Open navigation
Search
Search
All Expertise
Explore our breadth of expertise.
International Desks
Helping you access overseas markets with support from our country and region-specific experts.
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS China
All Insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in Focus View all
Insights by type
CMS News
Stay up to date with our growth, evolution and our many successes.
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
English 简体中文
Legal Update

China releases draft law on preventing cybercrime for public comment

12 Feb 2026 China 4 min read

On 31 January 2026, the Ministry of Public Security of the People’s Republic of China (PRC) released the draft Law on the Prevention and Governance of Cybercrime for public comment. This Cybercrime Law has been listed on the legislative agenda since 2021. Following China’s accession to the UN Convention against Cybercrime (UNCC) in October 2025, the draft Cybercrime Law represents a further step to strengthen its domestic regulatory framework and international cooperation to combat cybercrime. The deadline for submitting public comments is 2 March 2026.

The draft Cybercrime Law is made up of seven chapters and 68 articles and sets out the cybercrime governance framework, obligations for cybercrime prevention, and measures addressing cross‑border cybercrime. While many provisions echo those under the PRC Cybersecurity Law, PRC Data Security Law and other applicable laws and regulations, the draft Cybercrime Law further expands and clarifies the relevant obligations and liabilities of enterprises.

Among the provisions, the following merit the attention of international enterprises and foreign investors:

  • Network operators general prevention obligations: network operators are required to implement necessary measures to ensure the services they provide are not used for illegal or criminal activities or to carry out such activities, including establishing dedicated bodies or designating responsible personnel to oversee cybercrime prevention efforts, preserving records of cybercrime or cyber-attacks, and making prompt reports to public security authorities.
  • Specific prevention obligations for network operators and data processors: the draft Cybercrime Law sets corresponding obligations on network operators and data processors to prevent cybercrime, including establishing and improving network and data security management systems, implementing technical measures and other necessary measures, and specific requirements on data labelling and traceability mechanisms for those processing important data, and for internet information service providers and mobile intelligent terminal manufacturers to promptly address unlabelled AI-generated content.
  • Prevention of cross-border cybercrime : the draft Cybercrime Law provides a legal basis for implementing measures against overseas entities and individuals who commit, or provide assistance with, cybercrime within the territory of the PRC, including technical blocking measures against the provision of internet products or services into China, freezing assets, restricting the entry of relevant personnel, restricting direct or indirect investment within the territory, and restricting their entry.
  • Multi-tiered liabilities: the draft Cybercrime Law provides a multi-tiered liability regime encompassing civil, administrative and criminal liability applicable to liable entities and responsible personnel, including fines, suspension of relevant business operations, revocation of business licences, detention of individuals, and relevant civil compensation and criminal liability, depending on the actual situation.

Summary

The draft Cybercrime Law signals enhanced regulation and compliance obligations for enterprises, with clearer liability exposure. If enacted in its current form, the Cybercrime Law will significantly strengthen regulatory expectations on network operators, data processors and cross-border and overseas service providers, particularly in areas such as real-name management, technical prevention measures, AI-generated content governance, important data traceability, and cross-border management. Enterprises operating in or providing services into China should proactively assess their compliance frameworks, internal controls, contractual arrangements and incident response mechanisms to align with the proposed requirements.

The original publication can be found here (Chinese only).

For more information on China’s Cybercrime Law and cybersecurity regulations, contact your CMS client partner or the CMS experts who wrote this article.

More insights

Explore more

Newsletter China

China Tightens Obligations of CMOs in Drug Contract Manufacturing

11 Mar 2026 1 min read
Event China

IP Insights webinar series 2026

28 Apr 2026
Expert Guide International

AI laws and regulation in China

7 min read
Back to top Back to top
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. LawNow have moved to CMS.law. LEXplicite have moved to CMS.law. Blogtt have moved to CMS.law.
Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.