The 2025 revision of China's Cybersecurity Law (the Amendment) was adopted on October 28, 2025, and will take effect on January 1, 2026. This marks the first major update since the law's enactment in 2017. The Amendment addresses emerging cybersecurity risks, introduces governance for rapidly advancing AI technologies, and aligns with existing legislation such as the Data Security Law and the Personal Information Protection Law.
Key Amendments Overview
1. Introduction of AI Governance Framework – New Article 20
The Amendment introduces a dedicated provision on artificial intelligence governance. Article 20 now stipulates that the state:
- Supports fundamental research on AI theories and the development of key technologies such as algorithms;
- Promotes the construction of infrastructure, including training data resources and computing power;
- Enhances ethical standards for AI, strengthens risk monitoring and safety supervision, and fosters the healthy development and application of AI;
- Encourages innovative approaches to cybersecurity management by leveraging new technologies such as AI to improve protection capabilities.
2. Enhanced Personal Information Protection – Article 42 (formerly Article 40)
In addition to the existing requirements for maintaining the confidentiality of personal information and establishing a robust personal information protection system, the Amendment introduces a new obligation:
- Network operators must process personal information in accordance with this law, the Civil Code, the Personal Information Protection Law, and other applicable administrative regulations.
This change consolidates previously scattered requirements into a unified legal framework, ensuring formalized compliance and reducing regulatory gaps.
3. Strengthened Legal Liability – Article 61 (formerly Article 59)
Previously, enforcement followed a sequential model: authorities would first order rectification and issue a warning, with fines imposed only upon refusal or resulting harm.
The Amendment introduces a parallel enforcement model, allowing authorities to issue warnings, order rectification, and impose fines simultaneously. The amount of fines has also been significantly increased:
For Network Operators failing to fulfil the obligations under Articles 23 or 27:
- General violations: RMB 10,000 – 50,000
- Refusal to rectify or causing cybersecurity harm:
- Enterprises: RMB 50,000 – 500,000
- Responsible persons: RMB 10,000 – 100,000
Network operators' obligations under these provisions mainly include:
- Implementing the Multi-Level Protection Scheme (MLPS) for cybersecurity.
- Timely detection, response, and reporting of cybersecurity incidents.
For Critical Information Infrastructure Operators (CIIOs) failing to fulfil the obligations under Articles 35, 36, 38 or 40:
- General violations: RMB 50,000 – 100,000
- Refusal to rectify or causing cybersecurity harm:
- Enterprises: RMB 100,000 – 1,000,000
- Responsible persons: RMB 10,000 – 100,000
CIIOs' obligations under these provisions mainly include:
- Ensuring synchronized planning and deployment of security technologies during infrastructure construction.
- Establishing dedicated cybersecurity teams and conducting background checks for key personnel.
- Providing regular cybersecurity training and skill assessments.
- Implementing disaster recovery backups and incident response drills.
- Signing security and confidentiality agreements when procuring network products/services.
- Conducting annual security assessments and reporting findings to authorities.
- Undergoing national security reviews for sensitive procurements.
For violations causing severe consequences, such as large-scale data breaches or partial loss of CIIO functionality:
- Enterprises: RMB 500,000 – 2,000,000
- Responsible persons: RMB 50,000 – 200,000
For violations causing extremely severe consequences, such as major loss of CIIO functionality:
- Enterprises: RMB 2,000,000 – 10,000,000
- Responsible persons: RMB 200,000 – 1,000,000
4. New Enforcement Measures – Shutdown of Applications (Apps)
Authorities may now impose shutdown of applications for the following violations:
- Failure to verify user identity or continued service to unverified users (Article 64): Penalties include suspension of business, app or website shutdown, and license revocation.
- Unauthorized cybersecurity certification, testing, or public disclosure of cybersecurity threats (Article 65): Fines range from RMB 10,000 – 1,000,000, with potential business suspension, app or website shutdown or license revocation.
- Failure to act on prohibited content, including failure to stop transmission, remove content, preserve records, or report to authorities (Article 69): Severe cases may result in fines up to RMB 2,000,000 and shutdown of apps or websites.
This change places apps and websites on equal footing in terms of regulatory enforcement and ensures that all service platforms, regardless of format, are subject to consistent legal oversight.
5. Penalties for Selling Uncertified Cybersecurity Products – New Article 63
The new Article 63 introduces penalties for entities selling or providing critical network equipment or cybersecurity products that lack security certification or testing, or that fail to meet testing standards. Such entities may face:
- Warnings, confiscation of illegal gains;
- Fines: RMB 20,000 – 100,000 (if gains < RMB 100,000), or 1–5 times illegal gains (if > RMB 100,000);
- Severe cases: suspension of business, license revocation.
6. Leniency in Administrative Penalties – New Article 73
Violations may be subject to reduced or waived penalties if they meet the conditions set out in the PRC Administrative Penalty Law.
This introduces a legal basis for discretionary enforcement under the Cybersecurity Law, allowing authorities to reduce or waive penalties for minor or first-time violations, or where corrective actions have been taken.
7. Expanded Extraterritorial Liability – Article 77
The Amendment significantly broadens the scope of extraterritorial enforcement. Previously limited to activities by foreign entities that endangered critical information infrastructure (CII), the law now applies to any activity that endangers China's cybersecurity, regardless of whether CII is involved.
Where serious consequences are caused, the public security departments under the State Council and other relevant departments may decide to impose asset freezes or other necessary sanctions on the foreign entities.
Compliance Implications for Enterprises
The revised Cybersecurity Law of the People's Republic of China will officially take effect on January 1, 2026. Although updated implementation rules have not yet been released, we recommend that enterprises proactively take the following measures—among others—to mitigate compliance risks and avoid severe penalties. We will continue to monitor for any new implementation rules and provide timely updates.
- Reviewing and updating enterprises' cybersecurity governance policies and internal control measures, especially for CIIOs;
- Ensuring AI systems comply with ethical and safety standards;
- Verifying the certification status of all cybersecurity products before sale or deployment;
- Assessing operations involving critical infrastructure, important data, or personal information.
Given that the amendment expands enforcement powers—including the authority to freeze assets or impose other sanctions regardless of the violator's location—overseas enterprises should also pay close attention to compliance obligations under the law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.