As 2026 begins, organisations operating in or targeting the Chinese market are entering a new phase of regulatory accountability. Several important regulatory milestones have either already come into effect on 1 January 2026 or have been scheduled to become effective in the opening weeks of the year. Together, these developments signal a move beyond high-level legal alignment toward procedural, regulator-facing enforcement.
China’s data protection regime, anchored in the Personal Information Protection Law (PIPL), has always emphasised state oversight, national security and protection of vulnerable groups. What is new in early 2026 is the formalisation of routine reporting obligations that require organisations to evidence compliance on a recurring basis, particularly in relation to minors’ personal information and cross-border data transfers.
This blog highlights the most significant developments now in force and what organisations should be doing to prepare.
Annual minors’ data audit filings (effective January 2026)
On 29 December 2025, the Cyberspace Administration of China (CAC) issued a formal notice introducing a new procedural obligation for any organisation that processes the personal information of minors.
From 2026 onward, all personal information processors that handle minors’ data must submit an annual compliance audit status report to the CAC by 31 January each year. The first filing applies to the 2025 audit year and is therefore due by 31 January 2026. This requirement applies regardless of organisational size, revenue, industry or processing volume. Any organisation that has processed minors’ personal information in China is within scope.
While the protection of children’s data has been a feature of the PIPL since 2021, this is the first time the CAC has imposed a mandatory, calendar-driven reporting obligation. The change reflects a broader regulatory shift from post-incident enforcement to proactive compliance verification. The filing must be completed through the CAC’s Personal Information Protection Business System, which is accessible only from a China-based IP address. This introduces a practical hurdle for multinational organisations without local infrastructure and requires early planning to ensure in-country execution capability.
The obligation is legally grounded in the PIPL, the Regulations on the Online Protection of Minors, and the Measures for the Compliance Audit of Personal Information Processing, making it a binding requirement rather than guidance.
Cybersecurity Law amendments (in force January 2026)
Amendments to China’s Cybersecurity Law also entered into force on 1 January 2026, reinforcing alignment with the PIPL and tightening obligations for network operators and critical information infrastructure providers.
The amendments strengthen regulatory oversight, refine classification obligations, and sharpen expectations around security controls, data localisation and cross-border transfers. For many organisations, this requires renewed attention to infrastructure mapping, data flow classification and internal escalation pathways.
These changes reinforce China’s strategic emphasis on data sovereignty and risk-based supervision, particularly where personal information intersects with national security interests.
China’s cross-border certification mechanism
China’s Measures for the Certification of the Cross-Border Transfer of Personal Information, issued by the CAC and the State Administration for Market Regulation, are also shaping compliance strategy in early 2026.
Certification provides a third lawful pathway for transferring personal data outside China, alongside standard contracts and CAC security assessments. It is designed primarily for lower-risk, non-critical transfers, particularly within corporate groups.
Certification focuses on the organisation’s governance framework rather than individual transfers. It requires robust internal policies, safeguards, completed Personal Information Protection Impact Assessments, appropriate consent mechanisms, and continuous oversight. Certification is granted by accredited third-party bodies and remains subject to regulatory supervision.
For organisations with recurring, lower-volume cross-border transfers, certification offers a scalable alternative, but only where governance maturity can be clearly demonstrated.
What organisations should be doing now, and how a Data Protection Officer (DPO) can support
- Confirm the applicability of the minors’ data audit requirement
Identify whether any personal information relating to minors was processed in China during the 2025 calendar year, including via digital platforms, customer accounts, marketing, education, gaming, or employee systems. Even limited or indirect processing may trigger the obligation. A DPO can support with interpreting regulatory scope, assessing applicability across business units, and ensuring that less visible minors’ data processing activities are not overlooked.
- Prepare or refresh a PIPL-aligned privacy compliance audit
Conduct a focused audit addressing PIPL’s enhanced protections for minors, including lawful bases, parental or guardian consent, purpose limitation, data minimisation, retention controls, and organisational safeguards. A DPO can guide audit methodology in line with CAC expectations, identify compliance gaps, and ensure findings are documented in a regulator-ready format that evidences accountability.
- Plan for CAC submission logistics
As filings must be completed via a CAC system accessible only from a China-based IP address, organisations without an onshore presence should identify trusted local personnel, subsidiaries, or external counsel well in advance. A DPO can support with coordinating legal, IT, local operations, and external partners to ensure responsibilities are clearly assigned and submissions are completed accurately and on time.
- Review broader governance under the amended Cybersecurity Law
Validate infrastructure classifications, review technical and organisational security measures, update incident response procedures, and confirm that cross-border data flows are mapped and justified. A DPO can help integrate these activities into a coherent governance framework, ensuring privacy, cybersecurity, and operational risk controls reinforce one another.
- Reassess cross-border data transfer strategy
Evaluate whether certification offers a viable alternative to standard contracts or security assessments, considering eligibility, governance maturity, and long-term scalability. A DPO can provide strategic oversight on transfer mechanisms, coordinate Personal Information Protection Impact Assessments, and ensure that transfer decisions can be credibly defended in the event of regulatory scrutiny.
At HewardMills, we act as an external, independent DPO for organisations navigating the complexity of privacy regulations within China and across the globe. We support organisations with scoping exposure to minors’ data obligations, coordinating audit preparation and CAC filings, advising on PIPL-aligned governance frameworks, and determining the most appropriate cross-border transfer mechanisms, including certification readiness.
Whether you’re looking to enhance compliance readiness, mature your governance model, or reduce your organisation’s regulatory exposure, we’re ready to support you. Get in touch today.