1 Introduction
This Advisory Note is an update to our 2023 report, Cyber Risks from China: How Contract Negotiations Can Mitigate IT Risks, and includes new insights and perspectives based on recent developments.
Deng Xiaoping’s famous saying, “If you open the window, both fresh air and flies will be blown in,” serves as the political and ideological foundation of China’s internet governance strategy, particularly the Golden Shield Project. When China connected to the internet in 1994, it was introduced as both an inevitable consequence of economic modernization and a crucial tool for supporting the country's "socialist market economy."
With this openness, however, came the perception of risk from foreign influences and the establishment of strict controls over cyberspace. Anyone familiar with Chinese history will recognize that the country has repeatedly faced foreign interference, shaping its deep-seated emphasis on sovereignty and social control. It is not surprising that Chinese scholars and policymakers frequently invoke the Century of Humiliation in academic papers and speeches, as it remains a key historical reference shaping China's modern political and security outlook.
However, the pursuit of independence does not justify enabling cybercrime, stealing intellectual property, or violating international norms. Many cyberattacks are believed to originate in China, and Chinese-made components are suspected of containing hidden cyber capabilities. There are also commercial and geopolitical risks. For example, China is now a major source of components used in all industries, creating supply chain risks.
From a cyber security perspective, the components could contain hidden backdoors or undocumented functionality that would allow data theft or remote control. Additionally, recent cyberattacks targeting critical infrastructure and government agencies have been linked to Chinese operations. These attacks demonstrate that China has well-developed and effective cyber offensive capabilities. These capabilities appear to be centrally controlled and strategically targeted. For more information on this topic, check out this blog post and podcast.
With bilateral trade reaching €739 billion in 2023, China is the EU's second largest trading partner for goods after the United States. As a result, European businesses must take proactive steps to mitigate the cybersecurity and operational risks associated with engaging in China’s digital and economic ecosystem. A key aspect of this risk management strategy is understanding the behaviors, priorities, and strategic interests of their Chinese counterparts. Organizations should not only anticipate these behaviors but also develop structured approaches to manage and negotiate with them effectively.
As my colleague Mike Small highlighted in the previous Advisory Note, “Trading creates a mutual dependency where each side stands to lose if the other is deterred from trading. Organizations must use this knowledge as a negotiating strength.” This interdependence offers European businesses a strategic advantage—by recognizing the leverage that mutual reliance creates, companies can set clearer expectations, strengthen contractual safeguards, and implement strong cybersecurity measures to protect their operations.
