On 28 October 2025, the 18th Session of the 14th Standing Committee of China’s National People’s Congress reviewed and adopted the decision to amend the Cybersecurity Law of the People’s Republic of China (“Cybersecurity Law”). The decision introduces 14 revisions to the Cybersecurity Law promulgated in 2016, focusing on improving legal liability for acts endangering network operation security, network product and service security, and network information security, and increasing the maximum penalty to RMB10 million (equivalent to US$1.4 million); incorporating provisions related to artificial intelligence (“AI”); expanding the law’s extraterritorial application; and aligning with relevant laws such as the Personal Information Protection Law of the People’s Republic of China (“Personal Information Protection Law”), the Data Security Law of the People’s Republic of China (“Data Security Law”), and the Administrative Penalty Law of the People’s Republic of China (2021 Revision) (“Administrative Penalty Law”), which have been promulgated or revised since 2021. The amended Cybersecurity Law will take effect on 1 January 2026.
The Cybersecurity Law has refined the legal liability for failures to fulfill network operation security protection obligations in accordance with the law, introducing penalties for acts resulting in severe consequences and particularly severe consequences, with the maximum penalty set at RMB10 million (equivalent to US$1.4 million). Firstly, the law has appropriately increased the fines for network operators and critical information infrastructure operators that violate cybersecurity protection obligations. It has also introduced penalties for severe circumstances, such as large-scale data breaches or partial loss of functionality of critical information infrastructure, and for particularly severe circumstances, such as the loss of primary functionality of critical information infrastructure. The penalty for severe circumstances ranges from RMB500,000 to RMB2 million (equivalent to US$70,000 to US$280,000), while the penalty for particularly severe circumstances ranges from RMB2 million to RMB10 million (equivalent to US$280,000 to US$1.4 million). Secondly, the law has established legal liability for the sale or provision of key network equipment and specialized cybersecurity products that have not undergone security certification or testing, or have failed such certification or testing. Penalties include warnings, confiscation of illegal gains, fines, orders to suspend relevant business operations or cease business for rectification, and revocation of relevant business licenses or operating permits. Thirdly, the law has improved penalties for conducting cybersecurity certification, testing, or risk assessments, or publicly releasing cybersecurity information, in violation of regulations, primarily by increasing the corresponding fines. For general violations, fines range from RMB10,000 to RMB100,000 (equivalent to US$1,400 to US$14,000); for severe violations, fines range from RMB100,000 to RMB1 million (equivalent to US$14,000 to US$140,000).
Fourthly, the law has added two further penalties for critical information infrastructure operators that use network products or services which have not undergone security review or have failed such review: orders to make corrections within a specified period and to eliminate impacts on national security.
Furthermore, the Cybersecurity Law has refined the legal liability for network operators, electronic information sending service providers, and application software download service providers that fail to fulfill their obligations to dispose of illegal information in accordance with the law. Firstly, it has increased the penalties for network operators that, upon discovering illegal network information, fail to take appropriate disposal measures as required by law or refuse to comply with disposal requests from relevant authorities. Secondly, it has introduced penalties for violations resulting in particularly severe impacts or consequences, with fines ranging from RMB2 million to RMB10 million (equivalent to US$280,000 to US$1.4 million).
The Cybersecurity Law has incorporated provisions concerning AI security and development, while removing the stipulation that “the state supports innovative approaches to cybersecurity management, utilizes new network technologies, and enhances the level of cybersecurity protection”. According to the new provisions, “the state supports fundamental theoretical research in AI and the research and development of key technologies such as algorithms, promotes the development of infrastructure including training data resources and computing power, refines ethical norms for AI, strengthens risk monitoring, assessment, and safety supervision, and fosters the application and healthy development of AI. The state supports innovative approaches to cybersecurity management, utilizes new technologies such as AI, and enhances the level of cybersecurity protection”. This provision aligns with the current national objective of promoting a governance framework for AI and addresses societal needs regarding the governance and development of AI.
The Cybersecurity Law has incorporated provisions to enhance alignment with the Personal Information Protection Law, the Data Security Law, and the Administrative Penalty Law in the areas of personal information protection, data security, and administrative penalties. The Personal Information Protection Law establishes legal liability for acts infringing upon personal information rights, the Data Security Law prescribes legal liability for illegally providing important data overseas, and the Administrative Penalty Law introduces provisions on mitigated, reduced, or exempted administrative penalties. Accordingly, the Cybersecurity Law has revised the legal liability for the aforementioned scenarios to referential provisions, specifying that such matters shall be handled and penalized in accordance with the Personal Information Protection Law, the Data Security Law, and other relevant laws and administrative regulations. Additionally, a new Article 73 has been added, stating: “Where a violation of this Law occurs but circumstances for mitigated, reduced, or exempted administrative penalties as prescribed in the Administrative Penalty Law exist, such penalties shall be imposed in accordance with the relevant provisions”.
The Cybersecurity Law has expanded its extraterritorial application scope. The circumstances under which legal liability may be pursued have been extended from overseas institutions, organizations, or individuals “conducting activities that attack, intrude, interfere with, or disrupt the critical information infrastructure of the People’s Republic of China, thereby causing serious consequences” to “engaging in activities that endanger the cybersecurity of the People’s Republic of China”. Additionally, where such activities result in serious consequences, the public security department and relevant authorities under the State Council may adopt asset freezes or other necessary sanction measures.
In conclusion, against the backdrop of increasingly stringent global digital economy regulation, the Cybersecurity Law has refined relevant legal liabilities, substantially increased penalties for violations, clarified the AI governance framework, strengthened extraterritorial applicability, and enhanced alignment with other laws. These amendments further delineate the legal boundaries and regulatory direction in China’s cybersecurity domain.