ICP Licence
MANDATORY
All internet-accessible services hosted in CN require an ICP licence. Commercial ICP requires full CN legal entity. Without ICP, the website/app cannot be legally hosted in China.
Regional Deep Dive/APAC
Tax & Regulatory // China
Entity type: WFOE (Wholly Foreign-Owned Enterprise) or VIE Structure
Core Compliance
Corporate Tax
25%
Standard rate; High-Tech Enterprise (HNTE) status reduces to 15%
VAT
6–13%
6% for technology services; 13% for goods. Complex multi-tier system.
ICP Licence
MANDATORY
Internet Content Provider licence required to operate any internet-facing service in CN
Regulatory Vectors
urgent
PIPL Compliance
REQUIRED
Personal Information Protection Law (2021) is the most comprehensive data law in APAC. Requires explicit consent, purpose limitation, cross-border transfer security assessments, and DPO appointment. Active enforcement.
Cybersecurity Law / Data Localisation
MANDATORY
All data collected in China must be stored in China. Cross-border data transfers for critical data and personal information require a Cyberspace Administration of China (CAC) security assessment.
VIE Structure (for internet/tech)
STANDARD PRACTICE
Foreign ownership of internet and value-added telecommunications services is prohibited. Variable Interest Entity (VIE) structure via a trusted CN partner is the standard approach for foreign tech companies.
Key Legislation
Personal Information Protection Law (PIPL) 2021
China's comprehensive data privacy law — the strictest in the region.
Cybersecurity Law 2017
Network operators must store data in China and may not transfer it overseas without security assessment.
Data Security Law 2021
Governs data classification, data security obligations, and cross-border transfer restrictions.
Telecom and Internet Regulations
ICP licensing and internet service operation regulations.
Entry Recommendation
CN requires a completely separate product strategy, legal structure, and operational team. Do not attempt China entry as a secondary market. Commit fully or defer until the core APAC business is generating sufficient cash to fund a China-specific operation.
Regulatory Flashpoints — Evidence Base
Primary regulatory flashpoint
confidence 40PIPL cross-border and lawful-basis constraints for personal information.
Needs human review