Internet information services in China involve much more than building a site or shipping an app. Once a product is accessible to users in China, compliance quickly expands into filings, permits, data handling, content rules, and in some cases sector-specific licensing. This is not legal advice, but it is a practical way to understand the main issues that commonly come up.

Accessing overseas internet resources

A basic question appears surprisingly early: if a service needs to access overseas resources such as GitHub, is that access using a lawful channel?

China’s interim rules on international networking of computer information networks require direct international network access to use international gateway channels provided by the state public telecommunications network. Organizations and individuals are not allowed to establish or use other channels for international networking on their own. Violations can lead to orders to stop the connection, warnings, and fines of up to RMB 15,000, with illegal gains confiscated if any exist.

For products that rely on overseas platforms, APIs, repositories, models, or infrastructure, this issue cannot be treated as a mere technical detail.

Website filings and operating permits

If a website is accessible to the public in China, it generally cannot just go online without paperwork. At a minimum, a non-commercial website typically needs both an ICP filing and a public security filing. If the service is commercial in nature, additional permits such as an ICP license may be required.

Non-commercial internet information services

For non-commercial internet information services provided within China, filing is required by law. Without filing, the service cannot legally operate in China. This applies to organizations or individuals in China using a website accessed through a domain name or even only through an IP address to provide non-commercial internet information services.

Public security filing is also required. Under the rules on security protection for international networking of computer information networks, the relevant entities must complete filing with the designated public security authority within 30 days after the network is formally connected.

In practice, that means a website aimed at Chinese users usually needs:

• ICP filing
• Public security filing

Commercial internet information services

If the service is commercial, filing alone is not enough. Operating without the required business permit, or providing services beyond the approved scope, may trigger penalties from telecom regulators. Those penalties can include an order to correct, confiscation of illegal gains, fines based on the illegal income, or if there is no illegal income or the amount is below the threshold, fines ranging from RMB 100,000 to RMB 1,000,000. Serious cases may lead to the website being shut down.

After obtaining an ICP license, the operator must also apply to add business scope such as “internet information services” in its business registration.

App filing is separate from website filing

Apps also require filing, but app filing is not the same thing as website ICP filing. An app is not simply treated as a website.

A practical consequence is important here: domestic server providers, app distribution platforms, and mobile manufacturers offering cloud-based services such as push notification services generally cannot provide services to apps that have not completed the required filing.

For apps already operating, filing had to be completed before April 2024. For apps not yet launched, filing must be completed before the business begins.

The underlying rule is straightforward: an app organizer providing internet information services within China must complete filing under the applicable laws and regulations, and if filing has not been completed, the app may not legally provide internet information services. Network access providers, distribution platforms, and smart terminal manufacturers are not allowed to provide network access, distribution, pre-installation, and similar services to unfiled apps. These service providers are also expected to verify the real identity of the applicant and relevant network resource information, and may not handle filing on behalf of an applicant when they know or should know the information is inaccurate.

How app filing works

The source material describes two separate filing-related processes.

1. Mobile application information service registration

This is the basic registration of the app and the operating entity with a designated service institution under the Ministry of Industry and Information Technology. It applies to all apps that provide internet information services.

Materials to prepare

The following materials are typically needed:

主体资质证明：如果你是个人开发者或者运营者，你需要提供个人身份证复印件；如果你是企业开发者或者运营者，你需要提供企业营业执照复印件。
​
应用基本信息：包括应用名称、图标、简介、截图、版本号、大小、分类等。
​
应用功能说明：包括应用主要功能、特色功能、用户群体等。
​
应用安全保障措施：包括应用是否有安全检测报告、是否有用户协议和隐私政策等。
​
其他相关材料：根据不同类型的应用，可能还需要提供其他相关材料，例如：提供金融、医疗、教育等服务的应用，需要提供相应的行业许可证或资质证明；提供地图、导航等服务的应用，需要提供地理信息服务许可证或备案证明；提供音乐、视频、游戏等服务的应用，需要提供版权授权或许可证明等。

Where to submit

The materials can be submitted to one of the designated service institutions. The listed options are:

中国移动互联网应用安全检测：网址为http://www.msa-alliance.cn/。
​
中国互联网协会移动互联网应用程序自律公约：网址为http://www.cnnic.cn/。
​
中国通信标准化协会移动互联网应用程序信息服务登记平台：网址为http://www.ccsa.org.cn/。

Submission may be handled either online or by mail.

• Online submission: register an account on the institution’s website, fill in the relevant information, upload the materials, and submit.
• Mail submission: print the required materials and send them to the designated address according to the institution’s requirements.

Review timeline

After submission, the materials are reviewed by the service institution. Depending on the institution and the case, review is generally completed within 5 to 15 working days. If approved, the applicant receives a registration number and certificate for mobile application information service registration. If not approved, the materials may be returned or supplementary documents may be requested.

Completion

Once the registration number and certificate are issued, the registration step is complete. The registration number should be properly retained and displayed prominently within the app.

2. Mobile application content review

This second step does not apply to every app. It is for apps whose services involve certain types of content.

When content review is required

According to the rules referenced in the source text, content review is required for apps in categories such as:

新闻类：指提供时政新闻、社会新闻、经济新闻等内容服务的app。
​
出版类：指提供图书、报刊、音像制品等内容服务的app。
​
教育类：指提供学前教育、基础教育、高等教育、职业教育、继续教育等内容服务的app。
​
医疗类：指提供医疗保健、健康管理、疾病预防等内容服务的app。
​
其他类：指国家新闻出版署认为需要进行内容审查的其他类型的app。

If an app falls into one of those categories, content review may be required in addition to the basic registration step.

Record-keeping obligations

Internet information service providers and internet access service providers are required to retain certain records.

For internet information service providers, the records should include:

• the information content provided
• the time it was published
• the internet address or domain name involved

For internet access service providers, the records should include:

• the user’s internet access time
• the user account
• the internet address or domain name
• the calling telephone number, among other items

These records must be retained for 60 days.

Prohibited content

Anyone providing internet information services must avoid publishing content that falls into prohibited categories. The nine categories listed in the source material are essentially these:

1. content opposing the fundamental principles established by the Constitution
2. content endangering national security, leaking state secrets, subverting state power, or undermining national unity
3. content harming national honor or interests
4. content inciting ethnic hatred or discrimination, or undermining ethnic unity
5. content undermining state religious policy, or promoting cults or feudal superstition
6. content fabricating or spreading rumors, disrupting social order, or undermining social stability
7. content spreading obscenity, pornography, gambling, violence, murder, terror, or instigating crime
8. content insulting or defaming others, or infringing others’ lawful rights and interests
9. other content prohibited by laws or administrative regulations

This is not a niche requirement for media platforms alone. It applies broadly to internet information services.

Cross-border data transfers

If data is transferred outside China and the circumstances meet the legal thresholds, a security assessment for cross-border data transfer may be required.

For products handling user information, operational data, or model-related data flows across borders, this becomes a major compliance topic rather than an afterthought.

AIGC and algorithm-related compliance

If an AIGC product uses overseas data or overseas models, the earlier issues around international network access and cross-border data handling also come into play.

Beyond that, algorithm-related rules may apply. The source material specifically points to filing requirements under the rules on internet information service algorithm recommendation. Under Article 24, the filing obligation applies to providers of algorithm recommendation services that have the ability to influence public opinion or perform social mobilization. The filing duty is limited to the algorithm service provider, and does not extend to algorithm researchers, designers, or end users simply by virtue of using the algorithm. The key threshold is whether the service has public-opinion attributes or social mobilization capacity.

Depending on the product, there may also be filing and security assessment requirements under rules related to algorithm recommendation management and deep synthesis management.

Some sectors need additional qualifications

General internet filings do not replace sector licenses. If a product touches regulated industries such as education, finance, news, culture, or entertainment, the operator may also need the corresponding industry qualifications or permits. Without those, the service can still be illegal even if the basic internet-side filings are complete.

In other words, compliance for internet information services in China is layered. A website may need ICP and public security filing. A commercial service may need an operating license. An app needs its own filing path. Certain content-heavy apps may need additional content review. Providers may have to retain logs for 60 days, avoid prohibited content, manage cross-border data transfers properly, and in some cases handle algorithm filing or deep synthesis security obligations. Add industry licensing on top, and the compliance picture becomes much broader than simply getting a domain or launching an app store build.