Why Corporate Compliance in China Is Different
Corporate compliance in China differs from most other jurisdictions in three structural respects: the breadth of authorities, the pace at which underlying rules change, and the asymmetry between what is written in regulation and how it is actually enforced on the ground.
Foreign-invested enterprise (FIE) compliance in China involves dealing with several authorities in parallel. AMR supervises market behavior, registration, and antitrust compliance under the Anti-Monopoly Law. MOFCOM and its local branches handle foreign-investment record-filing under the Negative List for Foreign Investment (2024 edition, in force since 1 November 2024). CAC supervises data-related obligations under the CSL, the DSL, and the PIPL. Tax administration sits with the State Taxation Administration; foreign exchange with SAFE; sector-specific regulators — NMPA for medical products, the financial regulators for licensed financial business, MIIT for telecoms — add their own approval and reporting layers. Regulatory compliance in this environment is the work of holding all of these tracks aligned at once.
On the pace side, the rules move. The revised Company Law (effective 1 July 2024) introduced a mandatory five-year capital-contribution rule for limited liability companies. The State Council’s transitional arrangement gives existing FIEs until 30 June 2027 to align their articles of association. They have until 30 June 2032 to complete the capital contributions. The CAC’s Provisions on Promoting and Regulating Cross-Border Data Flows (March 2024) raised the thresholds for data-export filings, while the new Measures for Certification of Cross-Border Personal Information Transfer (effective 1 January 2026) added a third compliance pathway alongside security assessment and the standard contract.
On the enforcement side, written regulation and enforced regulation are not always the same document. Compliance programs built on a literal reading of the statute, without visibility into how the relevant authority actually applies it, can simultaneously over-comply and under-comply — overspending on requirements the regulator does not actively pursue, while missing items that surface in inspections. China compliance services that work in practice require local visibility into both the rule and its enforcement.
Regulatory Framework & Risk Assessment
Regulatory risk assessment for an FIE in China starts with mapping which authorities reach the company’s specific operations. A trading WFOE selling consumer goods will face AMR (registration, market conduct, advertising), the State Taxation Administration, the customs authority, and — if its e-commerce footprint passes the relevant thresholds — the CAC under PIPL. A manufacturing FIE adds environmental authorities under the Ministry of Ecology and Environment, occupational-safety supervision, and — for regulated products — sector-specific licensing (NMPA, NEA, and others depending on the sector).
The risk-assessment step converts this map into a working register. Each applicable regime is matched against (1) the company’s actual operating activities, (2) its registered scope and licenses, (3) the regulator’s current enforcement priorities for its sector, and (4) the practical consequences of non-compliance, ranging from administrative penalties and corrective orders to license suspension and inclusion on credit-status records that constrain future operations. The result is a prioritized list the business can actually work through, rather than a generic compliance audit checklist.
Legal & Regulatory Compliance
Compliance management for FIEs in China is the day-to-day work of keeping the company in good standing across registration, filings, employment, and tax. Each layer has its own cycle, its own authority, and its own evidentiary requirements.
- Corporate registration and license compliance — The FIE’s business scope must match its actual activities; expansion into new lines of business typically requires a scope amendment with AMR before operations begin. Changes in registered capital, legal representative, directors, or registered address are filed through the enterprise registration system. Under the 2024 Company Law, registered capital must now be fully contributed within five years of incorporation, with existing FIEs given a transition through 30 June 2027 to align their articles of association.
- Annual filings and compliance audits — FIEs file an annual report through the enterprise credit-information publicity system, an annual tax reconciliation with the State Taxation Administration, and — depending on size and sector — additional reports under the Foreign Investment Law’s annual reporting regime. A periodic compliance audit against the company’s licenses, contracts, and HR records is the practical mechanism for catching drift before it surfaces in an inspection.
- Labor and employment compliance — The Labor Contract Law, the Social Insurance Law, and the local-level implementing rules govern employment relationships. Standard written contracts, social insurance and housing fund contributions, working-hours administration, and adherence to the local minimum wage are the recurring compliance items; arrangements involving labor dispatch, non-competes, and confidentiality clauses each carry their own statutory limits.
- Tax compliance and social contributions — Corporate income tax filings, VAT, individual income tax withholding, and social insurance contributions run on monthly, quarterly, and annual cycles. Legal and regulatory compliance in tax is closely tied to invoicing discipline — the fapiao system — and to the alignment between contractual arrangements and their tax characterization.
Data & Cybersecurity Compliance
China data protection and cybersecurity compliance rests on three statutes operating in parallel: the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”), and the Personal Information Protection Law (“PIPL”). Each addresses a different angle — network security and critical information infrastructure under the CSL, data classification and security obligations under the DSL, and personal information handling under the PIPL — and a single operational activity (e.g., handling customer records on a cloud system) typically engages all three at once.
Practical compliance work for foreign-invested enterprises typically covers privacy notices and separate consents under the PIPL, data classification and security measures under the DSL, an internal data inventory, and personal information protection impact assessments (PIPIAs) before high-risk processing activities. Where personal information is transferred outside mainland China, a cross-border transfer mechanism is required.
The CAC’s Provisions on Promoting and Regulating Cross-Border Data Flows (March 2024) consolidated three available pathways: security assessment by the CAC, the standard contract for cross-border transfer of personal information, and certification. The 2024 Provisions raised the volume thresholds for triggering each pathway, with quantitative ranges applying to non-sensitive personal information, sensitive personal information, and important data. The Measures for Certification of Cross-Border Personal Information Transfer (effective 1 January 2026) made certification a fully operational third option.
Sectoral and important data overlays are then applied on top. Operators of critical information infrastructure face additional procurement and localization obligations under the CSL; companies handling “important data” (as defined by sectoral catalogs) face their own transfer restrictions. Data compliance is, in practice, a continuous review against rules that are still being supplemented by implementation guidance.
Corporate Governance & Reporting
Corporate governance of foreign-invested enterprises in China is now governed by the revised Company Law, which replaced the FIE-specific governance regime that previously sat under the Foreign Investment Law’s transitional arrangements. Existing FIEs were required to align their corporate-governance documents — articles of association, board structure, and shareholder meeting rules.
- Board composition and authority — Limited liability companies are typically governed by a shareholders’ meeting and a board of directors (or, in smaller companies, a single executive director). Listed companies and certain sectors have additional supervisory board or audit committee requirements. The legal representative carries personal exposure for the company’s regulatory standing and is registered with AMR.
- Annual reporting and disclosure — FIEs file an annual report through the enterprise credit-information publicity system, accessible to regulators and counterparties. Material changes — registered capital, equity transfers, directors and senior officers, registered address — require filing within the statutory timeframe. Corporate governance compliance also requires coordination with parent-company governance: board resolutions, intercompany transactions, and dividend distributions each have downstream filing and tax consequences in China.
Ongoing Compliance Management
Ongoing compliance management in China is structurally a tracking exercise, not a one-time setup. Three workstreams run continuously: monitoring regulatory change, managing the compliance calendar, and preparing for the regulator interactions that arrive — sometimes scheduled, sometimes not.
- Monitoring regulatory change — Across AMR, the CAC, the State Taxation Administration, sector regulators, and the local government implementations of national rules, the practical change rate is high. The revision of the Company Law in 2024, the March 2024 CAC cross-border data provisions, the 2024 Negative List, and the 2026 cross-border data certification measures each required existing FIEs to revisit their setups. The mechanism that catches the next change is a process, not a memory.
- Compliance calendar and deadlines — Monthly tax filings, quarterly reporting, annual reports, statutory audits, and license renewals run on different clocks. A consolidated calendar — with owners for each item — is the practical defense against the most common compliance failure: missing a deadline that no one was tracking.
- Inspections and regulator engagement — Regulator visits, on-site inspections, and information requests should be handled through a defined internal protocol: who speaks, what is produced, and what is recorded. Preparation here makes the difference between a routine visit and a finding that triggers downstream consequences.
Our Role as a China Corporate Compliance Law Firm
As a regulatory compliance law firm with a resident China practice, we work alongside foreign-invested clients on the full compliance lifecycle — from initial setup through ongoing management and through the difficult moments when something has gone wrong. Our PRC-licensed lawyers in Shanghai handle the local regulator interactions; our European and broader Asian network — across Italy, Hong Kong, India, Vietnam, and the UAE — handles the parent-group and home-jurisdiction overlay that any cross-border compliance program sits on top of.
Our China compliance services are built around integrated delivery: legal, tax, HR, and corporate advisory under one engagement, so a single compliance question never bounces between three providers before it gets answered. Compliance frameworks are designed for the company’s actual operating reality, not a generic FIE template, and they are revisited as regulations and the company itself evolve.
Working with the right corporate compliance lawyer on a China engagement is, in practice, the difference between a compliance program that runs in the background and one that requires firefighting whenever a regulator calls. For most clients, this means being served — from the initial gap analysis, through ongoing monitoring, to the inspection conversations — by one firm, which delivers greater continuity and consistency end-to-end.
