1. Background
On October 28th, 2025, the amendment to China's Cybersecurity Law (the “CSL Amendment”) was officially promulgated during the 18th session of the Standing Committee of the 14th National People's Congress (“NPCSC”). It will take effect on January 1st, 2026.
The CSL Amendment focuses on the following three key areas: first, the alignment between the Cybersecurity Law (“CSL”) and other laws and regulations concerning cybersecurity and data compliance, such as the Personal Information Protection Law (“PIPL”) and the Data Security Law (“DSL”); second, it addresses new technologies like AI and algorithms; and, third, and most importantly, it has increased the penalties for certain well-established cybersecurity violations, and established new penalty standards for other illegal activities.
As a background note, the CSL was first implemented on June 1, 2017. A proposal to amend the CSL was first announced in September 2022, so it has taken more than three years to complete the amendment.
2. Key Summary
More Penalties if an Organization Fails to Safeguard Cybersecurity
Organizations must carry out reasonable cybersecurity protection measures from both technical and organizational perspectives. The CSL Amendment increases penalties for failure to carry out such measures. Strictly speaking, the penalties come in three levels: no harm, harm or substantial harm.
If there is no harm, i.e., the failure is detected by competent regulators but has not resulted in any harmful consequence, then the fine imposed can be up to RMB50,000. It is worth noting that under the CSL prior to this amendment, regulators were not permitted to impose fines in this situation, and the organization could get away with only a warning.
If there is harm, i.e., if the failure resulted in harmful consequences such as business disruption, or the concerned organization fails to remedy the situation after being notified by regulators, fines can rise up to RMB500,000, or up to RMB1 million if critical information infrastructure (“CII”) is adversely affected. As a side note, CII is similar to critical infrastructure as defined under cybersecurity laws in other jurisdictions, such as US federal laws.
If there is substantial harm, such as circumstances involving massive data breaches or the partial or major loss of functionalities of CII, the fines on the organization can be as high as RMB10 million, and the directly responsible persons-in-charge could have personal liabilities and face fines of up to RMB1 million.
The increased penalty in both corporate liability and personal liability is intended to compel those in charge to take enforcement more seriously by giving them more incentives to invest in cybersecurity or, rather, to deter them from ignoring cybersecurity controls.
New Penalties for Distributing Vulnerable Critical Network Products
The CSL Amendment has put in place a penalty for selling or providing vulnerable critical network products that do not pass mandatory state-certification. This penalty appears to be independent from product liability. Specifically, penalties under the CSL Amendment include: punishments such as orders to stop selling or providing such products; confiscation of illegal gains; and fines of up to five times the illegal gains.
More Penalties on Cybersecurity Firms
Cybersecurity firms that assume a watchdog role, such as those in charge of security assessment, multi-level protection scheme (“MLPS”) audit and publishing threat alerts, will bear higher legal obligations for violations, with maximum fines set at RMB1 million for the organization and RMB100,000 for the directly responsible personnel. We understand that, given their limited resources, the regulators are willing to delegate some functions to licensed market organizations. However, they want these organizations to take their roles more seriously to avoid foul play.
More Penalties for Publishing Illegal Content
Those who fail to stop publishing illegal content after having been warned not to do so face fines of, in the most severe cases, up to RMB10 million. In the context of AI, leveraging common generative AI tools that are not available on the market in China, such as Copilot or ChatGPT, may trigger illegal content issues because they don't have content moderation tools that meet Chinese regulatory requirements. For example, if the marketing team uses a generative AI tool to generate a map of China that gets the borders wrong and includes it in the marketing materials, it may be seen as disrespectful to China's sovereignty, which could trigger severe repercussions. Human review of all content before publishing is therefore a top priority.
New Leniency Provisions and Penalty Guidelines for Cybersecurity Violations
By linking with the provisions of the Administrative Punishment Law (行政处罚法), the CSL Amendment introduces clauses allowing for lenient treatment, reduced penalties, or exemptions from administrative sanctions in certain circumstances, which can help organizations build up affirmative defenses in case of enforcement. These mitigation factors include: proactively reducing or eliminating harm; proving that the harm is minimal; first-time violation; demonstrating no malicious intent, etc. With these leniency provisions, a company may have less to fear when deciding whether to report a data breach that involves very few people, for example, employees. Note that at the provincial level, in big municipalities such as Beijing and Shanghai, local regulators have already put in place detailed guidelines on how penalties should be applied for cybersecurity violations. We anticipate these local guidelines will be updated to reflect the change in CSL.
Extraterritorial Impact
The CSL Amendment stipulates that the regulators have the power to hold overseas organizations or individuals legally accountable for activities that endanger the cybersecurity of China. This provision gives Chinese regulators the power to punish overseas organizations, such as hacker groups, cyber units of foreign governments, or private firms collaborating with foreign governments to launch cyberattacks on Chinese interests. The possible punishments include placing these entities on China's unreliable entity list, which would subject these organizations to economic sanctions and their executives to travel bans.
3. What do Organizations Need to do to conform to the CSL Amendment?
The CSL is amended such that the punishments are standardized for various types of violations. This will make the job of law enforcement agencies easier when applying the penalties to those found to be in violation, and it is an indication that we can expect greater levels of enforcement. It is therefore time for organizations to ramp up their affirmative defenses by building a strong China cybersecurity compliance program, following the “know it, do it, test it” approach that we recommend.
Do it
A robust cybersecurity program should combine top-down and bottom-up approaches. From the top down, leaders should prioritize key compliance measures such as MLPS certification for local networks, proper mechanisms for cross-border data transfers, and oversight of third-party processors. These steps help establish essential technical and administrative controls. From the bottom up, those responsible should focus on data governance by maintaining a Record of Processing Activities and conducting Privacy Impact Assessments, where necessary. This ensures transparency and enables tailored controls, such as timely privacy notices.
Test it
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.