Executive Summary

In May 2026, China's Cyberspace Administration of China (CAC), National Development and Reform Commission (NDRC), and Ministry of Industry and Information Technology (MIIT) jointly released the "Implementation Opinions on Standardized Application and Innovative Development of Intelligent Agents"—the nation's first comprehensive policy framework specifically targeting AI Agents. For developers, startups, and enterprises building or deploying Agent-based services in China, understanding the hard legal boundaries versus soft policy signals is not optional. It is a survival imperative. This guide breaks down the six non-negotiable legal red lines, the exact penalties for non-compliance (including criminal liability), and a step-by-step operational roadmap with government portals, timelines, and required documentation.

1.1 Algorithm Registration (Mandatory Filing)

Under the "Interim Measures on the Management of Generative Artificial Intelligence Services" (effective August 2023), any AI Agent with "public opinion attributes or social mobilization capabilities" must complete algorithm registration within 10 business days of public launch. Agents utilizing deep synthesis technology (text, image, audio, video generation or editing) require a separate deep-synthesis algorithm filing. The registration portal is beian.cac.gov.cn, operated by the Cyberspace Administration of China. Penalties for non-compliance include: formal warnings; fines ranging from RMB 10,000 to RMB 100,000; service suspension; and mandatory product removal from distribution platforms. There is no grace period. There is no "small company exemption." The 10-day clock starts the moment your Agent becomes publicly accessible.

1.2 AI-Generated Content Labeling (GB 45438-2025)

Effective September 1, 2025, the "Measures for the Labeling of Artificial Intelligence Generated Synthetic Content" plus mandatory national standard GB 45438-2025 establish a dual-labeling regime. Every piece of AI-generated text, image, audio, video, or virtual scene must carry: (a) explicit labels—visible text prompts, watermarks, or audio announcements such as "This content is AI-generated"; and (b) implicit labels—digital watermarks or metadata embedded at the file level that survive compression, format conversion, and screenshotting. For Agent service providers, this means your output pipeline must integrate labeling modules before any content reaches the end user. Non-compliance is not a regulatory gray area; it is a direct violation of a mandatory national standard, exposing the provider to administrative penalties and platform-level takedown.

1.3 User Authorization Boundaries (Civil & Criminal Liability)

The May 2026 Opinion explicitly states that users retain the right to know and the final right to decide on any autonomous Agent action. Before an Agent executes high-risk operations—payments, contract signing, email dispatch, database modification, or government form submission—it must obtain explicit user authorization. The legal consequence of unauthorized execution is severe. Under Article 287-1 of China's Criminal Law ("Illegal Use of Information Networks"), deploying an Agent that performs unauthorized financial or legal transactions can trigger criminal prosecution, not merely civil liability. Additionally, under the Civil Code, the service provider bears tort liability for any damages caused by unauthorized Agent actions. This is not a theoretical risk; it is a direct statutory obligation with criminal teeth.

1.4 Personal Information Protection (PIPL)

The Personal Information Protection Law (PIPL) applies to Agent systems with full force. Processing personal information requires a lawful basis—typically user consent, contractual necessity, or statutory duty. For sensitive personal information (biometric data, financial accounts, location trajectories, medical records), the law mandates separate, explicit consent with clear purpose limitation. The financial exposure is staggering: maximum administrative fines reach RMB 50 million or 5% of the preceding year's annual revenue, whichever is higher. For startups, this is often a death sentence. For enterprises, it triggers board-level governance crises. Furthermore, cross-border data transfers require completion of either a security assessment, a standard contractual filing, or a personal information protection certification—processes that take 1 to 6 months and require engagement with provincial cyberspace authorities.

1.5 Content Safety & Illegal Information Filtering

Article 47 of the Cybersecurity Law and Article 9 of the Generative AI Interim Measures impose an affirmative duty on Agent service providers to establish illegal and harmful content filtering mechanisms. This is not a suggestion; it is a statutory obligation. The system must detect, intercept, and block content involving false news, violence, pornography, discrimination, or incitement to illegal acts. Upon discovery, the provider must immediately cease generation, remove the content, prevent dissemination, and report to the competent authorities. Penalties under the Cybersecurity Law include fines from RMB 5,000 to RMB 50,000 for directly responsible individuals, with criminal prosecution for serious cases. The provider must also maintain a user complaint and reporting channel with guaranteed response mechanisms.

1.6 Multi-Level Protection Scheme (MLPS 2.0)

Under Article 21 of the Cybersecurity Law, any Agent system operating as a "network operator"—which includes websites, mobile apps, mini-programs, and API services—must complete the Multi-Level Protection Scheme (MLPS 2.0) classification, filing, and assessment. Most Agent systems fall under Level 2 (guidance protection) or Level 3 (supervision protection). The process involves: self-assessment of security level; filing with local public security cyber departments; and engagement of a certified third-party assessment organization for Level 3 systems. Failure to complete MLPS filing results in warnings, fines, and service suspension orders from public security authorities. For B2B Agent providers, MLPS certification is often a prerequisite for enterprise procurement contracts.

Beyond the six hard red lines, the May 2026 Opinion introduces several forward-looking concepts that, while not yet legally binding, signal the regulatory trajectory. These include: (a) an intelligent agent registration platform providing digital identity management, capability declaration, and retrieval services; (b) the Agent Interconnection Protocol (AIP) for standardized cross-Agent communication; (c) a tiered governance framework classifying Agents by application scenario and risk level; (d) third-party evaluation and certification mechanisms for Agent functionality, performance, and compliance; and (e) a supply-chain security information sharing and early-warning system. These measures are currently in the exploration and pilot promotion phase. However, the policy language is unambiguous: they are expected to transform into industry entry barriers within one to two years. Smart operators are already building these capabilities into their product roadmaps to avoid reactive scrambling when the rules harden.

3. Step-by-Step Compliance Action Guide: Portals, Timelines, and Documents

Step 1: Algorithm Registration

Portal: beian.cac.gov.cn (Cyberspace Administration of China algorithm filing system). Required documents: business license (scanned copy); algorithm description (technical architecture, input/output logic, training data overview); product description (functionality, user scenarios, deployment scope); commitment letter (legal compliance undertaking signed by legal representative). Process: submit to provincial CAC for preliminary review (10-15 working days); upon approval, submit to national CAC for final review (10-25 working days). Total timeline: 20-40 working days. Cost: no government fee; third-party documentation assistance ranges from RMB 5,000-30,000 depending on complexity.

Step 2: MLPS Filing

Authority: Local Public Security Bureau Cybersecurity Division. Required documents: MLPS classification report (self-assessment of security level based on system importance and data sensitivity); MLPS assessment report (for Level 3+, conducted by certified third-party assessment organization); network topology diagram; data flow description; security management system documents. Timeline: Level 2 systems take 1-2 months; Level 3 systems take 2-3 months (including third-party assessment). Cost: third-party assessment fees range from RMB 20,000-80,000 for Level 2, and RMB 50,000-200,000 for Level 3, depending on system scale and complexity.

Step 3: Content Labeling Implementation

Technical approach: either self-developed labeling modules or procurement of third-party digital watermarking services. For explicit labels, integrate text overlays, corner watermarks, or audio announcements into the output pipeline. For implicit labels, embed C2PA-compliant or GB 45438-5-compliant digital watermarks and metadata at the generation layer. Recommended tools: content moderation systems (e.g., Baidu AI Content Moderation, Alibaba Cloud Content Security); log audit systems (e.g., ELK Stack, Splunk); digital watermarking tools (e.g., Digimarc, proprietary solutions). No government filing required for labeling implementation, but self-audit documentation should be maintained for inspection.

Step 4: Cross-Border Data Compliance (If Applicable)

Authority: Provincial Cyberspace Administration. Required documents: data export security assessment application (including data types, volume, recipient, purpose, security measures); or standard contractual measures filing (for non-critical data exports); or personal information protection certification. Timeline: security assessment takes 3-6 months; standard contract filing takes 1-2 months. Cost: legal and consulting fees range from RMB 30,000-150,000 depending on data volume and jurisdiction complexity. Note: even temporary testing data exports may trigger filing requirements if personal information is involved.

Required Tools & Qualification Documents Summary

Tools: Content moderation system (input/output filtering); Log audit system (behavior traceability); Digital watermarking tools (implicit labeling); Vulnerability scanning system (security baseline); Identity and access management (IAM) system (authorization control). Documents: Business license; ICP filing certificate (or ICP license for commercial platforms); Algorithm filing number (post-registration); MLPS assessment report (post-filing); Privacy policy (user-facing, legally reviewed); User service agreement (with explicit authorization clauses); Cross-border data assessment report (if applicable).

4. The Self-Check List: screenshot and save

Conclusion: Compliance as Competitive Moat

The May 2026 Opinion is not merely a regulatory document; it is a market restructuring signal. Companies that treat compliance as a checkbox exercise will face existential risk. Companies that build compliance into their product architecture—permission control planes, behavioral audit trails, supply-chain security, and certification readiness—will gain trust, win enterprise contracts, and survive the inevitable regulatory tightening. The hard lines are already law. The soft signals are becoming law. The only question is whether your team is prepared before the deadline arrives.