
China Updates Legal Consequences for Cybersecurity Law Breaches

Published 17 September 2025 by Yu Du
On 12 September 2025, the Standing Committee of the 14th National People’s Congress of China announced the Cybersecurity Law of the People’s Republic of China (Draft Amendment) (“Draft Law”), which was reviewed and adopted at its 17th Session, initiating a 30-day public comment period. The Draft Law comprises nine articles that amend, consolidate, and supplement the legal liability provisions under Chapter VI of the Cybersecurity Law of the People’s Republic of China (“Cybersecurity Law”) enacted in 2016. It refines the current cybersecurity legal framework in four areas: failure to fulfill cybersecurity protection obligations, failure to dispose of illegal information, infringement of personal information rights, and circumstances warranting mitigated penalties, thereby strengthening the penalties for the relevant violations.
The Draft Law refines the legal liability for failures to fulfill cybersecurity protection obligations in four respects. Firstly, it amends Article 59 of the Cybersecurity Law by increasing the range of fines for failures to fulfill cybersecurity protection obligations and adding penalties for severe consequences such as large-scale data breaches and functional failure of critical information infrastructure. According to the Draft Law, acts resulting in severe consequences (including large-scale data leaks or partial functional failure of critical information infrastructure) may incur fines between RMB 500,000 (equivalent to US$ 70,250) and RMB 2 million (equivalent to US$ 281,000). Acts resulting in particularly severe consequences (such as major functional failure of critical information infrastructure) may incur fines between RMB 2 million (equivalent to US$ 281,000) and RMB 10 million (equivalent to US$ 1.4 million). Additionally, the Draft Law introduces a new provision broadening the scope of Article 59 to cover other acts leading to severe or particularly severe consequences, including embedding malicious programs; failing to implement remedial measures or to promptly report security flaws or vulnerabilities in products or services; engaging in activities that endanger cybersecurity; or providing programs, tools, technical support, advertising, promotion, payment settlement, or other assistance for such activities.
Secondly, the Draft Law adds a new Article 61, stipulating that the sale or provision of critical network equipment or specialized cybersecurity products that have not undergone security certification or security testing, or that fail to meet the required certification or testing standards, may be subject to orders to cease such sales or provision, warnings, and confiscation of illegal gains. Where the illegal gains are less than RMB 100,000 (equivalent to US$ 14,050), a fine between RMB 30,000 (equivalent to US$ 4,215) and RMB 100,000 (equivalent to US$ 14,050) may also be imposed; where the illegal gains exceed RMB 100,000 (equivalent to US$ 14,050), a fine of one to three times the amount of the illegal gains may be imposed.
Thirdly, the Draft Law renumbers Article 62 of the Cybersecurity Law as Article 63 and introduces amendments. It stipulates that engaging in unauthorized cybersecurity certification, testing, risk assessment activities, or publicly disclosing cybersecurity information such as system vulnerabilities, computer viruses, network attacks, or network intrusions may result in orders to rectify, warnings, and fines ranging from RMB 10,000 (equivalent to US$ 1,405) to RMB 100,000 (equivalent to US$ 14,050). Where rectification is refused or the circumstances are serious, fines ranging from RMB 100,000 (equivalent to US$ 14,050) to RMB 1,000,000 (equivalent to US$ 140,500) may be imposed, accompanied by potential penalties including suspension of relevant operations, business shutdowns for rectification, closure of websites or applications, revocation of relevant business licenses, or revocation of business permits. Individuals directly responsible may face fines ranging from RMB 10,000 (equivalent to US$ 1,405) to RMB 100,000 (equivalent to US$ 14,050).
Fourthly, the Draft Law renumbers Article 65 of the Cybersecurity Law as Article 66 and amends it as follows: Where critical information infrastructure operators use network products or services that have not undergone security review or have failed security review, they may be ordered to make corrections within a specified period, cease usage, eliminate the impact, and be fined between one to ten times the procurement amount. Individuals directly responsible may be fined between RMB 10,000 (equivalent to US$ 1,405) and RMB 100,000 (equivalent to US$ 14,050).
The Draft Law enhances the legal liability for failures to dispose of illegal information, imposing stricter penalties for violations that cause particularly severe impacts or consequences. Articles 68 and 69(1) of the Cybersecurity Law are consolidated into a new Article 68, stipulating that network operators (including providers of electronic information sending services and application software download services) that fail to fulfill or inadequately fulfill safety management obligations (e.g., ceasing transmission, taking elimination measures, preserving records, reporting to competent authorities) regarding prohibited information may face warnings, public reprimands, and fines ranging from RMB 50,000 (equivalent to US$ 7,025) to RMB 500,000 (equivalent to US$ 70,250). Where rectification is refused or the circumstances are serious, fines ranging from RMB 500,000 (equivalent to US$ 70,250) to RMB 2,000,000 (equivalent to US$ 281,000) may be imposed, accompanied by potential penalties such as suspension of relevant operations, business shutdowns for rectification, closure of websites or applications, revocation of relevant business licenses, or revocation of business permits. Individuals directly responsible may face fines ranging from RMB 50,000 (equivalent to US$ 7,025) to RMB 200,000 (equivalent to US$ 28,100). Where particularly severe impacts or consequences occur, fines may increase to between RMB 2,000,000 (equivalent to US$ 281,000) and RMB 10,000,000 (equivalent to US$ 1.4 million), while directly responsible individuals may face fines between RMB 200,000 (equivalent to US$ 28,100) and RMB 1,000,000 (equivalent to US$ 140,500).
The Draft Law aligns the legal liability for infringements of personal information rights with the Personal Information Protection Law of the People’s Republic of China and the Data Security Law of the People’s Republic of China by consolidating Articles 64, 66, and 70 of the Cybersecurity Law into a revised Article 70. According to the Draft Law, any of the following acts shall be penalized in accordance with the relevant laws and regulations:
1. Any individual or organization publishing or transmitting information that endangers cybersecurity or national security, infringes upon others’ lawful rights and interests, promotes terrorism or ethnic hatred, disseminates violent or obscene content, or fabricates or spreads false information.
2. Providers of network products or services collecting user information without consent or unlawfully collecting users’ personal information.
3. Network operators unlawfully collecting or using personal information; leaking, altering, or destroying collected personal information; providing personal information to others without consent; refusing to delete or correct others’ personal information; stealing or obtaining personal information through illegal means; or illegally selling or providing personal information to others.
4. Operators of critical information infrastructure storing personal information or important data abroad without a security assessment or in violation of regulations, or providing such information or data overseas.
The Draft Law introduces a new Article 72 providing for mitigated, reduced, or exempted administrative penalties. It stipulates that network operators may receive mitigated, reduced, or exempted administrative penalties in accordance with the Administrative Sanctioning Law of the People’s Republic of China in circumstances such as voluntarily eliminating or mitigating the harmful consequences of the violation; minor violations promptly corrected without causing harmful consequences; first-time violations with minor consequences that are promptly corrected; and evidence proving the absence of subjective fault.
In response to the increasingly complex and dynamic landscape of cybersecurity, the Draft Law specifically strengthens legal liabilities for cybersecurity violations based on the categorization of unlawful acts. This signals that China’s next step following the refinement of the cybersecurity legal liability framework will likely involve rigorous enforcement against cybersecurity violations.