The China Cybersecurity Law amendment introduces the first revisions to the law since 2017, expanding state support for AI development while tightening compliance obligations for network operators and critical information infrastructure. The amendment also aligns cybersecurity provisions with the PIPL and increases penalties for violations involving data handling, emergency response, prohibited content, and cross-border data transfers. Together, these changes signal a more rigorous, integrated regulatory environment for companies operating in China’s digital ecosystem.
On October 28, 2025, the Standing Committee of the National People’s Congress (NPC) adopted a set of amendments to the Cybersecurity Law, updating several provisions to strengthen oversight of artificial intelligence (AI) and refine regulatory obligations for network operators and critical information infrastructure.
First enacted in 2017, the Cybersecurity Law established China’s core legal framework governing online activities, data handling, and network security. The newly approved amendments represent the most significant adjustments to the law since its adoption and will take effect on January 1, 2026.
Support for AI research
A key amendment is expanded state support for the development of AI technologies.
The revision removes the former clause stating that the state “supports innovative methods of cybersecurity management and the use of new technologies such as AI to improve the level of cybersecurity protection” and instead introduces a new article – Article 20 – providing broader support for AI research and development (R&D).
Under the new provision, the state will support:
- Basic theoretical AI research and the development of key technologies such as algorithms;
- Construction of infrastructure such as training data resources and computing power;
- Improvement of AI ethical norms;
- Strengthening of risk monitoring, assessment, and security supervision; and
- Promotion of the application and healthy development of artificial intelligence.
Aligning the Cybersecurity Law with the PIPL on personal information processing
A new clause has been added under Chapter IV (“Cybersecurity”) to align the Cybersecurity Law with the Civil Code, the Personal Information Protection Law (PIPL), and related regulations. The PIPL, enacted in 2021, is China’s comprehensive data protection law that establishes rules for the collection, storage, use, transfer, and disclosure of personal information. It sets out principles such as data minimization, purpose limitation, and transparency, imposes strict consent and security requirements on processors, and provides individuals with rights over their personal data.
The new clause requires network operators to comply with these laws when processing personal information:
“Network operators shall comply with the provisions of this Law and the Civil Code of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other laws and administrative regulations when processing personal information.”
Changes to penalties and liabilities
Higher penalties for violating cybersecurity and emergency response obligations
The amended Article 61 (formerly Article 59) raises penalties for entities that violate the cybersecurity and emergency response obligations under Articles 23 and 27 (formerly Articles 21 and 25).
Under the new provisions, network operators may be fined RMB 10,000 to RMB 50,000 (US$1,400 to US$7,000) for a first-time violation, whereas previously a fine was issued only if the company refused to correct the violation following a warning.
If a company refuses to correct the violation, the fine has increased from RMB 10,000 to RMB 100,000 (US$1,400 to US$14,000) to RMB 50,000 to RMB 500,000 (US$7,000 to US$70,000).
Fines for responsible individuals have also increased from RMB 5,000 to RMB 50,000 (US$700 to US$7,000) to RMB 10,000 to RMB 100,000 (US$1,400 to US$14,000).
Penalties have also increased for critical information infrastructure operators (CIIOs) that violate Articles 35, 36, 38, and 40 (formerly Articles 33, 34, 36, and 38), which address the secure construction, management, procurement, and regular risk assessment of critical information infrastructure. CIIOs now face fines of RMB 50,000 to RMB 100,000 (US$7,000 to US$14,000) for a first violation, whereas previously they would only receive a warning.
Increases to Fines for Violations of Cybersecurity Obligations

| Target | Violations | Fine (previous) | Fine (amendment) |
| --- | --- | --- | --- |
| Network operators | Violations of Articles 23 and 27 of the Cybersecurity Law (cybersecurity and emergency response obligations) | None (warning/order to correct only) | RMB 10,000 to RMB 50,000 (US$1,400 to US$7,000), in addition to a warning/order to correct |
| | If the entity refuses to correct the violation | RMB 10,000 to RMB 100,000 (US$1,400 to US$14,000) | RMB 50,000 to RMB 500,000 (US$7,000 to US$70,000) |
| | For responsible individuals | RMB 5,000 to RMB 50,000 (US$700 to US$7,000) | RMB 10,000 to RMB 100,000 (US$1,400 to US$14,000) |
| Critical information infrastructure operators | Violations of Articles 35, 36, 38, and 40 of the Cybersecurity Law (CIIOs’ obligations to implement security management, ensure secure procurement, conduct annual risk assessments, and maintain resilient infrastructure) | None (warning/order to correct only) | RMB 50,000 to RMB 100,000 (US$7,000 to US$14,000) |
| | If the entity refuses to correct the violation | RMB 100,000 to RMB 1 million (US$14,000 to US$140,000) | Unchanged |
| | For responsible individuals | RMB 10,000 to RMB 100,000 (US$1,400 to US$14,000) | Unchanged |
| All operators | Violations that lead to serious consequences for cybersecurity, such as massive data leaks or loss of partial functionality of critical information infrastructure | None | RMB 500,000 to RMB 2 million (US$70,000 to US$280,000) |
| | Violations that lead to particularly serious consequences for cybersecurity, such as loss of major functionality of critical information infrastructure | None | RMB 2 million to RMB 10 million (US$280,000 to US$1.4 million) |
| | For directly responsible personnel | None | RMB 200,000 to RMB 1 million (US$28,000 to US$140,000) |
| | Behaviors violating Article 24(1) and (2) and Article 50(1) of the Cybersecurity Law that lead to “serious” or “particularly serious” consequences | None | RMB 500,000 to RMB 2 million (US$70,000 to US$280,000) for “serious” consequences; RMB 2 million to RMB 10 million (US$280,000 to US$1.4 million) for “particularly serious” consequences |
| | For directly responsible personnel | None | RMB 200,000 to RMB 1 million (US$28,000 to US$140,000) |
Additional liability for violations involving malicious programs and security defects
The amended Article 62 (formerly Article 60) extends the above fines to certain behaviors that violate Article 24(1) and (2) and Article 50(1) of the Cybersecurity Law (formerly Article 22(1) and (2) and Article 48(1)).
- Article 24(1) and (2) require network product and service providers to meet national standards, remediate and report security risks, notify users, and continue required security maintenance.
- Article 50(1) prohibits distributing electronic information or software containing malicious programs or content banned by law.
The behaviors subject to penalties if they cause “serious” or “particularly serious” consequences are:
- Setting up malicious programs;
- Failing to take immediate remedial measures for security defects, vulnerabilities, or other risks, or failing to promptly inform users and report to authorities; and
- Unauthorized termination of required security maintenance
Penalties include:
- RMB 500,000 to RMB 2 million (US$70,000 to US$280,000) for serious consequences;
- RMB 2 million to RMB 10 million (US$280,000 to US$1.4 million) for particularly serious consequences; and
- RMB 200,000 to RMB 1 million (US$28,000 to US$140,000) for responsible personnel.
Penalties for selling uncertified critical network and security products
A new article – Article 63 – sets penalties for violating Article 25 (formerly Article 23) by selling or providing uncertified critical network equipment or dedicated cybersecurity products.
Article 25 requires that critical network equipment and dedicated cybersecurity products meet the mandatory requirements of the relevant national standards and pass security certification by a qualified institution, or security testing, before they are sold or provided.
Under the new Article 63, any party that sells or provides critical cyber equipment or dedicated cybersecurity products that have not undergone required security certification or testing, or that fail such certification or testing, will face:
- An order to cease sales or provision, a warning, and confiscation of illegal gains;
- If there are no illegal gains or the gains are below RMB 100,000 (US$14,000), a fine of RMB 20,000 to RMB 100,000 (US$2,800 to US$14,000);
- If illegal gains are RMB 100,000 (US$14,000) or more, a fine of one to five times the illegal gains; and
- In serious cases, suspension of business, an order to cease operations for rectification, or revocation of a business license or permit.
Clarifying penalties for failure to verify users’ real identity
Article 61 has been renumbered as Article 64, with an editorial amendment to the types of sanctions that may be imposed. The phrase “closure of the website” has been revised to “closure of the website or application,” clarifying that penalties may apply not only to traditional websites but also to app-based services.
Substantively, the provision continues to govern violations of the real-identity (“real-name”) registration requirement. Under the former Article 61, network operators that failed to require users to provide authentic identity information, or that continued providing services to users who refused to do so, could be ordered to correct the violation. If the operator refused to comply or if the circumstances were serious, authorities could impose fines and order measures such as suspension of business, rectification, website closure, or license revocation.
The amendment maintains the same enforcement structure while updating the terminology to reflect contemporary service formats.
Penalties for unauthorized release of cybersecurity information and activities
Article 62 has been renumbered as Article 65 and substantially revised. The provision continues to regulate unauthorized cybersecurity certification, testing, and risk assessment activities, as well as the release of cybersecurity-related information, including system vulnerabilities, computer viruses, network attacks, and network intrusions, to the public, as set out under Article 28 (formerly Article 26).
The amended text increases penalties and clarifies enforcement measures:
- Entities that conduct such activities in violation of Article 28, or that release the above types of cybersecurity information, may be ordered to rectify the violation, issued a warning, and fined between RMB 10,000 and RMB 100,000 (US$1,400 to US$14,000).
- If the entity refuses to correct the violation or the circumstances are serious, the fine increases to between RMB 100,000 and RMB 1 million (US$14,000 to US$140,000), and authorities may order business suspension, business rectification, closure of the website or application, or license revocation.
- Directly responsible supervisors and other responsible personnel may be fined between RMB 10,000 and RMB 100,000 (US$1,400 to US$14,000)
The amendment also links these violations to the enhanced penalty regime under Article 61(3). If the activities described above result in “serious” or “particularly serious” cybersecurity consequences, such as large-scale data leaks or loss of critical infrastructure functionality, penalties will be imposed in accordance with Article 61(3), which provides for significantly higher corporate and individual fines.
Penalties for using network products or services not passing security review
Article 65 has been renumbered as Article 67 and updated in line with the current Article 37 (formerly Article 35). Article 37 requires critical information infrastructure operators (CIIOs) to ensure that any network products or services they procure that may affect national security undergo and pass the national cybersecurity review organized by the national cybersecurity and informatization authorities.
The amended article establishes the following enforcement measures:
- If a CIIO uses network products or services that have not undergone security review or have failed security review, the competent authority shall order rectification within a specified period, require cessation of use, and require elimination of any adverse impact on national security.
- Operators may be fined between one and ten times the procurement amount.
- Directly responsible supervisors and other responsible personnel may be fined between RMB 10,000 and RMB 100,000 (US$1,400 to US$14,000).
Compared with the former Article 65, the amendment adds explicit language requiring rectification within a specified period and clarifies that the operator must take steps to eliminate the national security impact, while retaining the same fine structure.
Penalties for failure to address prohibited information and related violations
Articles 68 and 69(1) have been merged and renumbered as Article 69, with revisions that consolidate the enforcement framework for handling information prohibited by laws or administrative regulations.
Under Article 49 (formerly Article 47), network operators must manage user-posted information and, upon discovering prohibited content, must immediately stop transmission, take elimination and control measures, preserve relevant records, and report to the competent authorities. Article 52 (formerly Article 50) requires operators to comply with instructions from relevant departments to take these measures and, when necessary, block dissemination of such information originating outside China.
The amended Article 69 strengthens penalties for violations of these obligations:
- If a network operator fails to cease transmission, fails to eliminate prohibited information, fails to preserve relevant records, or fails to report to authorities – as required by Article 49 – or fails to comply with departmental instructions under Article 52, authorities may order rectification, issue a warning, and publish a public notice. A fine of RMB 50,000 to RMB 500,000 (US$7,000 to US$70,000) may also be imposed.
- If the operator refuses to rectify the violation or the circumstances are serious, the fine increases to RMB 500,000 to RMB 2 million (US$70,000 to US$280,000), and authorities may order suspension of business, business rectification, closure of the website or application, or license revocation.
- Directly responsible supervisors and other responsible personnel may be fined between RMB 50,000 and RMB 200,000 (US$7,000 to US$28,000).
Where these violations cause “particularly serious” impact or consequences, such as major harm to cybersecurity, the penalties further increase:
- Operators may be fined between RMB 2 million and RMB 10 million (US$280,000 to US$1.4 million), in addition to potential suspension, rectification, website or application closure, and license revocation.
- Directly responsible supervisors and other responsible personnel may be fined between RMB 200,000 and RMB 1 million (US$28,000 to US$140,000).
The revised article also specifies that providers of electronic information transmission services and application software download services that fail to fulfill the security management obligations under Article 50(2) will be penalized according to the same two-tier penalty structure.
Consolidated penalties for prohibited information, personal information violations, and cross-border data transfers
Articles 64, 66, and 70 have been merged into a single provision – Article 71 – which brings together penalties for violations involving prohibited information, personal information protection, and cross-border data requirements. The new article specifies that the following acts will be handled and punished in accordance with the relevant laws and administrative regulations:
- Publishing or transmitting prohibited information, as set out in Article 13(2) (previously Article 12(2)), which forbids using the network to disseminate content that harms national security, public order, or others’ lawful rights and interests.
- Violating personal information protection requirements under Article 24(3) and Articles 43 to 45 (previously Article 22(3) and Articles 41 to 43), which require providers to inform users and obtain consent when collecting information, restrict collection and use to lawful and necessary purposes, ensure the security of personal information, and allow individuals to request deletion or correction.
- Illegally storing or providing personal information and important data overseas, contrary to Article 39 (previously Article 37), which requires CIIOs to store such data within China and undergo a security assessment before transferring it abroad.
The article further provides that:
- Anyone who violates Article 46 (formerly Article 44), which prohibits stealing, illegally obtaining, illegally selling, or illegally providing personal information, and whose conduct does not constitute a crime, will be punished by public security authorities in accordance with the relevant laws and regulations.
Leniency, mitigation, or exemption from penalties under the administrative penalty law
A new Article 73 has been added to clarify the application of the Administrative Penalty Law. The new provision states that where a violation of the Cybersecurity Law falls under circumstances that qualify for leniency, mitigation, or exemption from punishment – as defined in the Administrative Penalty Law – authorities shall apply those outcomes accordingly.
The amendment therefore expressly incorporates the Administrative Penalty Law’s mechanisms for reduced or waived penalties (such as voluntary rectification, cooperation, or minor circumstances) into the enforcement of the Cybersecurity Law.
Liability for overseas actors endangering China’s cybersecurity
Article 75 has been renumbered as Article 77 and updated to broaden and clarify liability for overseas actors. Under the amended article, any overseas institution, organization, or individual that engages in activities endangering the cybersecurity of the People’s Republic of China will be held legally responsible.
The amended article retains the former provision, which was limited to attacks, intrusions, interference, or damage targeting China’s critical information infrastructure, but broadens its scope to any activity that endangers national cybersecurity.
Where such conduct causes serious consequences, the public security authorities and other competent departments under the State Council may additionally impose sanctions such as freezing assets or taking other necessary restrictive measures against the overseas entity or individual involved.
Key takeaways for foreign companies
The amendments to the Cybersecurity Law signal a clear recalibration of China’s regulatory priorities and carry several implications for foreign companies and investors operating in or engaging with the Chinese market. The strengthened emphasis on AI underscores that development of this technology remains a strategic national priority, and companies involved in AI research, data services, algorithmic development, or related infrastructure should anticipate both expanding opportunities and heightened expectations for compliance.
The explicit support for AI R&D, alongside stricter requirements around ethics, risk monitoring, and security, suggests that firms will need to deepen their technical capabilities, governance structures, and alignment with China’s emerging AI policy architecture.
At the same time, the revised penalty framework introduces significantly higher liabilities for violations of cybersecurity, personal information protection, and data-handling obligations. Foreign companies – especially those operating online platforms, providing software or network services, or managing high-value data sets – will need to reassess their risk exposure and ensure that internal controls, incident response plans, and security processes meet the heightened standards. The expanded scope of penalties, including for non-compliant cross-border data transfers or failures in emergency response, reinforces the need for proactive compliance rather than reactive remediation.
Finally, the amendments bring greater regulatory clarity by harmonizing provisions with the PIPL, the Civil Code, and other related regulations. This alignment reduces some areas of ambiguity that have challenged companies in the past, but it also means that obligations under these various laws now operate more tightly in tandem. For foreign businesses, understanding how these frameworks interlock will be essential for structuring operations, designing data governance systems, and managing cross-border data flows.
About Us
China Briefing is one of five regional Asia Briefing publications. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong in China. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in Vietnam, Indonesia, Singapore, India, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.