2019)

Information Security Technology - Technical Requirements of Security Design for Cybersecurity Classification Protection (GB/T 25070-2019)

Information Security Technology - Evaluation Requirements for Cybersecurity Classification Protection (GB/T 28448-2019)
The Administrative Measures for the Multi-level Protection of Information Security (MLPS) require all IT systems in China to be classified into different levels of security, from one to five (with the most sensitive systems designated as level 5). In 2019, the MLPS 2.0 (composed of GB/T 22239-2019, GB/T 25070-2019, and GB/T 28448-2019) expanded the definition of 'information systems' to broader systems, including network infrastructure, cloud computing systems, mobile application platforms, connected devices and industrial control systems.
The MLPS 2.0 requires networks of level 3 and above to adopt network products and services appropriate to their security protection levels. Companies classified as level 2 and above require the procurement and use of encryption products and services to be preapproved by the Chinese government. Under the MLPS 2.0, companies must self-assess their security management and compliance, and such assessment results must be evaluated and endorsed by the MLPS regulatory body.
The MLPS 2.0 requires companies in China to set up their cloud infrastructure, including servers, virtualised networks, software, and information systems. Such cloud infrastructures are subject to testing and evaluation by the Chinese government. Overseas operation and maintenance of Chinese cloud computing platforms must also follow Chinese laws and regulations. The national standards also state that customers' data and users' personal information processed by cloud service providers should be stored inside China, which is an additional requirement. It is currently uncertain how these national standards would be enforced, and there have not yet been reports of enforcement.
Coverage Information Systems including network infrastructure, cloud computing systems, mobile application platforms, connected devices and industrial control systems

CHINA

Since July 2015

Pillar Technical standards applied to ICT goods and online services  |  Indicator Product screening and additional testing requirements
National Security Law of the People's Republic of China (中华人民共和国国家安全法)
The National Security Law foresees the rollout of a “secure and controllable” internet infrastructure. Under the National Security Law, the State can establish national security review and oversight management systems and mechanisms, and conduct a national security review of foreign commercial investment, special items and technologies, internet information technology products and services, projects involving national security matters, as well as other major matters and activities that impact or might impact national security.
Coverage Horizontal

CHINA

Since July 1999
Since October 2019

Pillar Technical standards applied to ICT goods and online services  |  Indicator Product screening and additional testing requirements
Regulation on Commercial Encryption (关于商业加密的规定)

Cryptography Law of the People's Republic of China, 2019 (中华人民共和国密码法, 2019年)
Imported and exported encryption products must be certified by the Office of State Commercial Cryptography Administration (OSCCA). The use of encryption products without OSCCA certification is prohibited, regardless of the public, commercial or individual nature of use. However, it is reported that, in practice, only Chinese or Chinese-owned companies are eligible for OSCCA certification to sell, produce and carry out R&D for encryption technology in China, as well as to gain product licensing. Foreign or foreign-owned companies, even if based in China, are excluded. In 2007, OSCCA started to consider products such as Trusted Platform Module (used in computers) or smartcards (used in banking, insurance, health, transport, etc.) as core encryption products. As a result, such products could no longer be produced or sold by foreign or foreign-invested companies.
Under the Cryptography Law, the import and export of commercial encryption products, technologies and services remain subject to government approval. Commercial encryption products that may affect national security and public interest and have encryption-based protective functions can only be imported under a permit. The Ministry of Commerce, together with the OSCCA and the General Administration of Customs, will issue catalogues of commercial encryption products that are subject to the above import permit and export controls. The requirements above will not apply to commercial encryption used in "products for consumption by the general population". However, the Cryptography Law does not define the term, leaving it unclear how this will be implemented in practice.
The Cryptography Law has removed the requirement for mandatory certification and has instead established a voluntary certification scheme, which encourages manufacturers to apply to qualified agencies for the testing and certification of their commercial encryption products. The products in the Product Catalogue will no longer be subject to mandatory approval requirements before they are launched. The product catalogue includes smart password keys, smart IC cards, ATM application systems, security authentication, and financial data encryption machines, among others.
Coverage Encryption products

CHINA

Since 2009

Pillar Technical standards applied to ICT goods and online services  |  Indicator Restrictions on encryption standards
WAPI Wireless Local Area Network (WLAN) Standard WAPI (无线局域网 (WLAN) 标准)
It is reported that a locally developed encryption standard (WAPI) is required to be used in all wireless equipment despite the existing international standard IEEE 802.11i.
Coverage Wi-Fi enabled devices

CHINA

Since December 2001, entry into force in January 2002, last amended in April 2022

Pillar Content access  |  Indicator Licensing schemes for digital services and applications
Provisions on Administration of Foreign-Invested Telecommunications Enterprises (外商投资电信企业管理规定)
China's telecom laws require all foreign firms that provide data centres or cloud computing services to enter into a joint venture with a Chinese firm and obtain an Internet data centre license.
Coverage Data centers and cloud storage services

CHINA

Since November 2022

Pillar Intermediary liability  |  Indicator User identity requirement
Provisions on the Management of Internet Post Comments Services (互联网跟帖评论服务管理规定)
Art. 4 of the Provisions on the Management of Internet Post Comments Services outlines the requirements for "post comment service providers" to verify the real identity information of registered users, adhering to the principle of "using a real name in the back end, while allowing either an alias or a real name at the front end." For individual users, identity verification may be conducted using mobile phone numbers and identification numbers. For corporate users, identity verification may be conducted through the use of uniform social credit codes. "Post comment services" refers to services provided by Internet websites, applications, and other website platforms of a public opinion nature or with the capacity to mobilize the public, for users to express text, code, emojis, pictures, audio, video, or other information through methods such as commenting, responding, leaving messages, real-time streaming comments, "liking", and so forth. Therefore, they include blogs, microblogs, instant messaging services, online discussion forums, and news comment sections, among others.
The Provisions repealed 2017 legislation of the same name, which already included a similar restriction in Art. 5.
Coverage "Post comment service providers"

CHINA

Since August 2017
Since August 2017

Pillar Intermediary liability  |  Indicator User identity requirement
Administrative Measures on Internet Forum Community Service (互联网论坛社区服务管理规定)

Administrative Measures on Internet Comment (关于互联网评论的行政措施)
According to the Administrative Measures on Internet Forum Community Service and the Administrative Measures on Internet Comment, providers of Internet forum community services and providers of comment functions (together known as 'Speech Function Providers') are required to obtain and verify the identity information of users and enter into service agreements with them.
Coverage Internet forum community services and providers of comment functions

CHINA

Since December 2015, entry into force in January 2016, last amended in April 2018

Pillar Intermediary liability  |  Indicator Monitoring requirement
Counterterrorism Law of the People's Republic of China (中华人民共和国反恐怖主义法)
According to Art. 19 of the Counter-Terrorism Law issued in 2016, telecom operators and Internet service providers shall establish content monitoring and network security programs. Likewise, companies are required to adopt precautionary security measures to prevent the dissemination of information on extremism, report terrorism information to the authorities in a timely manner, keep original records, and promptly delete such messages to prevent further circulation. The law introduces both pecuniary fines and detentions of up to 15 days for personnel of telecommunications operators and ISPs who fail to “stop transmission” of terrorist or extremist content, “shut down related services,” or implement “network security” measures to prevent the transmission of such content.
Coverage Telecommunications sector and Internet Service Providers (ISPs)

CHINA

Since June 2016, entry into force in August 2016

Pillar Intermediary liability  |  Indicator Monitoring requirement
Administrative Provisions on Information Services of Mobile Internet Application Programs (移动互联网应用程序的信息服务管理规定)
According to Art. 7 of the Administrative Provisions on Information Services of Mobile Internet Application Programs, app providers are required to monitor online content and report violations to government authorities. App providers and app stores must not use apps to endanger national security, disrupt the public order, or produce, reproduce, publish, or disseminate content banned by laws and regulations, according to the Provisions. In addition, app providers must monitor banned content and take action against users that publish banned content by issuing warnings, restricting functions, stopping updates, or terminating accounts. They must also keep a record of the violations and report the matters to relevant government authorities. In addition, according to Art. 8, app stores are required to verify the legitimacy of app providers and ensure app providers protect user information and publish lawful content. App stores are required to take action against offending app providers by issuing warnings, suspending their publications, or removing the aberrant apps from the stores. App stores are also required to keep records of the violations and report them to the relevant government authorities.
Coverage Internet app providers and mobile Internet app stores

CHINA

Since December 2019, entry into force in March 2020

Pillar Intermediary liability  |  Indicator Monitoring requirement
Provisions on the Governance of the Online Information Content Ecosystem (网络信息内容生态治理规定)
Under Chapter III of the Provisions on the Governance of the Online Information Content Ecosystem, content service platforms are obligated to establish and implement a governance framework aimed at fostering a "network information content ecology" in accordance with the Provisions. The platforms are also encouraged to promote permissible information and prohibit forbidden content, while being required to prevent the dissemination of information deemed necessary to suppress. Art. 34 further mandates that platforms adopt appropriate measures against individuals or entities responsible for producing, copying, or disseminating prohibited information. These measures may include issuing warnings, requiring corrections or other forms of rectification, imposing functional restrictions, suspending updates, and closing accounts, in accordance with relevant laws and contractual obligations. Additionally, under Art. 10, platforms are required to promptly remove illegal content, maintain records of such activities, and report these matters to the relevant authorities. Furthermore, Arts. 13, 14 and 15 stipulate that platforms must, among other obligations, develop and provide online products and services suitable for minors, enhance the monitoring and regulation of displayed advertisements, and establish a credit management system for user accounts, along with providing corresponding services as necessary.
Art. 41 of the Provisions specifies that the content service platforms mentioned in these Provisions refer to network information service providers that offer services for the dissemination of network information content.
Coverage Network information content service platforms

CHINA

Since August 2017
Since August 2017

Pillar Intermediary liability  |  Indicator Monitoring requirement
Administrative Measures on Internet Forum Community Service (互联网论坛社区服务管理规定)

Administrative Measures on Internet Comment (关于互联网评论的行政措施)
According to the Administrative Measures on Internet Forum Community Service and the Administrative Measures on Internet Comment, providers of Internet forum community services and providers of comment functions (together known as 'Speech Function Providers') are required to monitor the posts and comments, take action and report to the Cyberspace Administration of China if prohibited information has been published or discovered. In such situations, Speech Function Providers are required to cease transmission of the content, delete content or comments, restrict the comment function, close user accounts or sub-forums and revoke administrator powers (in the case of a forum). For news-related comment functions, the comments must be censored before being published. Speech Function Providers are also required to set up a complaints procedure in relation to posts and comments.
Coverage Internet Forum Community Services and Providers of Comment Functions
