July 25, 2025

China Proposes Amendments to the Cybersecurity Law

Introduction

Almost eight years after the Cybersecurity Law (“CSL”) came into force in the PRC in 2017, the Cyberspace Administration of China (“CAC”) issued draft amendments to the CSL (“2025 Draft Amendments”) on 28 March 2025 for public comment.

The 2025 Draft Amendments introduce higher penalties for breaches of key cybersecurity obligations, aiming to align them with the liabilities and penalties under the Data Security Law ("DSL") and the Personal Information Protection Law (“PIPL”).

Background

Effective on 1 June 2017, the CSL was the first national legislation in China governing cybersecurity and data protection in the country. In 2021, the DSL and the PIPL were introduced, establishing more stringent standards for network security and protection of personal information. All three data laws in China are enforced by a common regulator, the Cyberspace Administration of China (CAC). One notable difference among these laws has been the level of penalties imposed under each. The maximum fines under the CSL stand at RMB 1 million (approx. US$ 137,000), as compared to fines of up to RMB 10 million (approx. US$ 1.37 million) for violations that lead to serious consequences under the DSL, and up to RMB 50 million (approx. US$ 6.86 million) or 5% of the annual revenue under the PIPL.

In 2022, the CAC proposed various amendments to the CSL ("2022 Draft Amendments") which aimed to increase the maximum fines for certain breaches under the CSL from RMB 1 million (approx. US$ 137,000) to RMB 50 million (approx. US$ 6.86 million) or 5% of a company's annual turnover, bringing them in line with those under the PIPL. However, the 2022 Draft Amendments were never finalised or adopted.

In this Legal Update, we look at the key proposed changes under the 2025 Draft Amendments, and how they may affect companies that conduct business in China if these proposed changes are finalised in their present form.

Key Changes

Increased Penalties

One of the significant changes under the 2025 Draft Amendments is the higher fines for certain breaches of general obligations set out in the CSL.

Under the current CSL, the penalties for first-time or minor violations by network operators are warnings and rectification orders, while the 2025 Draft Amendments provide that minor violations of some of the obligations may also lead to fines between RMB 10,000 (approx. US$ 1,370) and RMB 50,000 (approx. US$ 6,860) in addition to warnings and rectification orders. If a network operator fails to rectify the violation(s), or its violation(s) cause harm to network security, it may be subject to fines of RMB 50,000 (approx. US$ 6,860) to RMB 500,000 (approx. US$ 68,600). By contrast, Critical Information Infrastructure Operators (“CIIOs”) may face fines of RMB 100,000 (approx. US$ 13,700) to RMB 1 million (approx. US$ 137,000).

Notably, the 2025 Draft Amendments add that network operators responsible for significant data breaches or the failure of major or partial functions of Critical Information Infrastructures ("CIIs") will be subject to more severe penalties. These penalties include the suspension or cessation of business operations, the shutdown of websites or applications, the revocation of operating permits and business licences, and fines up to RMB 10 million (approx. US$ 1.37 million) for organisations and RMB 1 million (approx. US$ 137,000) for directly responsible individuals. Consequently, if the 2025 Draft Amendments are adopted, the maximum fines under the CSL will increase to RMB 10 million (approx. US$ 1.37 million) to better align with the penalties under the DSL.

Strengthened regulation of cybersecurity procurement activities

The CSL stipulates that critical network equipment and specialized cybersecurity products are subject to security certification by an appointed institution or shall satisfy the requirements of security inspection before they can be sold or provided.

The 2025 Draft Amendments introduce a new provision, which articulates the penalties for any person who sells critical network equipment or specialised cybersecurity products without the appropriate security certification or security inspection. These penalties may include orders for rectification, warning, confiscation of the products and any illegal gain, and fines of one to three times the amount of the illegal gain, or (if there is no illegal gain) fines up to RMB 100,000 (approx. US$ 13,700).

The 2025 Draft Amendments provide stricter rules for CIIOs using uncertified cybersecurity products. They may be ordered to rectify and alleviate the impact of such actions on national security, instead of merely having to “stop using the products” as required under the current CSL. However, the proposed fines (up to ten times the purchase price) remain unchanged.

Companies doing business in China, which are designated as CIIOs, should pay more attention to their procurement policies and practices, and ensure that they only use or provide certified products and services that meet the security certification or inspection requirements. This may require enhanced due diligence, quality control, and contractual safeguards in their supply chain and distribution channels.

Illegal content

Under the CSL, network operators are required to take measures to avoid the further dissemination of information which is prohibited by laws or administrative regulations. Network operators who do the following may face a range of penalties:

  1. fail to follow the requirements of relevant departments to adopt measures such as stopping dissemination or deleting illegal information;
  2. refuse or obstruct the lawful supervision and inspection by the competent departments;
  3. refuse to provide technical support and assistance to public security authorities and state security authorities.

This new obligation now puts the burden of content control on network operators. The 2025 Draft Amendments have introduced increased penalties for network operators who do not adhere to these requirements, especially when such non-compliance results in serious consequences. These penalties include public reprimands, suspension or cessation of business activities, shutdowns of websites and applications, and the revocation of operating permits and business licences. Additionally, companies may face significant fines of up to RMB 10 million (approx. US$ 1.37 million) for breaches that lead to serious impact and consequences, and directly responsible persons could be fined up to RMB 1 million (approx. US$ 137,000).

Given the potential reputational damage and the business and financial risks of violating this requirement, companies should strengthen their content management policies and the measures for enforcing them.

Minor violations

The 2025 Draft Amendments specify that network operators that proactively rectify or mitigate the adverse consequences of their violations, or network operators which are first-time offenders with minor violations, may receive a lighter penalty, or in some cases, may not be penalised if they put in prompt rectification measures. This proposal encourages companies to adopt a more cooperative and transparent approach to compliance and provides incentives for them to report and rectify violations promptly.

Takeaway

The 2025 Draft Amendments, if finalised in their present form, will introduce increased enforcement risks for CIIOs, network operators, and suppliers of cybersecurity products. Businesses may face increased fines with a more severe impact on their business reputation if they fail to comply with the obligations under the CSL, especially regarding content management and the use or provision of uncertified network security products.

The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown Hong Kong LLP, for her assistance with this article.
