7 November 2025

Key Amendments To China's Cybersecurity Law

A&O Shearman

Contributor


On October 28, 2025, the Standing Committee of the National People's Congress approved amendments to the Cybersecurity Law of the PRC (the CSL). The amended CSL will become effective on January 1, 2026, marking the 10-year anniversary of the original CSL. The CSL, the Data Security Law and the Personal Information Protection Law form the core framework of China's data and network regulation.

The latest amendments adopt a "small-incision" approach, as explained by the Legislative Affairs Commission, and touch on artificial intelligence, liabilities and extraterritorial application.

Key takeaways

Integrating AI into the CSL

The amendments express support for foundational AI research, core technologies such as algorithms, and infrastructure including resources for training data and computing. They emphasize AI ethics, risk monitoring and assessment, and safety oversight, while encouraging robust and responsible AI deployment.

These objectives are consistent with the State Council's directive issued earlier this year to promote the broad and deep integration of AI across economic and social sectors, with the goal of achieving an AI application penetration rate on all smart terminals exceeding 70% by 2027 and 90% by 2030.

While these provisions remain principle-based, they signal that AI considerations may be embedded across network and data security regulation, in the absence of more comprehensive AI legislation.

Increased liability and penalty

The amendments substantially increase fines and sanctions. The general cap on administrative fines rises from RMB1 million to RMB10 million, depending on the nature and severity of violations.

Two areas see a material increase:

Data leakage

Where a network operator fails to discharge obligations to manage vulnerabilities, viruses, cyberattacks, or intrusions, and the failure results in serious consequences (such as large-scale data leakage or partial loss of functionality of critical information infrastructure), fines increase from a prior range of RMB10,000–500,000 to RMB500,000–10m.

Content governance

Where a network operator fails to stop transmission, remove prohibited information, preserve relevant records, or report to regulators as required, the maximum fine, if the circumstances or consequences are particularly serious, increases from RMB500,000 to RMB10m.

Another point to note is that the amendments expressly refer to mitigating circumstances under the Administrative Penalties Law to allow mitigated or waived penalties where statutory conditions are met. That means measures such as timely remediation and prompt correction, together with evidence of the absence of subjective fault (e.g., clear trails of measures taken for cybersecurity protections), can meaningfully reduce sanctions.

Expanded extraterritorial reach

The original CSL targeted only specific adverse activities (attack, infiltration, interference, and destruction) by overseas actors against domestic critical information infrastructure. It now extends to any activities by overseas actors that "endanger China's cybersecurity" more generally, likely in an effort to further build out China's countermeasures toolkit.

What this means for organizations doing business in China

The amendments elevate both the expectations and the stakes for entities operating or offering network products and services in China. The integration of AI considerations into the CSL suggests that AI governance will increasingly be treated as a core dimension of cybersecurity and data compliance. The broadened extraterritorial reach also heightens exposure for overseas entities whose activities intersect with China-based users or infrastructure. The ten-fold increase in potential fines, coupled with express recognition of mitigating factors, raises the importance of demonstrable, documented compliance programs and rapid remediation capabilities.

In practical terms, organizations should reassess their China compliance posture through the lens of AI, incident preparedness, content governance, and cross-border operations. Management of organizations doing business in China should be briefed on the enhanced penalty regime and the importance of prompt, well-documented corrective action to qualify for mitigation under the Administrative Penalties Law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
