Cyberspace Administration of China Releases Draft Amendment to Cybersecurity Law for Public Comment
Published 3 April 2025
Yu Du
On 28 March 2025, the Cyberspace Administration of China (CAC) released the Draft Amendment to the PRC Cybersecurity Law (Second Round of Public Comment) (Draft Amendment), seeking public opinions until 27 April 2025. The current Cybersecurity Law came into effect on 1 June 2017, and this amendment aims to enhance the integration with relevant laws, such as the Data Security Law, the Personal Information Protection Law, and the Administrative Penalty Law, and to make reasonable adjustments regarding the types, scope, and severity of administrative penalties.
The main content of the amendment includes:
1. Legal Responsibilities for Network Operation Security
In light of the practical consequences of harming network security, the Draft Amendment adds provisions for situations that cause significant data breaches, loss of partial functions of critical information infrastructure, and loss of main functions of critical information infrastructure, which result in particularly severe consequences. It also adjusts the fine amounts in Article 59 of the current Cybersecurity Law to align with the Data Security Law and adds corresponding penalty provisions. Further, it introduces legal responsibilities for the sale or provision of network critical equipment and cybersecurity products that have not been certified or tested, or that fail to meet security certification and testing requirements. It also clarifies how operators of critical information infrastructure that use network products or services which have not undergone, or have failed, security review are to be handled and penalized.
According to Article 59 of the Draft Amendment: “Network operators who fail to fulfill the cybersecurity protection obligations prescribed in Article 21 and Article 25 of this Law will be ordered to rectify by the relevant authorities, be warned, and may face fines ranging from RMB10,000 to RMB50,000; failure to rectify or causing harm to network security will result in a fine of RMB50,000 to RMB500,000, and a fine for the directly responsible personnel ranging from RMB10,000 to RMB100,000.
Operators of critical information infrastructure who fail to fulfill the cybersecurity protection obligations prescribed in Articles 33, 34, 36, and 38 of this Law will be ordered to rectify by the relevant authorities, be warned, and may face fines ranging from RMB50,000 to RMB100,000; failure to rectify or causing harm to network security will result in a fine of RMB100,000 to RMB1,000,000, and a fine for the directly responsible personnel ranging from RMB10,000 to RMB100,000.
In cases of the above actions, which result in significant data breaches or the loss of partial functions of critical information infrastructure, the relevant authorities may impose a fine of RMB500,000 to RMB2,000,000, and may order the suspension of related businesses, business rectification, closure of websites or applications, or the revocation of relevant business licenses or operating permits. Directly responsible personnel may face fines ranging from RMB50,000 to RMB200,000. If the loss of the main functions of critical information infrastructure occurs, the relevant authorities may impose a fine of RMB2,000,000 to RMB10,000,000 and may order the suspension of related businesses, business rectification, closure of websites or applications, or the revocation of relevant business licenses or operating permits. Directly responsible personnel may face fines ranging from RMB200,000 to RMB1,000,000.”
2. Legal Responsibilities for Network Information Security
To prevent new risks and challenges to national security and political security posed by network information content security, the Draft Amendment adjusts the legal responsibilities for violations under Articles 68 and 69 of the current Cybersecurity Law. These adjustments are in line with the enforcement practices of network information content laws in recent years and incorporate changes to foreign legislative models. The amendment clarifies penalties for failing to report to relevant authorities or for not taking action to stop the transmission of information that is prohibited by laws and administrative regulations.
The Draft Amendment combines Articles 68 and 69 of the Cybersecurity Law as follows:
“Network operators who violate the provisions of Article 47 of this Law by failing to stop the transmission or take removal actions for information prohibited by laws or administrative regulations, failing to save relevant records, or failing to report to the relevant authorities, or who violate Article 50 of this Law by not taking actions as required by authorities, will be ordered to rectify by the relevant authorities, be warned, and may face fines ranging from RMB50,000 to RMB500,000. In case of failure to rectify or in serious circumstances, a fine of RMB500,000 to RMB2,000,000 may be imposed, and the relevant authorities may order the suspension of business, closure of websites or applications, or revocation of related business licenses or operating permits. Directly responsible personnel and other directly responsible individuals may face fines ranging from RMB50,000 to RMB200,000.
In cases where the violations result in particularly severe consequences, the relevant authorities may impose fines of RMB2,000,000 to RMB10,000,000, and order the suspension of business, closure of websites or applications, or revocation of related business licenses or operating permits. Directly responsible personnel and other directly responsible individuals may face fines ranging from RMB200,000 to RMB1,000,000.
Electronic information transmission service providers and application software download service providers who fail to fulfill the security management obligations prescribed in the second paragraph of Article 48 of this Law will be penalized in accordance with the provisions of the previous two paragraphs.”
3. Legal Responsibilities for Personal Information and Important Data Security
Given that the Data Security Law and Personal Information Protection Law have introduced new specific provisions regarding the penalties for violations related to personal information and important data under Articles 64 and 66 of the current Cybersecurity Law, the Draft Amendment clarifies the applicable provisions as follows: “Any of the following actions will be handled and punished in accordance with relevant laws and administrative regulations:
(1) The publication or transmission of information prohibited by Article 12, paragraph 2 of this Law or by other laws and administrative regulations;
(2) Violating the provisions of Article 22, paragraph 3, and Articles 41 to 43, and infringing upon the rights of personal information protected by law;
(3) Violating the provisions of Article 37, by storing personal information and important data abroad or providing them to foreign entities.”
4. Circumstances for Reduced, Mitigated, or No Administrative Penalties
The Draft Amendment introduces a new provision (Article 72) that harmonizes the application of the Cybersecurity Law and the Administrative Penalty Law. It clarifies that network operators who actively eliminate or mitigate the harmful consequences of their violations, who make prompt corrections without causing harm, or who commit initial violations with minor consequences and rectify them in time may receive reduced, mitigated, or no penalties. It also specifies that relevant authorities will develop appropriate administrative penalty guidelines based on their responsibilities.
Comment
The Draft Amendment provides more detailed legal responsibility provisions for the cybersecurity field, particularly in strengthening the legal liabilities for network operators and the protection of critical information infrastructure. Overall, the amendment not only clarifies the boundaries of responsibility in cybersecurity management but also increases the penalties for violations, aiming to encourage companies to pay more attention to network security and data protection.
From a legal compliance perspective, companies should enhance their understanding and implementation of relevant laws and regulations in their daily operations, especially regarding information security management and data protection, to ensure compliance with the latest amendments and avoid facing significant fines or penalties for failure to meet cybersecurity obligations. Additionally, companies involved in cross-border data transmission or storage should pay close attention to compliance requirements, especially when dealing with personal information and critical data, to ensure they do not violate data security regulations.