On October 28, 2025, the 18th Session of the Standing Committee of the 14th National People’s Congress approved the Decision of the Standing Committee of the National People’s Congress on Amending the Cybersecurity Law of the People’s Republic of China. This amendment includes 14 provisions and aims to clarify cybersecurity’s role within the broader context of national security, incorporate new technologies like artificial intelligence into the regulatory scope, and enhance the legal liability system.
The new law takes effect on January 1, 2026, signaling a new phase of more systematic and precise cybersecurity governance in China. This article outlines the key amendments and provides practical guidance for foreign companies operating in China.
I. Overview of the Amendments and Overall Impact Assessment
This amendment is the first major revision of the Cybersecurity Law since its implementation in 2017, aiming to address new security challenges arising from the rapid development of digital technologies.
The amendments are mainly distributed across the chapters on General Provisions, Cybersecurity Support and Promotion, Cyber Operation Security, Cyber Information Security, and Legal Liability. As many as ten of them fall within the “Legal Liability” section, highlighting the legislators’ clear intention to enhance regulatory effectiveness by strengthening legal consequences.
For foreign enterprises operating in China, this amendment does not create entirely new obligations but represents a deepening, refinement, and strengthening based on the existing regulatory framework. Its core impacts lie in: enhanced operability and predictability of legal rules, clearer layering and specificity of compliance requirements, and significantly increased certainty and severity of the costs of violations. Understanding these changes helps enterprises turn compliance pressure into an opportunity to improve governance and enhance risk management capabilities.
II. Inclusion of Artificial Intelligence within the Scope of Regulation
The new Cybersecurity Law adds Article 20, which provides: “The state supports the research and development of basic theories and key technologies such as algorithms for artificial intelligence, promotes the construction of infrastructure such as training data resources and computing power, improves ethical norms for artificial intelligence, strengthens risk monitoring and assessment, and security supervision, and promotes the application and healthy development of artificial intelligence. The state supports innovation in network security management methods, uses new technologies such as artificial intelligence, and enhances the level of network security protection.”
This provision, for the first time at the legal level, explicitly defines artificial intelligence as an important component of digital infrastructure (including algorithms, training data resources, and computing power) and establishes a regulatory tone in which “encouraging innovation” and “regulated development” proceed in parallel. For enterprises that develop or apply AI technologies, this means embedding compliance design throughout the entire product lifecycle and establishing internal control mechanisms, particularly regarding algorithm transparency, data governance, ethical review, and continuous risk monitoring.
III. Significant Increase in Penalty Severity
Revised Article 61 integrates and upgrades former Articles 59 and 60 and sets out four levels of penalties based on the consequences of violations:
- For general violations, a fine of between RMB 10,000 and RMB 50,000 shall be imposed;
- For refusal to make corrections or where harmful consequences are caused, a fine between RMB 50,000 and RMB 500,000 shall be imposed, and the directly responsible persons shall be fined between RMB 10,000 and RMB 100,000;
- Where serious harm is caused, a fine between RMB 500,000 and RMB 2 million shall be imposed, individuals shall be fined between RMB 50,000 and RMB 200,000, and suspension of relevant business, suspension for rectification, or revocation of permits or business licenses may also be ordered;
- Where particularly serious harm is caused, a fine between RMB 2 million and RMB 10 million shall be imposed, individuals shall be fined between RMB 200,000 and RMB 1 million, and measures such as business suspension or revocation of certificates or licenses may likewise apply.
The revised provision comprehensively raises the upper limits of fines for acts such as network operators’ failure to perform security protection obligations and violations by critical information infrastructure operators, and introduces a tiered penalty mechanism linked to the severity of the consequences of violations. This tiered design makes the boundaries of liability highly clear.
IV. Clearer Alignment of Rules
Another notable part of this amendment is the systematic strengthening of legal liabilities. It clearly aligns the rules of different laws through logical consolidation and connection, creating a more rigorous liability system.
The added paragraph in Article 42 provides: “When network operators handle personal information, they shall comply with this Law and the provisions of the Civil Code of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other laws and administrative regulations.” This paragraph clarifies the alignment requirements between multiple laws relating to the handling of personal information and ensures the consistency of personal information rights protection. This requires enterprises to carry out integrated compliance management, and any data processing activities must meet multiple legal standards.
Under the overall tone of unifying personal information rights protection, the newly revised Cybersecurity Law merges former Articles 64, 66, and 70 into new Article 71 and provides in Paragraph 2 of this article that “where personal information rights are infringed, handling and punishment shall be carried out in accordance with the relevant laws and administrative regulations,” thereby achieving a seamless connection with the liability provisions of the Personal Information Protection Law and avoiding grey areas in the application of the law.
V. More Detailed Responsibilities for Critical Information Infrastructure Operators
Revised Article 67 amends former Article 65 to read: where a critical information infrastructure operator uses network products or services that have not undergone security review or have failed security review, the competent authorities shall order cessation of use and impose a fine of between one and ten times the procurement amount, and the directly responsible persons shall be fined between RMB 10,000 and RMB 100,000.
This amendment links the fine standards to the procurement amount, achieving alignment between liability and business scale. This means that enterprises, especially those that may be identified as critical information infrastructure operators, must treat cybersecurity review as a key component of supply chain management when procuring core network equipment or services. When selecting suppliers (especially cloud service providers), their security and compliance capabilities should be taken as important evaluation indicators, and relevant responsibilities should be clearly defined in contracts.
Conclusion
Overall, the amendments to the new Cybersecurity Law move China’s cybersecurity governance toward a more mature and refined stage by elevating strategic positioning, incorporating new technology regulation, and strengthening legal liabilities: they emphasize security while also encouraging development, and clarify responsibilities while also providing buffer mechanisms.
For foreign enterprises in China, this amendment is more a clarification of the legal framework than a tightening of the regulatory environment, representing the formation of a business environment with clearer rules and more predictable law enforcement. Enterprises need to maintain robust network and data governance capabilities, continuously monitor policy developments, and ensure the long-term, stable, and successful development of their business in China.