China Goes Extraterritorial (Again): PRC Issues New Expansion Of Its Compliance Architecture

The latest expansion of China’s already complex compliance architecture represents a serious issue for firms in the West. While Chinese frameworks are already present across three distinct stages – export controls, unreliable entities lists, and two rounds of sanctions blocking – the moves announced in April 2026 frame supply chain resilience in the language of national security. For risk leaders across the world, this means that exposure to China is increasingly becoming a structural feature of supply chain design.

Promulgated on 31 March 2026, Decree No. 834 is China’s first dedicated supply chain security regulation. Given that it contains only 18 articles, its broadness appears deliberate. The decree places countersanctions, export controls and investment screening under a single national security mandate. And it is not alone. Shortly after its publication, Decree No. 835 was introduced, to add a “malicious entity list”, aimed at any persons or organization who “promote or implement” foreign extraterritorial measures.  The two provisions must be carefully considered: they prevent foreign entities from gathering supply chain information inside China, and thus place Chinese law in direct conflict with the US Uyghur Forced Labor Prevention Act (UFLPA) and the EU’s Corporate Sustainability Due Diligence Directive (CSDDD). Notably, Article 15 in Decree No. 834 allows the Chinese authorities to investigate foreign entities based on conduct that “poses a threat” of damage to supply chains – a far lower bar than the “actual harm” standard that China’s own unreliable entity list and anti-foreign sanctions law have until now required.

In this new scenario, termination of Chinese suppliers to satisfy EU or US controls could have a significant operational fallout beyond the immediate sourcing disruption. Firms would face the prospect of losing access to Chinese market participants, with the Chinese authorities interpreting any supplier exit as compliance with hostile foreign regulation. A compounding of commercial damage with reputational harm inside China is, in many cases, the more lasting cost. Indeed, the regulation effectively restructures the risk calculus of compliance in such a way as to make adherence to the Chinese regulatory regime increasingly difficult without encountering liability in Western regimes – or vice versa.

It is therefore imperative that risk leaders:

• Map jurisdictional points of conflict before making any supplier exit decision.

  Legal exposure assessments will become increasingly necessary as compliance pain points evolve in, and move beyond, China.

• Encourage more proactive engagement with all global counterparties.

  Where supplier relationships must be wound down, firms that communicate through local legal entities, and frame transitions in commercially neutral terms, can reduce the perception that they are acting in response to foreign government directives.

• Establish a strategy to comply with the new legal framework.
  Firms must work with their legal teams to understand how they can separate due diligence activity from enforcement-facing documentation wherever operationally possible. As data collection inside China in support of foreign regulatory requirements may in itself constitute a triggering act, firms should work to distinguish internal risk intelligence gathering from documentation that could be characterized as implementing an extraterritorial measure.

The situation adds another layer of compliance complexity for firms operating with vendors from China. Ultimately, this is another symptom of an increasingly interconnected world, grappling with the demands of geopolitical uncoupling and the friction this creates for businesses caught between rival regulatory blocs. Building a compliance architecture that can answer to two systems demanding opposite things may be manageable – but only with deliberate design that provides breathing room for tolerance of operating in the grey space between the two.

For more risk management content, check out Verdantix insights.