Key Revisions and Compliance Recommendations of the PRC Cybersecurity Law

Contacts

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Yiting Wang

Associate
China

I am an associate in our Beijing office, specialising in data privacy, cybersecurity, telecommunications, and artificial intelligence.

China’s Cybersecurity Law (“CSL”) has been comprehensively revised and officially took effect on 1 January 2026. This article focuses on three aspects: (i) the background and process of this revision; (ii) six key revisions; and (iii) the compliance recommendations tailored to different types of enterprises.

I. Background

The CSL promulgated in 2016 (“Old Version”) has been in effect since 2017 for nearly nine years. Enacted in the context of increasingly severe cyberspace security threats and the deepening integration of information technology into all spheres of society, it was the first to enshrine the principle of cyberspace sovereignty in a fundamental law. It also established the regime for protecting critical information infrastructure (“CII”), strengthened the cybersecurity obligations of network operators, and provided a foundational basis for subsequent implementing regulations, thereby laying the cornerstone of China's cyberspace legal system.

However, with technological evolution and changing practical demands, the Old Version has revealed several shortcomings: its liability framework was not sufficiently sound, penalties were not severe enough, and it lacked effective alignment with subsequent legislation such as the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”). Moreover, it failed to sufficiently address emerging security challenges posed by new technologies such as artificial intelligence (“AI”), and the CII protection mechanism remained underdeveloped.

To systematically address these deficiencies, the relevant authorities spent more than three years, through multiple rounds of procedures, comprehensively revising the Old Version. The Cyberspace Administration of China solicited public opinions twice, in September 2022 and March 2025, and the National People’s Congress Standing Committee (“NPCSC”) reviewed the draft amendments and solicited public opinions from September 2025. Ultimately, the revised text was passed by the NPCSC on 28 October 2025, and the current CSL (“New Version”) officially took effect on 1 January 2026.

The New Version makes important supplements and optimizations to the Old Version in multiple aspects, as detailed below.


II. Six Key Revisions

The core revisions focus on six key aspects.

(i) Introduction of AI Provisions

The New Version introduces Article 20, incorporating AI governance into the foundational cyber legal framework. This provision:

  • affirms the state’s support for the research and the development (“R&D”) of fundamental AI theory and critical technologies such as algorithms;
  • advances the implementation of AI ethics norms;
  • strengthens risk monitoring and assessment, and security supervision; and
  • supports the application of AI and other new technologies to enhance the level of cybersecurity protection.

This addition responds to the novel security challenges and regulatory gaps arising from the rapid development of AI. While the Old Version established a basic framework for cyber and data security, it did not cover AI-related issues such as algorithmic black boxes, model misuse, and systemic risks. Subsequent laws like the DSL and the PIPL focused on data governance, making it difficult to fully address AI governance needs. Therefore, this revision serves a dual purpose of filling systemic gaps and strengthening top-level institutional design.

Article 20 not only guides resources toward core areas of AI from a legal perspective, promoting a holistic governance model encompassing R&D, ethical norms, security testing, etc., but also supports the use of AI for risk forecasting and rapid response. In doing so, it affirms AI’s strategic value in cybersecurity, and boosts its broader development.

(ii) Optimization of Penalty Mechanisms

This revision refines the penalty framework by emphasizing three core enhancements:

  • Broadened Trigger for Penalties: Penalties may now be imposed upon the violation itself, without requiring “serious consequences” as a prerequisite.
  • Structured Penalty Gradation: A clear, tiered hierarchy is established: general violations → refusal to rectify or causing moderate harm → serious consequences → particularly serious consequences.
  • Systematic Increase in Fines: Monetary penalties have been significantly raised.

Key adjustments to fines include:

  • Article 61 (General Obligations): Compared to Article 59 of the Old Version, if an operator refuses to take corrective action or causes cybersecurity-related harm, enterprise fines rise from RMB 10,000–100,000 to RMB 50,000–500,000 (a fivefold increase). Fines for responsible individuals increase from RMB 5,000–50,000 to RMB 10,000–100,000 (doubled).
  • Article 65 (Cybersecurity Certification, Testing, Risk Assessment, and Public Disclosure of Cybersecurity Information on system vulnerabilities, malware, cyberattacks, etc.): Compared to Article 62 of the Old Version, enterprise fines escalate from RMB 10,000–100,000 to RMB 100,000–1,000,000 (tenfold), while individual penalties rise from RMB 5,000–50,000 to RMB 10,000–100,000 (doubled).
  • Article 69 (Obligation to Handle Illegal Information): Consolidating Articles 68 and 69 of the Old Version, this article raises enterprise fines from RMB 100,000–500,000 to RMB 500,000–2,000,000, and individual fines from RMB 10,000–100,000 to RMB 50,000–200,000.

In addition, the New Version broadens personal liability by explicitly including “other directly responsible persons”, thereby incentivizing individuals to proactively identify risks and fulfil compliance obligations. Beyond strengthening personal liability, the New Version also adds measures such as “closing down the applications” to directly cut off the operational channels and user access capabilities of the violators. At the same time, network operators are now required to promptly dispose of violations upon discovery and report to the competent authorities. These measures further enhance the enforceability and deterrent effect of the law.

(iii) Strengthening CII Protection

The New Version further strengthens CII governance, mainly reflected in the following four aspects:

First, it introduces a “penalty-for-violation + tiered sanctions” regime for CII violations, and explicitly extends liability from directly responsible supervisors to other directly responsible persons.

Second, it sets a rectification grace period for procurement violations, emphasizing a three-step corrective pathway:

  • rectify the violation within a prescribed timeframe;
  • discontinue use of the non-compliant product or service; and
  • eliminate any adverse impact on national security.

This approach grants network operators sufficient time to reallocate resources, transition to compliant alternatives, and avoid secondary security issues that could arise from abrupt service termination.

Third, it adds the obligation to “eliminate the impact on national security”, forming a complete closed loop for risk disposal.

Fourth, when stipulating penalties for CII operators’ cross-border data transfer, it replaces the broad term “network data” from the Old Version with the more precise categories of “personal information and important data,” and ensures consistency with applicable laws such as the PIPL and the DSL.

(iv) Improving Full-Chain Management of Supply Chain Security

The New Version adds explicit penalties for critical network equipment and specialized cybersecurity products that either have not undergone the required security certification or testing, or have failed to obtain security certification or to meet testing requirements. It brings all entities across the production, sales, and service chain within the scope of regulatory oversight.

The penalty system is clearly tiered, including basic punishments such as warnings and confiscation of illegal gains, as well as graduated fines scaled to the amount of illegal proceeds. In cases of serious violations, it further adds severe measures such as suspending the relevant business, ceasing business operations for an overhaul, or revoking the relevant business permit or business licence.

(v) Optimizing Coordination Between Different Laws

The New Version clarifies that network operators must comply with the PRC Civil Code and the PIPL when processing personal information, and uniformly refers penalties for three types of behaviour (releasing or transmitting prohibited information, infringing upon personal information rights and interests, and unauthorized cross-border transfer of CII data) to “relevant laws and administrative regulations”, avoiding conflicts between provisions and achieving coherence across legal frameworks. Additionally, the New Version incorporates provisions from the PRC Administrative Penalty Law that allow for lighter, mitigated, or exempted penalties under specified circumstances, enhancing the consistency and predictability of enforcement discretion.

(vi) Expanding Extraterritorial Reach

The New Version expands the scope of extraterritorial regulation from “activities that harm CII” to “activities that endanger the cybersecurity of China”, enabling the law to cover a range of cross-border network violations and offences committed by overseas entities.

The revised provisions distinguish between the conditions for establishing legal liability and those for imposing sanctions. Specifically, overseas entities can be held legally accountable simply by engaging in activities that endanger the cybersecurity of China. The imposition of concrete sanction measures, such as asset freezes or other necessary actions, now requires an additional threshold: that the conduct has “caused serious consequences”. This change addresses a prior enforcement gap, where accountability could not be pursued in a timely manner because the “serious consequences” standard had not been met.


III. Compliance Recommendations

In the face of the comprehensive upgrade of the New Version, different types of enterprises should adopt differentiated compliance strategies.

  • General network operators shall fulfil baseline obligations, including implementing the Cybersecurity Multi-level Protection Scheme, conducting periodic security self-inspections, complying with data compliance requirements, procuring network products and services that have undergone national certification or testing, and establishing mechanisms for timely rectification of identified risks.
  • CII Operators shall comply with enhanced security obligations, including implementing layered protection, ensuring procurement compliance, and formulating and regularly testing cybersecurity emergency response plans.
  • Suppliers of network products and services shall ensure their offerings have passed mandatory national certification or security testing where required, and fulfil contractual and statutory commitments regarding product security.
  • Enterprises engaged in AI development should embed algorithmic impact and ethical assessments in the early stages of R&D, ensure compliance of data sources, and strengthen model security protections.

* With thanks to Lin WU (Intern, Beijing) for help in drafting this article.
