On 28 October 2025, China’s National People’s Congress amended its Cybersecurity Law (CSL) for the first time since the law’s enactment on 1 June 2017. The Amendment will take effect on 1 January 2026. It enhances enforcement powers, tightens legal liabilities for enterprises and relevant responsible personnel, specifies the severity of violations and imposes stricter requirements on operators of critical information infrastructure.
Passage of the Amendment reflects China’s continued focus on cybersecurity risk management, regulatory accountability, and the governance of emerging technologies.
Key points
Expansion of jurisdiction and sanctions for foreign entities
Article 77 of the Amendment broadens the scope of legal deterrence and lowers the threshold for liability. Specifically, the Amendment expands the scope of the CSL’s original Article 75 regarding the legal liabilities of foreign entities and individuals. Liability now extends to any activities that endanger China’s cybersecurity, and not only those targeting critical information infrastructure through attack, intrusion, interference, or damage “resulting in serious consequences”. Under the Amendment, for those violations “resulting in serious consequences”, the public security department under the State Council and other relevant authorities can impose measures such as freezing assets or other sanctions against foreign actors.
This expansion heightens compliance obligations for foreign entities with operations, users, or data linked to China. The specific criteria for determining what constitutes “activities that endanger the cybersecurity” of China have not yet been officially clarified. Law-Now will monitor regulators and report the release of any guidance or enforcement precedents.
More refined and stringent penalty mechanisms
- Introduction of a tiered penalty framework: The Amendment introduces a tiered penalty framework, moving away from uniform penalties towards legal consequences calibrated by the severity and consequences of violations. This refinement requires enterprises to align their internal compliance policies with a more granular enforcement posture.
- Introduction of administrative fines for general violations: Under the original CSL, Article 59 (now Article 61 under the Amendment) provided only for corrective orders and warnings where entities failed to fulfil cybersecurity protection obligations, and fines were imposed only if the entities failed to rectify the issue or caused consequences such as compromising network security. The Amendment adds administrative fines ranging from RMB 10,000 to RMB 50,000 for general breaches.
- Increased maximum penalty: Compared with the previous caps, the Amendment raises the maximum penalties for different violations. Where violations lead to severe consequences, such as the loss of primary functions of critical information infrastructure or the failure of network operators to take mandated measures for prohibited information (including halting transmission, removing content, preserving records, and reporting), fines can reach up to RMB 10 million.
- Increased personal liability: The Amendment increases penalties for directly responsible persons-in-charge. Depending on the severity of the violation, fines may range from RMB 10,000 to RMB 1 million, a marked increase from the previous range of RMB 5,000 to RMB 100,000. This aligns with recent enforcement trends emphasising personal accountability, and underscores the importance of clear governance structures, documented decision-making, and robust training for personnel with cybersecurity responsibilities.
- Incorporation of application shutdown penalties: The Amendment formalises enforcement for apps by adding “shutdown of applications (apps)” alongside website shutdowns, indicating that apps and app stores are now included as key regulatory targets. Developers and operators of apps may face delisting or suspension where breaches occur.
For many companies in the internet and technology sectors, mobile apps serve as a crucial vehicle for their business models and a key gateway to their digital operations. Compared with the significant fines imposed under the Amendment, the suspension or removal of an app may have an even more detrimental impact on a company’s operations. This revision also aligns with the recent enforcement priorities of regulatory authorities. It is clear from the current trend seen in reported cases that going forward data compliance for apps will continue to be a key focus of enforcement.
Introduction of AI governance principles
For the first time, the Amendment sets out framework-level requirements for the security and development of artificial intelligence in the CSL. While detailed rules have not yet been established under the Amendment, these requirements signal a more systematic and comprehensive approach to AI governance, encompassing safety, accountability, and risk management. AI enterprises should align their governance and compliance frameworks with these emerging principles, including data security, model risk assessment, and content management controls.
Summary
The Amendment indicates a legislative trajectory towards stricter enforcement, more detailed regulatory expectations, and comprehensive oversight across the digital ecosystem. Both enterprises and senior management will face heightened compliance requirements and legal risks, including increased exposure for overseas operations and personal accountability. Businesses should consider strengthening governance and accountability frameworks and perform gap assessments vis-à-vis enhanced obligations.
The original publication can be found here (Chinese only).
For more information on the Amendment and regulatory developments in China’s cybersecurity, contact your CMS client partner or the CMS experts who wrote this article.