According to Art. 10 of the Administrative Regulations for Online Publishing Services, Chinese-foreign equity joint ventures, Chinese-foreign cooperative ventures, and foreign-funded entities are prohibited from engaging in online publishing services. Moreover, according to Art. 8, any publisher of online content, including texts, pictures, maps, games, animations, audio, and videos, must store its necessary technical equipment, related servers, and storage devices in China. Furthermore, any online publication service unit needs to get prior approval from the State Administration of Radio, Film, and Television (SARFT) if they want to cooperate on a project with any foreign company, joint venture, or individual.

According to Art. 7 of the Telecom Regulations, a telecom operator must obtain a proper license for its telecom business. In accordance with Art. 8, telecom business is divided into basic telecom business and value-added telecom business. The Classification Catalogue of Telecom Business, attached to these Regulations, further divides basic telecom business and VAT business into different sub-categories, each requiring a corresponding license. One of the essential sub-categories of VAT business is called “Information Service”. The information service provided through the Internet is called “Internet Information Service”, which is usually referred to as Internet Content Provision (ICP) service. This is a very broad category and covers a wide range of online services, such as instant messaging, app stores, search engines, online communities, and online anti-virus services, among others. An ICP license is required for the ICP service. All websites with their own domain name that are hosted on the Chinese mainland territory are required to obtain an ICP license. Websites that are hosted outside of the Chinese mainland territory do not need to obtain it.
ICP filing is regulated by local regulations in each province. In general, requirements are similar in every province; for example, the core requirement fixed by Beijing municipality is that the website abides by the content laws in China and "should not contain materials related to terrorism, explosives, drugs, jurisprudence, gambling, and other illegal acts”. In addition, the following requirements and documents shall be prepared and provided:
- The domain name must be registered with a China-based domain name provider.
- The ICP Filing subject must be the domain name owner.
- For personal, a scanned copy or photo of the front and back of the ID card is required.
- For the company, a scanned copy or photo of the company’s registration certificate and scanned copies or photos of the front and back of the ID cards of the persons in charge of ICP Filing and the website.
- Other documents required by the local communications administration, such as a domain name certificate.
Websites are shut down, and companies can be blacklisted by the Chinese Ministry of Industry and Information Technology if they do not comply with the ministry's requirements.

According to Art. 5 of the Provisions on the Administration of Internet News Information Services, Internet news providers are required to obtain a permit to provide Internet news information services to the social public through Internet websites, application software, forums, blogs, microblogs, public account, instant messaging tools, online live streaming and other such methods. In addition, pursuant to Art. 6 of the Provisions, the applicant’s person-in-charge or chief editor must be a Chinese citizen, and the applicant shall have a legal person legally established within the territory of the People's Republic of China. Furthermore, the applicant must separately obtain an Internet Content Provider (ICP) license or an ICP filing from telecom industry regulators. According to Art. 16 of the law, without an ICP number, a website can be shut down by the hosting provider with no notice.
Furthermore, all privately operated news services are obligated to have their operations overseen by personnel endorsed by the ruling party. Editorial staff working on these platforms need approval from national or local government internet and information offices, and their employees are required to undergo training and obtain reporting credentials from the central government. The Provisions on Administrative Law Enforcement Procedures for Internet Information Content Management set out the procedural and administrative processes for the Cyberspace Administration of China to enforce the laws and regulations relating to Internet content.

According to Art. 6 of the Interim Provisions of the People's Republic of China on the Management of International Networking of Computer Information Networks, computer information networks for direct international networking must use the international channels provided by the national public telecommunications network of the Ministry of Posts and Telecommunications. No unit or individual may establish or use other channels for international networking on their own. The public security authorities may issue a warning and impose a fine of up to RMB 15,000 (USD 2,200) on anyone who violates this provision. In addition, institutions or individuals are not allowed to use the international network to endanger national security, divulge state secrets, infringe upon national, social, and collective interests and the legitimate rights and interests of citizens, or engage in illegal and criminal activities. Institutions and individuals engaged in international networking services are required to file procedures in designated public security agencies within 30 days of the connection and accept the security supervision, inspection, and guidance of the public security authorities; for those who violate the measures, individuals and institutions can be fined in serious cases. The Provisions on Administrative Law Enforcement Procedures for Internet Information Content Management set out the procedural and administrative processes for the Cyberspace Administration of China to enforce the laws and regulations relating to Internet content.

The Circular on Clearing up and Regulating the Internet Access Service Market imposes government approval for telecom and Internet access providers to set up or rent a VPN. There are reports since 2017 that VPNs have been shut down, and individuals who set up or use VPNs have been punished.

Pursuant to Art. 21 of the Counter-Terrorism Law, providers of telecommunications, internet, and financial services are obligated to verify the identities of their customers or clients and to withhold services from those who refuse to supply such information.

Art. 4 of the Provisions on the Management of Internet Post Comments Services outlines the requirements for "post comment service providers" to verify the real identity information of registered users, adhering to the principle of "using a real name in the back end, while allowing either an alias or a real name at the front end." For individual users, identity verification may be conducted using mobile phone numbers and identification numbers. For corporate users, identity verification may be conducted through the use of uniform social credit codes. "Post comment services" refers to services provided by Internet websites, applications, and other website platforms of a public opinion nature or with the capacity to mobilize the public, for users to express text, code, emojis, pictures, audio, video, or other information through methods such as commenting, responding, leaving messages, realtime streaming comments, "liking", and so forth. Therefore, they include blogs, microblogs, instant messaging services, online discussion forums, news comment sections, among others.
The Provisions repealed a 2017 legislation of the same name, which already included a similar restriction in Art. 5.

According to the Administrative Measures on Internet Forum Community Service and the Administrative Measures on Internet Comment, providers of Internet forum community services and providers of comment functions (together known as 'Speech Function Providers') are required to obtain and verify the identity information of users and enter into service agreements with them.

According to Art. 19 of the Counter-Terrorism Law issued in 2016, telecom operators and Internet service providers shall establish content monitoring and network security programs. Likewise, companies are required to adopt precautionary security measures to prevent the dissemination of information on extremism, report terrorism information to the authorities in a timely manner, keep original records, and promptly delete such messages to prevent further circulation. The law introduces both pecuniary fines and detentions up to 15 days for telecommunications operators and ISPs personnel who fail to “stop transmission” of terrorist or extremist content, “shut down related services,” or implement “network security” measures to prevent the transmission of such content.

According to Art. 7 of the Administrative Provisions on Information Services of Mobile Internet Application Programs, app providers are required to monitor online content and report violations to government authorities. App providers and app stores must not use apps to endanger national security, disrupt the public order, or produce, reproduce, publish, or disseminate content banned by laws and regulations, according to the Provisions. In addition, app providers must monitor banned content and take action against users that publish banned content by issuing warnings, restricting functions, stopping updates, or terminating accounts. They must also keep a record of the violations and report the matters to relevant government authorities. In addition, according to Art. 8, app stores are required to verify the legitimacy of app providers and ensure app providers protect user information and publish lawful content. App stores are required to take action against offending app providers by issuing warnings, suspending their publications, or removing the aberrant apps from the stores. App stores are also required to keep records of the violations and report them to the relevant government authorities.

Under Art. 55 of the Personal Information Protection Law, a personal information handler must conduct a personal information protection impact assessment prior to: processing sensitive personal information; using personal information in automated decision-making; engaging an entrusted party to process personal information on the personal information handler's behalf; providing personal information to another personal information handler; disclosing personal information to the public; transferring personal information outside of China; or any processing activity that will have a material impact on the personal rights and interests of an individual. The personal information protection impact assessment must specify: whether the purpose(s) and method(s) of processing are lawful, legitimate, and necessary; the impact of the processing on individuals' rights and interests, and the level of risk involved; and whether the protective measures undertaken are lawful, effective, and commensurate to the degree of such risk.

The 2020 Personal Information Security Specification provides that personal information controllers shall appoint a person and a department responsible for personal information (PI) protection. The person responsible for PI protection must have relevant management experience and personal information protection expertise, participate in important decisions on personal information processing activities, and report directly to the principal of the organization.

Art. 21 of the Cybersecurity Law requires network operators to appoint persons in charge of cybersecurity. Critical information infrastructure operators (CIIO) are also required to set up specialised security management bodies and persons responsible for security management. Further, CIIO's must conduct security background checks on those responsible persons and personnel in critical positions.

Art. 35 of the Data Security Law stipulates that where public security or national security authorities need to consult any data in order to safeguard national security or investigate a crime, the relevant organizations and individuals must provide such data. The same article stipulates that before getting access to the data held by private organizations, public security or national security authorities must go through strict approval formalities in advance.

The Counter-espionage Law of the People's Republic of China permits security authorities to inspect the baggage, electronic devices and facilities of individuals suspected of espionage and obliges logistics and telecommunications companies in China to provide “technical support” to fight espionage (Art. 41). It is reported that the Law’s broad definition of agents may offer an avenue to justify gathering data from foreign firms and their employees while they conduct business in China. This could reportedly give the Chinese authorities access to sensitive company data or trade secrets under the guise of preventing foreign cyber espionage.