AI and Chinese Legal Landscape

December 11, 2025

China Revises Cybersecurity Law to Strengthen AI Governance and Enforcement

China’s revised Cybersecurity Law explained: AI governance framework, stricter supervision and significantly increased penalties.

On 28 October 2025, the Standing Committee of the 14th National People’s Congress passed the revised Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”). This marks the first substantive revision of the Cybersecurity Law since its entry into force in 2017. The amendments will come into effect on 1 January 2026.

Background

The Cybersecurity Law sits alongside the Data Security Law of the People’s Republic of China and the Personal Information Protection Law of the People’s Republic of China as one of the three cornerstone statutes of China’s cyber and data governance framework. Since its enactment, rapid digitalisation, the widespread adoption of emerging technologies and increasing cybersecurity risks have exposed gaps in the original regulatory design. The revised law responds to these developments by modernising regulatory tools, clarifying enforcement mechanisms and strengthening deterrence.

The amendments signal a shift towards more comprehensive and technology-aware regulation and are intended to support national security objectives while raising baseline compliance standards for network operators and digital service providers.

Key Revisions

Introduction of an AI Development and Governance Framework

For the first time, the revised Cybersecurity Law expressly addresses AI. Article 20 introduces a framework that balances support for AI innovation with enhanced governance obligations.

On the development side, the law affirms state support for fundamental AI research, the development of key technologies and the construction of supporting infrastructure. At the same time, it requires the strengthening of ethical norms, risk monitoring and security oversight for AI systems.

The provision also encourages enterprises to deploy AI technologies to enhance cybersecurity protection. This creates an explicit legal basis for the use of AI-driven security tools, while making clear that such deployment must align with broader risk and ethics requirements.

Expanded and Strengthened Regulatory Oversight

Previously, the Cybersecurity Law required certification and testing of critical network equipment and cybersecurity products but lacked specific penalty provisions for non-compliance. The revised law introduces clear administrative liabilities for network product providers and service providers. Sanctions may include confiscation of illegal gains, fines ranging from RMB 20,000 to up to five times the amount of illegal gains and revocation of business licences. These measures are designed to prevent defective or non-compliant products from entering the market at an early stage.

Recognising the growth of mobile applications, mini-programs and platform-based services, the revised law expressly introduces “shutdown of applications” as an administrative penalty. This addresses a previous enforcement gap and enables regulators to impose sanctions that go beyond financial penalties. By extending oversight from traditional websites to all forms of digital platforms, the amendments significantly broaden the scope of regulatory supervision.

The extraterritorial application of the Cybersecurity Law has been widened. Whereas the earlier version focused primarily on conduct endangering critical information infrastructure, the revised law now covers all activities that undermine China’s cybersecurity, including cyberattacks, data theft and unauthorised system access. Authorities are empowered to impose countermeasures such as asset freezes on relevant entities or individuals, signalling a more assertive stance on cross-border cybersecurity threats.

Refinement of Penalty Standards

The revised law replaces the former two-tier penalty structure with a four-tier framework that distinguishes between general violations, failure to rectify, serious consequences and exceptionally serious consequences. This approach aligns penalties more closely with the severity of harm, particularly in cases involving critical information infrastructure operators.

Penalty ceilings have been substantially raised. For non-critical operators, maximum fines now reach RMB 500,000 for companies and RMB 100,000 for responsible individuals. In cases involving exceptionally serious consequences, fines may reach RMB 10 million for companies and RMB 1 million for individuals. These increases substantially elevate the financial and personal exposure associated with non-compliance.

The revised law clarifies circumstances in which penalties may be mitigated, reduced or waived by reference to the Administrative Penalty Law. These include voluntary elimination of harmful consequences, first-time violations causing minimal harm with prompt rectification and absence of subjective fault. The provisions encourage proactive compliance, rapid incident response and effective internal documentation.

Practical Implications

The revised Cybersecurity Law significantly raises the stakes for network and data protection compliance in China. Organisations must reassess risk exposure, strengthen internal controls and ensure that cybersecurity governance frameworks are robust and well-documented. Senior management should be alert to heightened personal liability risks and ensure that compliance is embedded in operational decision-making.

Key Takeaway

The first amendment to China’s Cybersecurity Law represents a decisive step towards stricter, more comprehensive digital regulation. With enhanced enforcement powers, broader jurisdictional reach and explicit recognition of AI-related risks, the revised law reinforces the message that cybersecurity and data protection are core regulatory priorities. For businesses operating in China, proactive compliance is no longer optional but a critical component of sustainable operations.

BELGRAVIA LAW LIMITED is registered with the Solicitors Regulation Authority with SRA number 8004056 and is a limited company registered in England & Wales with company number 14815978. The firm’s registered office is at 2 Eaton Gate, Belgravia, London SW1W 9BJ.
