Sector Regulators: Beyond the CAC
The CAC leads China’s AI regulatory apparatus, but five sector-specific agencies enforce their own rules on financial AI, market competition, automotive autonomy, healthcare data, and cybersecurity.
Multi-Agency Oversight Structure
The CAC is the primary AI regulator. Sector-specific agencies enforce rules within their jurisdictions, creating overlapping compliance obligations for AI operators.
Dashed lines represent jurisdictional overlaps. An AI system operating in financial services, for example, must satisfy CAC filing requirements, PBoC data rules, and CSRC trading system obligations simultaneously.
Sector Regulators and Their AI Jurisdiction
Click each card to see the specific regulations and enforcement powers.
The PBoC regulates AI used in financial services, with binding requirements for algorithmic transparency, personal financial data handling, and domestic data storage.
- Guidelines on Information Disclosure of Financial Applications Based on AI Algorithms (JR/T 0287-2023) require financial institutions to disclose how AI algorithms influence customer-facing decisions
- Measures for Security Management of Data in Business Areas of the PBoC mandate classification, grading, and domestic storage for personal financial information
- Compliance Guidelines for Promoting and Regulating Cross-border Data Flow in Financial Industry (April 2025) establish sector-specific transfer mechanisms
- Personal financial information must be stored domestically; cross-border transfer requires PBoC-specific authorization in addition to PIPL Art. 38 mechanisms
The CSRC oversees AI in securities trading, algorithmic market-making, and automated investment advisory services. AI-driven trading systems fall under both CSRC market conduct rules and CAC algorithm filing obligations.
- Algorithmic trading systems must comply with market manipulation prohibitions and circuit-breaker compliance
- AI-powered robo-advisory services require CSRC licensing as investment advisory entities
- Overlap with CAC: algorithmic recommendation filing applies to securities platforms that personalize investment content for users
SAMR enforces anti-unfair-competition and consumer protection rules against AI-enabled commercial practices. In February 2026, SAMR published its first batch of AI-specific enforcement cases.
- 5 published AI unfair competition cases (February 2026), with fines ranging from 5,000 to 360,000 RMB
- Cases included DeepSeek brand abuse and AI voice fraud, establishing enforcement precedent for AI-specific misconduct
- Joint enforcement with CAC on algorithmic discrimination (November 2024) targeting AI-driven differential pricing
- Consumer protection jurisdiction over AI-powered customer service, product recommendations, and automated dispute resolution
MIIT handles industrial AI standards, automotive AI market access, telecom licensing, and data security for the industrial sector. It collaborates with TC260 (a standards committee under SAC, not a regulatory body) on technical standards development.
- Implementation Plan for Enhancing Data Security Capabilities in Industrial Sector (2024-2026) establishes sector-specific data classification and protection requirements
- Co-leads the April 2026 Science and Technology Ethics Review Measures with MOST, requiring AI ethics review committees across enterprises and research institutions
- Automotive AI: granted L3 autonomous driving market access in December 2025 to Changan and Arcfox brands
- Telecom licensing authority for cloud service providers that host AI training infrastructure
The MPS enforces the Cybersecurity Multi-Level Protection Scheme (MLPS), conducts network security inspections, and handles criminal enforcement for cybersecurity violations. AI systems classified as critical infrastructure fall under MLPS requirements.
- MLPS enforcement: AI systems processing sensitive data or operating critical infrastructure must complete multi-level protection classification and assessment
- January 2026: published two new data security standards (GA/T 2380-2026 and GA/T 2381-2026), effective June 1, 2026
- Criminal enforcement authority for cybersecurity law violations, including unauthorized AI data collection and deepfake-enabled fraud
- Network security inspections can result in operational shutdowns for non-compliant AI platforms
Healthcare AI faces dual regulation: NHC data protection requirements for medical institutions plus standard CAC filing and content obligations.
- Measures for Security Management of Data and Personal Information Protection in Medical and Health Institutions (Trial, February 2026) impose healthcare-specific data classification and access controls
- AI diagnostic systems must comply with medical device registration in addition to CAC algorithm filing
- Patient data used for AI training requires explicit consent under both PIPL and the healthcare-specific measures
Sector-Specific AI Rules Matrix
Four sectors, three requirement dimensions. All operate in addition to baseline CAC and data law obligations.
| Sector | Data Classification | Cross-Border Rules | AI-Specific Regulation | Lead Agency |
|---|---|---|---|---|
| Finance | Mandatory grading, domestic storage for personal financial data | PBoC cross-border guidelines (Apr 2025), PIPL Art. 38 | JR/T 0287-2023: AI algorithm disclosure | PBoC / CSRC |
| Automotive | Vehicle data classification per MIIT guidelines | Automotive Data Cross-border Guidance (2026 Edition) | L3 market access (Dec 2025); MIIT standards | MIIT |
| Healthcare | Medical data classification, patient consent required | Standard PIPL Art. 38 mechanisms apply | Medical Data Measures (Trial, Feb 2026) | NHC |
| Energy | Energy data classification per NEA rules | Standard PIPL Art. 38 mechanisms apply | Energy Data Measures (Trial, effective Jul 1, 2026) | NEA |
= Sector-specific rules enacted and enforced. = Rules published but in trial or early implementation. All sectors remain subject to PIPL, DSL, and CSL baseline obligations.
SAMR AI Unfair Competition Cases (February 2026)
SAMR published 5 enforcement cases in February 2026, establishing the first wave of AI-specific market regulation precedent. Fines ranged from 5,000 to 360,000 RMB.
Unauthorized use of the DeepSeek brand name to market unrelated AI products, constituting unfair commercial practices under the Anti-Unfair Competition Law.
AI-generated voice cloning used in commercial deception, prosecuted under both unfair competition and consumer protection provisions.
Three additional cases covered AI-driven unfair commercial practices, with fines starting at 5,000 RMB. Together with the DeepSeek and voice fraud cases, these 5 cases form SAMR’s first AI enforcement batch.
SAMR also conducted joint enforcement with the CAC on algorithmic discrimination in November 2024, targeting AI systems that deliver different pricing or service levels to different users based on their data profiles.
Automotive AI: From Standards to Market Access
Automotive AI exemplifies how sector rules, data transfer restrictions, and technical standards converge.
Which Regulator Applies to Your AI System?
Start with your sector. The CAC always applies. Sector-specific obligations stack on top.
MPS applies to all sectors
Any AI system classified as critical information infrastructure must complete MLPS assessment regardless of sector.
Need Help with Sector-Specific AI Compliance?
TJS advisors help teams identify which sector regulators apply to their AI systems and build compliance programs for sector-specific enforcement.
Talk to a TJS Advisor →