China Newsletter | Q4 2025 Issue No. 66

This China Newsletter provides an overview of key developments in the following areas:

1. Corporate
   • China Introduces Mandatory Company Deregistration Rules
   • Two Ministries Issue Credit Repair Administrative Measures
2. Data Privacy & Cybersecurity
   • China Issues Measures for the Certification of the Cross-Border Transfer of Personal Information
   • New Compliance Focus Under Amendments to China's Cybersecurity Law
3. Foreign Investment
   • Government Releases the 2025 Edition of the Catalogue of Industries for Encouraging Foreign Investment (Catalogue)
4. International Trade
   • Maritime Law Undergoes First Comprehensive Overhaul in Three Decades
   • Regulators Adopt Revisions to the Foreign Trade Law of the People's Republic of China
5. Labor
   • MOHRSS Issues Opinions on Several Issues Concerning the Implementation of the Regulations on Work-Related Injury Insurance

Corporate

China Releases New Rules for Compulsory Cancellation of Company Registration 《强制注销公司登记制度实施办法》

On Oct. 10, 2025, China formally implemented the Administrative Measures for the Compulsory Deregistration of Company Registration (measures), issued by the State Administration for Market Regulation (SAMR). The regulation establishes a statutory framework for governmental authorities to forcibly deregister companies that have remained inactive for extended periods. As of the date of this GT Newsletter, the government has already targeted over 290,000 companies for compulsory deregistration nationwide, signaling that strong regulatory enforcement may continue.

Background and Purpose

The measures build on 2023 amendments to the People's Republic of China Company Law, which introduced the concept of compulsory deregistration to address "zombie companies"— entities that remain registered but are effectively defunct. The primary objective of such compulsory deregistration mechanism is to clean up the corporate registry by removing long-dormant companies that fail to voluntarily deregister after regulatory actions, such as license revocation. By eliminating these inactive entities, the measures aim to free up market resources, reduce administrative burdens, and promote fair competition.

Scope of Application

The measures apply to companies that have had their business license revoked, have been ordered to close down, or have faced similar administrative sanctions, and subsequently fail to apply for voluntary deregistration within three years of such actions.

Procedures for Compulsory Deregistration

The process involves the following steps:

• Initiation by Registration Authority: The SAMR or local registration authorities identify eligible companies and prepare for action.
• Public Announcement: Authorities publish a 90-day notice on the National Enterprise Credit Information Publicity System, allowing stakeholders to review and respond.
• Objection Period: Creditors, shareholders, or other interested parties may submit objections in writing or via the online system. Valid objections (e.g., unresolved debts or ongoing litigation) will halt the process.
• Decision and Execution: If no parties raise valid objections, the authority issues a deregistration decision, invalidating the business license and terminating the company's legal status. The authority serves its decision via public announcement if it cannot make direct contact.

The company will be formally dissolved after the compulsory deregistration procedure, and its name will be struck off in the company registry systems.

Safeguards and Reliefs for Stakeholders

Importantly, compulsory deregistration does not relieve shareholders, directors, or other responsible parties of ongoing liabilities related to the dissolved company, including joint and several liabilities for unpaid debts of the company, unfulfilled capital contributions, or other legal obligations.

Even after the SAMR has dissolved through compulsory deregistration, creditors or other stakeholders may apply to the local SAMR for restoration of the company registration within three years following the completion of compulsory deregistration. This relief may be available when the dissolved company is still involved in:

• ongoing investigation, administrative enforcement, or unexecuted administrative penalties;
• ongoing litigation, arbitration, mediation, enforcement or other legal proceedings; or
• ongoing liquidation or bankruptcy proceedings.

Furthermore, restoration does not resume a company's normal business operations. Instead, the restored company must promptly initiate liquidation procedures in accordance with the law and apply for deregistration upon completion of liquidation. During this period, the company is prohibited from engaging in any business activities unrelated to liquidation. If the company does not complete liquidation procedures within three years upon restoration, the SAMR is still entitled to forcibly deregister the company.

Potential Implications

Foreign investors should remain vigilant if they have dormant subsidiaries in China to potentially avoid involuntary deregistration, which could complicate asset recovery or liability management. On the other hand, stakeholders or creditors may also leverage the relief mechanisms available under the measures to seek remedies from dormant debtors.

Two Ministries Issue Credit Repair Administrative Measures 国家两部委发布两部信用修复管理办法

In November 2025, in line with central policies on credit system development and corresponding administrative regulations, the National Development and Reform Commission (NDRC) and the SAMR respectively issued the Credit Repair Administrative Measures and the revised Administrative Measures for Credit Repair in Market Regulation. Together, these policies cover both nationwide credit repair and sector-specific scenarios in market regulation. They unify rules, simplify procedures, and provide enterprises with clear grounds to correct dishonest conduct. The NDRC and SAMR have started phasing in these new rules, and companies should pay attention to scope and operational details.

The NDRC's Credit Repair Administrative Measures, released Nov. 20, 2025, take effect April 1, 2026, and apply across the national credit platform, Credit China, and local credit platforms, with industry systems able to adopt them by reference. These measures classify dishonest information as minor, general, or serious: minor cases are generally not disclosed; general cases are disclosed for three months to one year; serious cases are disclosed for one to three years. Only after the disclosure period expires may stakeholders request repair. Stakeholders may submit applications through Credit China and forward them to the relevant authority, with results due within 10 working days. Applicants must provide proof of fulfilling legal obligations and a credit commitment letter. Enterprises undergoing bankruptcy reorganization may apply for temporary shielding of dishonest information with a court ruling. Fraudulent applications will be revoked and disclosure periods recalculated.

SAMR's revised Administrative Measures for Credit Repair in Market Regulation, issued Nov. 21, 2025, took effect Dec. 25, 2025, and apply only to market regulation scenarios, such as removal from the business anomaly list or cessation of administrative penalty disclosures. Dishonest information is also divided into minor, general, and serious categories, with fines below RMB 50,000 for business entities defined as minor. The time limit for repairing entries in the business anomaly list is five working days, while administrative penalties and serious dishonesty lists require 15 working days. Applications must include a credit commitment letter and proof of obligations fulfilled and can be processed both online and offline free of charge. The measures establish a collaborative mechanism to ensure that "repair in one place is recognized across the network." Fraudulent applications will be revoked.

Data Privacy & Cybersecurity

China Issues Measures for the Certification of the Cross-Border Transfer of Personal Information 《个人信息出境认证办法》

China's cyberspace regulator, Cyberspace Administration of China (CAC), and the market regulator, SAMR, jointly issued the Measures for the Certification of Personal Information Cross-Border Transfer (Certification Measures), which took effect Jan. 1, 2026. Building on the Personal Information Protection Law (PIPL), this voluntary framework offers a certification pathway for covered companies transferring personal information collected while doing business in mainland China overseas for further processing. In practice, the certification path is most relevant for organizations that frequently engage in cross-border transfer of personal information within a defined and repeatable scope (including intra-group scenarios), and that meet the Certification Measures' eligibility thresholds. While Standard Contractual Clauses (SCC) have been popular, the Certification Measures provide an alternative for cross-border data transfers (CBDT), enabling a seal of approval from accredited certification institutions.

The PIPL made certification a compliance path for personal information exports in 2021 by listing "personal information protection certification" as one of the mechanisms for lawful cross-border data transfer. But in practice, there has been limited clarity on how companies might operationalize this pathway. For example, certain tech companies obtained certifications from the China Cybersecurity Review Certification and Market Regulation Big Data Center (CCRC) in early 2024. However, those early certifications were issued against a backdrop of evolving technical specifications and lacked a comprehensive regulatory framework. The Certification Measures now provide a dedicated, binding implementation framework for the certification path — including eligibility thresholds, application steps, certificate validity, and regulatory supervision. The new measures add regulatory certainty through clear eligibility criteria, procedures, and professional standards, and should be read together with CAC's 2024 "cross-border data flow" rules, which set the current threshold-based allocation among security assessment, standard contract/certification, and exemptions.

Key Features for the Certification Mechanism and the Certification Measures

1. Target Users: particularly suitable in practice for multinational corporate groups with frequent and regular intra-group transfers of personal information (such as human resources-related personal information and customer personal information), provided that such transfers will not trigger a mandatory security assessment by CAC. A mandatory security assessment will be triggered in any of the following circumstances:

• the data export being a critical information infrastructure operator (CIIO);
• exporting more than 1 million individuals' personal information annually; or
• exporting sensitive personal information of more than 10,000 individuals.

2. Oversight by Accredited Third Party: Unlike the standard contract regime (which centers on executing the CAC "standard contract" and filing under CAC rules), certification is issued by a "professional certification institution" that has obtained the relevant certification qualification and completed CAC filing. The certification covers data exporters' overall cross-border transfer program rather than requiring transaction-by-transaction documentation.

3. Continuous Compliance: Certification involves ongoing monitoring to ensure data protection remains at the PIPL-standard level required for overseas recipients (i.e., exporters must take "necessary measures" to ensure overseas processing meets the PIPL's personal information protection standards). Certificates are valid for three years, with renewal applications due six months before expiration. Certification bodies must conduct post-certification supervision (with frequency determined by the certifier) and report any material non-compliance to the CAC.

Accredited Certification Bodies

As of this article, CAC has published three authorized certification bodies that can accept export certification applications, with all institutions having governmental background:

1. CCRC, an affiliate of SAMR, the key market regulator in China;
2. CAC Data and Technology Support Center, an affiliate of CAC;
3. Beijing CESI Certification Co., Ltd., a subsidiary of China Electronic Standardization Institute under the Ministry of Industry and Information Technology (MIIT).

Continuing Obligations Under Certification

Opting for certification does not relieve data exporters of their substantive obligations under PIPL. Companies using the certification approach to legitimize a cross-border data transfer must still:

• Obtain separate consent from data subjects for the outbound transfer;
• Complete a Personal Information Protection Impact Assessment (PIA) prior to certification application;
• Fulfill notification obligations to data subjects regarding the transfer purpose, recipient identity, and processing methods;
• Maintain records of the PIA and certification materials for three years.

Conclusion

In practice, the certification path is typically more "programmatic" than a one-off filing for CBDT, but it also introduces third-party assessment and ongoing supervision expectations. For multinational companies, certification demands more intensive upfront work than SCCs, but the long-term payoff may prove substantial: a holistic, group-wide compliance framework more efficient than managing dozens or hundreds of individual SCCs. Companies with mature privacy programs, stable intra-group data architectures, and sufficient scale to justify the higher professional fees (typically more than SCC preparation) may wish to consider the certification option.

New Compliance Focus Under Amendments to China' Cybersecurity Law. 《中华人民共和国网络安全法》修订

In October 2025, China passed the first major amendments to its Cybersecurity Law (CSL) since the legislation came into force in 2017. The updated rules took effect on Jan. 1, 2026. The amendments bring sharper teeth to enforcement — fines may now reach RMB 10 million for companies and RMB 1 million for individuals — while expanding regulatory reach beyond China's borders and express statutory treatment of AI governance within the cybersecurity framework.

Expanded Extraterritorial Jurisdiction

The amended CSL broadens extraterritorial reach beyond critical information infrastructure (CII) to cover all activities endangering China's cybersecurity. This amendment provides Chinese regulators with clearer statutory footing to assert jurisdiction over (i) overseas network activities affecting Chinese networks or users, (ii) cross-border data-processing arrangements deemed to pose cybersecurity risks and (iii) foreign entities or individuals involved in cyberattacks or other harmful digital conduct targeting China.

Chinese regulators now hold the power to (i) investigate and fine overseas organizations/individuals for cyber threats targeting China, (ii) impose countermeasures, including asset freezes; and (iii) issue travel bans on executives of non-compliant foreign entities. Strengthened Penalty Regime The amended CSL introduces a more graduated penalty system, with higher maximum fines for serious violations compared with those under the 2017 version:

• General network operators may face fines of up to RMB 2 million for severe violations (such as those causing a large amount of data leakage);
• Critical Information Infrastructure Operators may face fines of up to RMB 10 million in particularly serious cases (where the critical information infrastructure partially loses its function).

The amendments also increase personal liability exposure. Responsible personnel — including directly incharge executives and other accountable individuals — may face fines up to RMB 1 million where violations lead to serious consequences. The amended CSL also clarifies that Chinese regulators have the authority to order rectification, suspend related business operations, revoke permits or business licenses, and shut down unlawful applications or services in serious cases.

To read this article in full, please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.