Newsletter 13 Nov 2025 · China

China Amends Cybersecurity Law for the First Time


On 28 October 2025, the 18th session of the Standing Committee of the 14th National People’s Congress passed the revised Cybersecurity Law of the People's Republic of China (“CSL”). It will come into effect on 1 January 2026.

1.   Background

The CSL, together with the Data Security Law of the People's Republic of China and the Personal Information Protection Law of the People's Republic of China, forms the trio of fundamental laws in China’s cyber law framework. With the rapid development of digital technologies and increasing cybersecurity challenges, the CSL has been revised for the first time since its enactment in 2017. This newsletter highlights the key revisions to the CSL to help companies navigate new developments in network and data protection compliance.

2.   Key revisions

a)   Introducing a framework for AI development and regulation

Article 20 of the CSL for the first time introduces a framework of development and regulation of AI. On one hand, it explicitly states China’s support for fundamental AI research, development of key technologies and construction of related infrastructure. On the other hand, it requires the improvement of ethical guidelines for AI and the strengthening of risk monitoring and security oversight. This article also encourages companies to use AI technologies to strengthen their cybersecurity defenses, providing a clear legal basis for companies to deploy AI-powered cybersecurity solutions.

b)   Strengthening and expanding the scope of regulatory oversight

(1)   Introducing penalties for network product providers

Previously, the CSL only required that critical network equipment and cybersecurity products undergo certification and testing in accordance with applicable national standards. However, in the absence of corresponding sanction clauses, this obligation lacked enforceability. The CSL now clearly establishes administrative liabilities for network product providers and service providers in Article 63. These include confiscation of illegal gains, fines ranging from RMB 20,000 to five times the amount of illegal gains, revocation of a company’s business license, etc. The newly added sanction clause could prevent defective critical network equipment and cybersecurity products from entering the market at the earliest stage.

(2)   Introducing regulation of applications

With the rapid evolution of digital platforms, mini-programs and applications are also experiencing rapid growth. To address the previous lack of legal grounds for penalizing unlawful mobile applications, the CSL now explicitly includes “shutdown of applications” as an administrative penalty in multiple liability provisions. Unlike a fine, this penalty effectively bars the application from re-entering the market even after improvements, making it a powerful tool. The revision also enables regulatory authorities to exercise comprehensive oversight across all current digital platforms, moving beyond the previous focus on websites alone.

(3)   Expanding extraterritorial jurisdiction

The CSL's extraterritorial jurisdiction previously applied only to acts that endangered China’s critical information infrastructure. It now covers all activities that undermine China’s cybersecurity, such as cyberattacks, data theft, unauthorized remote control of systems, etc. Moreover, the competent Chinese authorities are empowered to impose countermeasures such as asset freezes on the entities or individuals involved. By extending extraterritorial application and introducing corresponding countermeasures, China has broadened its ability to act against transnational cybersecurity threats.

c)   Refining penalty standards

(1)   Introducing more penalty tiers

The penalty framework for failure to fulfill cybersecurity protection obligations has been refined from the original two-tier structure, i.e. “general violation” and “failure to rectify”, to a four-tier structure, i.e. “general violation”, “failure to rectify”, “serious consequences” (e.g., partial loss of functionality of critical information infrastructure operators (“CIIO”)) and “exceptionally serious consequences” (e.g., complete loss of functionality of CIIO). This multi-tier penalty structure better aligns penalties with the severity of violations and enhances the flexibility and proportionality of enforcement.

(2)   Increasing fines significantly

Previously, non-CIIOs that failed to fulfill their cybersecurity protection obligations faced maximum fines of only RMB 100,000 for companies and RMB 50,000 for directly responsible individuals. Now, these caps have been raised to RMB 500,000 for companies and RMB 100,000 for responsible individuals. Moreover, in case of “exceptionally serious consequences”, the maximum penalties now reach RMB 10 million for companies and RMB 1 million for responsible individuals. This substantial increase in fines significantly raises the cost of non-compliance, compelling companies to attach more importance to their cybersecurity obligations. Further, corporate executives should now consider more thoroughly the risk of personal liability when making business decisions related to network and data protection compliance.

(3)   Defining circumstances for mitigated, reduced or waived penalties

The CSL explicitly states that mitigated, reduced or waived administrative penalties can be decided by reference to the Administrative Penalty Law. The corresponding circumstances include voluntarily eliminating the harmful consequences of the violation, a first-time violation resulting in minimal harm that is promptly rectified, the absence of subjective fault, etc. The aim of this revision is to encourage companies to establish data compliance systems and proactively address violations to prevent or minimize any harm. This also means that, when responding to cybersecurity incidents, enterprises should retain relevant operational logs and other evidence to demonstrate, during any potential investigation, their proactive efforts to eliminate or mitigate the unlawful conduct.

3.   Conclusion

The CSL serves as China’s fundamental legislation for network governance and is the primary legal basis for many related regulations and standards. For business operators in China, the revision of the CSL means robust network and data protection compliance is no longer optional. Proactive risk identification, effective internal controls and timely response mechanisms are essential for companies to meet regulatory expectations and to avoid significant administrative penalties.
