China

China's data protection or cyber security laws and regulations are as follows:

• Cyber Security Law: approved by the Standing Committee of the National People's Congress (NPC) in 2016 As the legal basis of cybersecurity, the law stipulates the obligations of network operators, network product and service providers, and established security requirements for critical information infrastructures. The Cyber Security Law went into effect on June 1, 2017.

• Civil Code of the People's Republic of China: passed by the Third Session of the 13th National People's Congress On May 28, 2020, which came into force on January 1, 2021 In this code, a separate article for personality rights is set up to protect the citizens' privacy rights and right to reputation.

• Personal Information Protection Law: reviewed by the NPC's Standing Committee on October 13, 2020 for a more systematic and standardized regulation for personal information protection The NPC's Standing Committee approved the law on August 20, 2021, which went into effect on November 1, 2021. The law describes the rules for processing personal information and providing personal information across borders, and stipulates the rights of personal information subjects.

• Data Security Law: incorporated into the legislative plan by NPC's Standing Committee in 2018 for standardizing data processing activities, ensuring data security, and promoting data development and utilization. Established on June 10, 2021, the Data Security Law describes requirements on data classification and hierarchical protection and data security review, and specifies security protection obligations of data processors. The law went into effect on September 1, 2021.

• GB/T 35273-2020 Information Security Technology - Personal Information Security Specifications: established by the State Administration for Market Supervision and the National Information Security Standardization Administration Committee to replace its early version GB/T 35273-2017 for the implementation of the Cyber Security Law. GB/T 35273-2020 is an important guideline for protecting personal information security and strictly regulates personal information processing, including data controllers' activities, such as collection, storage, use, sharing, transfer, and disclosure.

Huawei Cloud is committed to providing you with secure and compliant infrastructure and services. Each service has built-in security features and is guaranteed to run securely through continuous O&M. Huawei Cloud ensures that the infrastructure and services it provides have been assessed by authoritative, independent, third-party agencies and reviewed by the relevant certifying bodies.

When using Huawei Cloud services, you are responsible for the security and compliance of internal applications and custom configurations of your workloads on the cloud. As the owner and controller of your data, you are responsible for data security configuration, confidentiality, integrity, availability, as well as identity authentication and authorization for data access.

You are also responsible for compliance with the applicable regulatory requirements for your workloads on the cloud.

You can download HUAWEI CLOUD Security White Paper to view details about the responsibilities of Huawei Cloud and yours.

For more security and compliance issues, contact your account manager or Huawei Cloud.

• Classified Cybersecurity Protection, or DJCP, issued by China's Ministry of Public Security, is used to provide organizations with cybersecurity standards. It has been widely adopted by a range of industries in China. Huawei Cloud has earned level-3 cybersecurity certification, and key regions and nodes of Huawei Cloud have earned level-4 cybersecurity certification.

• Cloud Service Security Certification is a third-party security certification conducted by the Cyberspace Administration of China (CAC) under the Chinese national standard Information security technology — Security capability requirements of cloud computing services. The Huawei Cloud e-government cloud platform has earned enhanced level certification, from national cybersecurity management organizations in recognition of the platform's security and controllability.

• The cloud computing service capability assessment is based on the Chinese national standards such as General Requirements for Cloud Computing Cloud Service Operation. Huawei private cloud and public cloud have obtained the level-1 compliance certificate on cloud computing service capability.

• TRUCS, one of the most authoritative assessments in the cloud computing field in China, is run by the Data Center Alliance (DCA) and the China Academy of Information and Communications Technology (CAICT).

• TRUCS Gold O&M Assessment is a special assessment on the O&M capabilities of cloud service providers who have already earned TRUCS certification. Huawei Cloud has earned the TRUCS Gold O&M certification, a testament to Huawei Cloud's comprehensive O&M management system. It demonstrates that Huawei Cloud has met the certification standards of one of the most authoritative cloud service operations and maintenance assurance organizations in China.

• Certification for the Capability of Protecting Cloud Service User Data is a mechanism for evaluating user data security of cloud services. The evaluation key indicators cover pre-event prevention, in-event protection, and post-event tracing.

Huawei Cloud is committed to building secure and trusted cloud services. The infrastructure and services provided by Huawei Cloud have been assessed by authoritative, independent, third-party agencies and reviewed by the relevant certifying bodies.

Huawei Cloud is compliant with a wide range of international standards and practices, including:

• Security standards: ISO 27001, ISO 27017, CSA STAR, PCI DSS, PCI 3DS, ISO 27034, and NIST cyber security framework (CSF), and more

• Privacy standards: ISO 27018, ISO 27701, BS 10012, ISO 29151, and ISO 27799

• Other standards: ISO 22301 (for business continuity management), ISO/IEC 20000 (for IT service management), TL 9000 and ISO 9001 (for quality management), SOC 1, SOC 2, and SOC 3 (for audit)

Learn more from Compliance Certificates in the Compliance Center.