[co-author: Xun Li]
On October 28, 2025, China adopted the first major amendments to the 2017 Cybersecurity Law, which took effect on January 1, 2026. The revised Law establishes an additional tiered penalty regime featuring stricter fines for material cybersecurity violations. It further aligns liability-related provisions with the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), and incorporates a statutory provision that supports AI innovation while emphasizing requirements for improving AI ethics governance and strengthening risk monitoring and assessment.
On October 28, 2025, the Standing Committee of the National People’s Congress adopted the first significant amendments to the Cybersecurity Law of the People’s Republic of China, which originally took effect on June 1, 2017 (the “2017 CSL”). The 2017 CSL established the foundational regulatory framework for cybersecurity in China. The newly amended version (the “Amended CSL”), which came into force on January 1, 2026, introduces stricter compliance requirements, higher penalties, and expanded regulatory powers. Below are the key takeaways we would like to draw your attention to.
1. What types of non-compliance will be subject to heightened penalties under the Amended CSL?
Compared to the 2017 CSL, the latest amendments primarily focus on strengthening and restructuring the penalty regime.
The Amended CSL introduces a supplemental tiered penalty framework for non-compliance with the cybersecurity protection obligations set out below, with penalties scaled to the severity of the harm caused, thereby enhancing the deterrent effect and promoting stricter compliance with cybersecurity obligations.
- non-compliance with the Multi-Level Protection Scheme;
- mishandling of cybersecurity incidents;
- non-compliance with specific cybersecurity protection obligations by critical information infrastructure operators (CIIO);
- non-compliance with cybersecurity protection obligations by network products/services providers, including deployment of malicious programs, failure to promptly remedy security defects or vulnerabilities in their products or services, and failure to notify users and report to the competent authorities in a timely manner;
- carrying out activities such as cybersecurity certification, testing, and risk assessment, and disseminating to the public information endangering cybersecurity including system vulnerabilities, computer viruses, cyberattacks, and cyber intrusions, in violation of applicable provisions.
For a clear overview of how the violation and penalty framework has changed under the Amended CSL, please see the comparison table below (with the changes highlighted in bold).
In addition, the Amended CSL increases the upper limit of applicable fines for network operators' non-compliance with information content management obligations, including:
- failure to cease the transmission of, remove, or otherwise take disposition measures in respect of information published by its users that is prohibited from publication or dissemination under laws and administrative regulations, as well as failure to retain relevant records (with the Amended CSL further adding “failure to report to the competent authorities” as a violation);
- failure by electronic messaging service providers and application software distribution service providers to fulfil their security management obligations, including failure to stop providing services, take disposition measures, retain relevant records, and report to the competent authorities when they know that their users have set up malicious programs or disseminated information prohibited by laws and administrative regulations;
- failure to cease the transmission of, remove, take disposition measures, or retain relevant records regarding prohibited information as required by the competent authorities.
For a clear overview of how the penalty framework has changed under the Amended CSL, please see the comparison table below (with the changes highlighted in bold).
2. How does the Amended CSL affect the provision of “network critical equipment” and “cybersecurity dedicated products” to the China market?
The Amended CSL underscores China’s growing commitment to equipment and supply chain security. It introduces penalties for selling or providing network critical equipment or cybersecurity dedicated products without undergoing security certification or testing, or with fake security certification or non-compliant security testing results.
Violating entities may face sales bans, warnings, confiscation of illegal gains, fines (RMB 20,000 to 100,000 if there are no illegal gains or the illegal gains are less than RMB 100,000; or one to five times the illegal gains if the illegal gains are RMB 100,000 or more), and, in severe cases, suspension of relevant business or business suspension for rectification, or revocation of relevant business permits or business licenses.
3. What are the implications of the Amended CSL for the PIPL and the DSL?
The Amended CSL streamlines the legal liability framework for non-compliance with personal information protection and data protection obligations under the law. It explicitly refers all such liability to specialized laws and administrative regulations, primarily the PIPL, DSL and their implementing rules, covering the full scope of relevant violations. This revision eliminates fragmented liability provisions across different laws and achieves seamless alignment with specialized personal information protection and data protection legislation, ensuring consistent and rigorous enforcement of legal liabilities in this domain.
4. How does the Amended CSL interact with China’s emerging AI regulatory framework?
The Amended CSL explicitly supports artificial intelligence (AI) innovation and security within China’s cybersecurity framework. Notably, it introduces—for the first time at the statutory level—an exclusive clause addressing AI. It encourages the advancement of foundational AI research, algorithmic innovation, and the deployment of new technologies, including AI, to enhance cybersecurity management. While these provisions remain high-level and do not establish technical standards, they articulate a clear policy direction and are likely to be supplemented by more detailed, sector-specific rules in due course.
Importantly, this clause also emphasizes requirements for improving AI ethics governance, strengthening risk monitoring and assessment, enhancing safety supervision, and promoting the healthy development and application of AI. This signals a holistic regulatory approach in which technological development and robust oversight are expected to progress in parallel.
5. What are the implications for companies outside of China?
Although companies outside of China are not subject to the same requirements under the Amended CSL as companies in China, the Amended CSL grants regulators significant new powers to take action against companies outside of China whose actions compromise cybersecurity inside China. Under the 2017 CSL, enforcement was primarily focused on overseas activities that harmed critical information infrastructure (CII) within China. The Amended CSL significantly broadens its extraterritorial reach, now covering any overseas organizations or individuals whose actions compromise China’s cybersecurity more generally. Authorities are empowered to investigate and fine such overseas actors. In cases of serious consequences, the Public Security Bureau and other agencies may impose sanctions such as asset freezes or other necessary measures. This shift signals China’s more assertive approach to cross-border cyber activities and highlights the importance for multinational companies of assessing cybersecurity risks that may have a nexus to China, even if their operations are offshore.
6. What should enterprises do to comply?
While the Amended CSL does not impose entirely new obligations, it reflects a continued tightening of China’s cybersecurity regulatory environment. Enterprises should consider the following actions:
- Review and Update Compliance Programs
Enterprises should closely monitor legislative developments and ensure that their cybersecurity and data compliance programs are up to date. This includes conducting internal audits, addressing any compliance gaps, and documenting efforts to support mitigation if violations occur.
- Strengthen Incident Response and Cooperation Mechanisms
Enterprises should establish clear procedures for incident containment, self-reporting, and cooperation with regulatory investigations. Proactively eliminating harm and cooperating with authorities can help mitigate penalties in the event of a violation.
- Assess and Manage Cross-Border Risks
Given the expanded extraterritorial application of the Amended CSL, companies with overseas operations connected to China should evaluate their potential exposure. This includes preparing for possible cross-border law enforcement actions and ensuring that supplier and product compliance is robust.