The severe dual challenges of cybersecurity and legal regulation for central bank digital currency
I. The Rise of Central Bank Digital Currency and Its Challenges
(1) The Unique Nature of Central Bank Digital Currency
Central Bank Digital Currency (CBDC), as a new form of currency carried by cryptographic strings, functions both as a means of valuation and payment, and possesses the characteristics of value storage, with its legal status equivalent to that of traditional fiat currency. However, CBDC is fully digitized in form, which significantly distinguishes it from the physical form of traditional fiat currency.
Taking China's central bank digital currency as an example, it not only inherits the authority of fiat currency but also integrates the convenience of electronic cash, the privacy protection of controllable anonymity, the simplicity of payment pathways, and the capability for offline payments. Since 2014, China has initiated in-depth research on the CBDC project and has continuously conducted multiple pilot programs, showcasing its leading position in the field of digital currency research and development.
(2) The Urgent Need to Address Cybersecurity Risks and Legal Regulation
In the promotion and application of central bank digital currency, cybersecurity risks and legal regulation issues have become increasingly prominent and are now important factors that restrict its development.
First, the security of CBDC credentials cannot be ignored. Due to the unclear legal status of digital currency, it is difficult to define the legal responsibilities of the parties involved in cases of credential theft or loss, thereby threatening the security of users' funds.
Second, the "controllable anonymity" feature, while protecting user privacy, also brings the risk of personal information leakage, which may infringe on users' privacy rights, and traditional litigation remedies seem inadequate in addressing such issues.
Moreover, for users with licensed roles, their regulation faces many challenges, such as the lack of clear legal basis for authorities when taking coercive measures, and the blurred boundaries between financial regulation and private rights protection. These issues indicate that establishing a sound legal system is crucial for ensuring the safe issuance and circulation of CBDC, which is key to ensuring that central bank digital currency can operate stably and efficiently.

II. Analysis of Cybersecurity Risks Faced by Central Bank Digital Currency
(1) Security Risks of CBDC Credentials
In the promotion and application of central bank digital currency (CBDC), the security risks of credential theft and loss cannot be overlooked. Due to the ambiguous legal status of digital currency, the current regulations on the management of Renminbi mainly focus on paper money and coins, excluding digital currency from their management scope, which leads to a lack of clear legal basis for handling issues of CBDC credential theft and loss.
Once a user's digital wallet is stolen, the uncertainty of the legal status of digital currency poses many challenges for accountability and loss recovery. Additionally, the ambiguity in the allocation of legal responsibilities among the parties involved further exacerbates this risk. Compared to the relatively clear responsibility allocation mechanism in traditional currency transactions, the issue of responsibility attribution for stolen or lost CBDC credentials appears complex and variable due to the lack of specific legal provisions.
This may involve vulnerabilities in the bank's security system or improper user operations, and the ambiguity in responsibility definition poses significant challenges for risk prevention.
(2) Personal Information Protection Risks under "Controllable Anonymity"
Under "controllable anonymity," central bank digital currency protects user privacy to some extent, but risks to personal information and privacy security still exist. During the operation of digital Renminbi, sensitive data such as users' transaction records and identity information may face risks of hacking or leakage during transmission, storage, and usage.
Criminals may exploit technological means to steal user information and subsequently engage in fraudulent activities, causing serious economic losses and psychological stress to users.
Moreover, traditional litigation remedies seem inadequate in addressing incidents of personal information leakage in the digital currency field. On one hand, the technical complexity and anonymity of digital currency increase the difficulty of identifying infringing parties and complicate evidence collection; on the other hand, the existing legal system lags in personal information protection for digital currency, which also restricts effective responses in judicial practice.
(3) Regulatory Risks for Licensed Role Users
In the central bank digital currency system, users with licensed roles, such as central banks, government personnel, and law enforcement officers, enjoy certain privileges. However, these authorities often lack clear legal basis and operational procedure regulations when taking coercive measures. This may lead to a lack of effective constraints on the exercise of power, thereby infringing on users' legitimate rights and interests.
Additionally, the blurred boundaries between financial regulation and private rights protection are also an important issue currently faced. When conducting financial regulation, users with licensed roles may need to obtain users' personal information and transaction data to fulfill their regulatory responsibilities.
However, how to balance the relationship between financial regulation and private rights protection in this process remains to be clearly defined. Excessive regulation may infringe on users' privacy rights and other legitimate interests; while insufficient regulation may fail to effectively curb illegal activities, affecting the normal operation of central bank digital currency and the protection of users' legitimate rights and interests.

III. Legal Regulatory Paths for Addressing Cybersecurity Risks of Central Bank Digital Currency Abroad
(1) United Kingdom: Risk-Based Management of Transaction Regulation
As a pioneer in the development of the digital currency industry, the UK’s policies encourage financial innovation while emphasizing real-time monitoring of potential risks. The UK clearly defines digital currency as a data representation of value, granting it monetary attributes and tax exemptions. For digital currency transactions, the UK government adopts a multi-dimensional strategy, including risk assessment, supervisory guidance, and public education, to ensure healthy market development.
In terms of addressing cybersecurity risks of central bank digital currency, the UK implements a risk-based management system, adopting differentiated regulatory measures based on different levels of transaction risk. Specifically, low-risk transactions enjoy a more relaxed regulatory environment to promote innovation, while high-risk transactions face stricter regulation to ensure transaction safety and stability. This system effectively reduces cybersecurity risks while stimulating the vitality of the digital currency market.
(2) United States: Upholding the "Reasonable Expectation of Privacy Principle"
Federal Reserve Governor Brainard emphasizes that the development of digital currency must balance family privacy protection with the prevention of illegal activities. The U.S. central bank digital currency policy follows the "reasonable expectation of privacy principle," aiming to seek a delicate balance between user privacy and crime prevention. Based on ensuring user privacy, the U.S. central bank digital currency system is committed to effectively preventing and tracking illegal transactions such as money laundering and terrorist financing.
Additionally, the white paper on central bank digital currency released by the Federal Reserve clearly states that the issuance plan for central bank digital currency will be suspended in the absence of explicit support from administrative departments and Congress, and emphasizes that specific legal authorization should ideally be obtained. Furthermore, cybersecurity, financial crime prevention, and meeting future demands are all considered important factors prior to the issuance of central bank digital currency.
(3) European Union: Separation of User Information and Payment Information Storage
The European Union adopts a cautious approach in the digital currency field, striving to build a secure, efficient, convenient, and legally compliant digital euro system. Fabio Panetta, a member of the Executive Board of the European Central Bank, points out that the digital euro will fully protect consumer privacy and prevent the potential threat of competitive cryptocurrencies to the monetary sovereignty of the eurozone. To achieve this goal, the EU adopts a strategy of separating the storage of user information and payment information to alleviate public concerns about data collection and processing.
For example, the European Central Bank has attempted to handle personal identity information and payment details separately, thereby maximizing user privacy protection while ensuring payment security. Recently, the European Central Bank has made significant progress in advancing the digital euro, including the completion of the first cross-border payment experiment with digital currency in Europe, conducted in collaboration with the central banks of France and Switzerland. Moreover, European Central Bank officials have repeatedly emphasized the importance of the digital euro in protecting personal privacy, maintaining financial stability, and ensuring system compatibility, in order to reduce the risks of the payment system in the digital age.
IV. Legal Regulatory Paths for Addressing Cybersecurity Risks of Central Bank Digital Currency in China
(1) Accelerating the Development of Specialized Laws and Regulations for CBDC
To align with the development trend of the digital economy era, China should clarify the legal status of digital Renminbi. Currently, the definitions of Renminbi in the "People's Bank of China Law" and "Regulations on the Management of Renminbi" are limited to paper money and coins, excluding digital Renminbi from their scope. Therefore, it is urgent to amend relevant laws and regulations to establish digital Renminbi as a form of legal currency and grant it the same legal status as physical Renminbi. At the same time, it is necessary to clearly define the legal responsibilities of relevant parties in accordance with the characteristics of CBDC.
In the transaction process of digital Renminbi, the responsibilities of banks, users, and other parties should be clearly defined. For example, if a digital Renminbi credential is stolen due to a vulnerability in the bank's security system, the bank should bear corresponding compensation responsibilities; conversely, if a credential is lost due to user operational errors, the user should also bear the corresponding consequences. By clarifying legal responsibilities, a solid legal guarantee can be provided for the safe and stable operation of digital Renminbi.
(2) Improving the Legal Framework for "Controllable Anonymity" at the Technical Level
- Establishing a legal basis for personal information processing based on the "Notice-Consent" principle.
In the operation of digital Renminbi, the "Notice-Consent" principle should be strictly followed, clearly disclosing to users the purpose of collecting personal information, the scope of use, and the storage methods, and processing personal information only with the explicit consent of users. For example, during the registration and use of digital Renminbi wallets, operating institutions should thoroughly explain the processing methods of personal information to users and provide clear options for users to choose.
- Establishing a system of reversed burden of proof in public remedies.
Given that users are relatively disadvantaged in terms of technology and information access, the traditional allocation of the burden of proof may make it difficult for users to obtain effective remedies. Therefore, it should be clearly stipulated that a reversed burden of proof system is implemented in the field of personal information protection for digital Renminbi. When disputes arise over personal information leakage, the operating institutions and other responsible parties should bear the burden of proof, demonstrating that they were not at fault in the processing of personal information. This aims to effectively reduce the burden of proof on users and increase the likelihood of users obtaining remedies.
(3) Strengthening the Regulatory Capacity Building of Relevant Regulatory Agencies
- Clearly defining the scope of responsibilities and powers of regulatory agencies.
The responsibilities and powers of the central bank, financial regulatory departments, and others in the regulation of digital Renminbi should be clearly defined to avoid regulatory overlaps or gaps. For example, the central bank should be responsible for the issuance and macro regulation of digital Renminbi, while financial regulatory departments should implement daily supervision of digital Renminbi operating institutions.
- Improving the communication mechanism between regulatory departments.
A sound regulatory coordination mechanism should be established to strengthen communication and cooperation among regulatory agencies, forming a regulatory synergy. Specifically, a regular information exchange and consultation mechanism can be established to timely share experiences and issues in the regulation of digital Renminbi. For example, joint meetings and the establishment of information-sharing platforms can be used to promote communication and cooperation among regulatory departments.
Additionally, communication and cooperation with international regulatory agencies should be strengthened, actively drawing on international advanced experiences to enhance the regulatory level of digital Renminbi in China.
V. Looking Ahead
As an important innovation in the digital economy era, central bank digital currency has enormous potential in terms of technology and application. However, due to its digital characteristics and complex network environment, it faces numerous cybersecurity risks. China has made certain achievements in actively exploring legal regulatory paths, but still faces some challenges.
First, the continuous development and innovation of technology pose ongoing challenges to the cybersecurity of central bank digital currency. With the emergence of new technologies such as quantum computing, traditional encryption methods may face the risk of being cracked. Therefore, it is necessary to continuously strengthen technological research and development to enhance the security and risk resistance of central bank digital currency.
Second, international cooperation is crucial in addressing cybersecurity risks of central bank digital currency. Due to the cross-border transaction characteristics of digital currency, countries need to strengthen cooperation and jointly formulate international standards and rules to ensure the stability and security of the global digital currency market.
China should actively participate in international cooperation, share experiences, and jointly address global cybersecurity challenges. Additionally, public education is also an important aspect of ensuring the security of central bank digital currency. The public needs to understand the characteristics and risks of central bank digital currency and master the correct usage methods and safety precautions. The government and relevant institutions should strengthen public education to raise public awareness of risks and self-protection capabilities.
In the future, it is expected that China will continue to pay attention to the cybersecurity risks of central bank digital currency and continuously improve legal regulatory paths. This means strengthening technological research and development to enhance security, strengthening international cooperation to jointly address challenges, and enhancing public education to raise risk awareness. Only in this way can the safe and stable operation of central bank digital currency be ensured, promoting the healthy development of the digital economy.