China’s New Digital Measures Likely to Affect International Businesses and Travelers

The amended Cybersecurity Law strengthens state oversight of network operations and establishes a broader set of obligations for international companies operating in China.  The Chinese government now requires international companies to implement technical measures to protect data, report cybersecurity incidents within defined timeframes, conduct periodic security assessments, and maintain records of compliance for inspection. International companies are expected to integrate compliance into daily operations, maintain logs and audit trails, and be prepared for government inspections or requests for additional information.  

As an example of tighter restrictions international businesses can anticipate in the year ahead, Chinese authorities in September 2025 issued an administrative penalty, including a fine, to Christian Dior’s Shanghai subsidiary after it purportedly transferred Chinese customers’ personal information to its headquarters in France without completing the allegedly required data export procedures, including security assessments, standard contracts, or consent processes.  

International firms must also carefully understand areas where the law is ambiguous or enforcement guidelines are not fully public. Noncompliance can result in administrative penalties, operational restrictions, or suspension of services.  

The Measures for the Certification of Outbound Personal Information Transfer have established a formal process for international companies to obtain approval for exporting personal information from China. Organizations transferring certain volumes of personal data outside China must apply for certification, conduct risk assessments, implement technical protections such as encryption or desensitization, and maintain monitoring and documentation of the transfers.  

The measures build on guidance provided by the Cyberspace Administration of China in October 2025 stating that companies engaged in cross-border transfers, including technology firms and travel-related service providers, should complete certification before exporting data. The measures suggest that companies handling personal information for international transactions or operations are required to integrate certification procedures into their processes, including internal audits and coordination with regulators. Failure to comply may result in administrative penalties, restrictions on cross-border transfers, or temporary suspension of services.  

The new data export and cybersecurity measures are likely to influence operational planning for international businesses and travel-related service providers, as well as the handling of travelers’ personal information. Travelers’ data may be subject to additional verification and processing requirements by Chinese authorities when exported for services such as hotel bookings, airline reservations, and payment processing.  

International businesses, especially those in technology, cloud services, finance, e-commerce, and travel, will likely prioritize compliance by updating IT systems, implementing internal audit and reporting mechanisms, and documenting consent and security procedures. Service providers transferring large volumes of personal data outside China, including multinational corporations with headquarters abroad, are likely to be most affected.  

In 2026, companies may experience phased adjustments as Chinese regulators provide additional guidance, conduct inspections, and assess certification applications. Organizations handling sensitive categories of data, such as financial, travel-related, or similar information, and conducting operations involving non-Chinese nationals are likely to face closer scrutiny.  

International businesses can anticipate ongoing monitoring, audits, and potential operational restrictions if compliance measures are deemed to be incomplete, which may influence the planning of IT infrastructure, data storage, and international services.  

Learn more about leveraging intelligence to stay ahead of risks to your people and operations.