15 December 2025

China Finalises Amendments to the Cybersecurity Law: What Businesses Need to Know Before 1 January 2026


China has completed the first major overhaul of its Cybersecurity Law ("CSL") since the law came into force in 2017, with amendments passed on 28 October 2025 and scheduled to come into force on 1 January 2026 (the "Amendments").

The finalised Amendments maintain the policy direction set out in the Draft Amendments published in March 2025 (see our previous Legal Update on China Proposes Amendments to the Cybersecurity Law), confirming a more assertive posture on cybersecurity and data governance.

The Amendments recalibrate penalty thresholds to align more closely with the Data Security Law ("DSL") and the Personal Information Protection Law ("PIPL"). Some of the amendments include targeted refinements to penalty design, scope of liability and enforcement tools, clarification of obligations for suppliers and purchasers of key network equipment and cybersecurity products, and extra-territorial provisions allowing China to pursue overseas actors for cyber activities affecting domestic networks. The Amendments also embed support for artificial intelligence ("AI") within the CSL, and codify a more lenient approach for minor or promptly corrected breaches. These changes are intended to improve China's cybersecurity governance in view of technological developments and evolving threat landscapes, particularly in AI and cross-border activities.

This Legal Update analyses how the finalised amendments compare with the March 2025 draft, identifies which proposals were retained and what has been added or adjusted, and offers some takeaways for companies to help them prepare for the effective date of these amendments.

Key Changes

Increased Penalties and Streamlined Enforcement

The Draft Amendments proposed in March 2025 increased all fines and introduced higher-tier penalties for severe consequences, with a view to narrowing the gap between CSL on the one hand and the DSL and PIPL on the other. These changes were confirmed and expanded in the final text.

Under the Amendments, penalties have been tiered more explicitly according to the severity and consequences of the breach. Where violations lead to serious consequences, for example, large-scale data leaks or loss of partial functions of critical information infrastructures ("CII"), authorities may impose fines up to RMB 2 million (approx. US$280,000). Where violations lead to very serious consequences, such as the loss of primary functions of a CII, authorities may impose fines up to RMB 10 million (approx. US$1.4 million).

Notably, the finalised Amendments lower the procedural threshold for sanctioning non-compliance. Under the pre-amendment CSL, basic penalties required authorities first to issue a warning and a rectification order to operators violating cybersecurity protection obligations; fines could be imposed only if the violator refused to rectify or the violation threatened network security. The Amendments remove the strict requirement for an initial warning, allowing regulators to issue fines immediately for certain failures to meet cybersecurity protection obligations. This change gives authorities greater flexibility and means that even minor breaches can now carry immediate financial consequences.

Procurement and Supply Chain Controls for Cybersecurity Products

The Draft Amendments reiterate compliance obligations for suppliers and users of key network equipment and specialised cybersecurity products. The finalised Amendments carry this forward and further enhance the penalties that can be imposed.

The finalised Amendments also introduce a detailed penalty framework for selling or providing network security equipment and products that lack required security certification, fail security testing, or have security testing which does not meet prescribed requirements. Sanctions include orders to halt the sales or provision of such products or services, warnings, confiscation of illegal gains, and/or fines calculated against illegal proceeds. Where the violations are deemed to be serious, the authorities can also order the suspension of relevant operations or businesses, and/or revocation of the relevant business licences.

As far as the use of uncertified network products or services is concerned, the Amendments clarify that authorities can order rectification, require critical information infrastructure operators ("CIIOs") to terminate use of such products or services, and impose fines of up to ten times the purchase amount. Responsible officers may also be subject to financial penalties. The upshot of these changes is that CIIOs will need robust procurement governance and supplier due diligence in place, including contractual controls, certification verification and traceability in the supply chain.

The maximum penalty for unlawfully conducting cybersecurity certification, testing or risk assessment, or for the unauthorised disclosure of cybersecurity information (including information on system vulnerabilities, computer viruses, network attacks or hacking), has been increased from RMB 100,000 (approx. US$14,000) to RMB 1 million (approx. US$140,000). Authorities can also order the suspension of relevant operations or businesses, the shutdown of websites or applications and the revocation of relevant business licences, and impose fines on responsible officers.

Heavier Sanctions for Failure to Control Illegal Information

The Amendments strengthen penalties for network operators who fail to take required measures to stop dissemination of prohibited content or to comply with orders issued by the relevant authorities. These penalties were broadly anticipated by the draft but are articulated with clearer thresholds and enforcement steps in the final version.

Network operators who fail to promptly cease the transmission of illegal content, remove such content, preserve relevant records, report to the relevant authorities, or comply with specific instructions issued by relevant authorities, may face warnings, fines, suspension or shutdown of their business, websites or applications, and revocation of their licence. When non-compliance leads to a particularly serious impact or consequences, the finalised CSL authorises fines up to RMB 10 million (approx. US$1.4 million) for organisations and up to RMB 1 million (approx. US$140,000) for responsible individuals. 

Expanded Extraterritorial Enforcement and Sanctions

The CSL previously targeted only overseas activities that harm CIIs within China. The Amendments give the CSL extraterritorial reach to cover any overseas organisations and individuals engaging in activities that harm China's cybersecurity more broadly. The Amendments provide that authorities may pursue legal liability against such overseas actors and, where serious consequences result, the Public Security department and relevant departments may impose sanctions such as freezing assets or other necessary measures. This noticeable shift signals China's more assertive posture on cross-border cyber activities and underscores the importance for multinational companies of assessing cybersecurity risks that may have a nexus to China, even where operations are offshore.

Other Developments and Rollback

For the first time, the Amendments explicitly affirm national support for AI innovation and security under the CSL framework. Specifically, the Amendments articulate a commitment to advancing foundational AI research and algorithmic innovation, promoting the construction of AI training data resources and computing power infrastructure, improving AI ethical norms, and strengthening risk monitoring and safety assessments, with the ultimate aim of supporting the healthy development of AI. The Amendments further encourage the use of innovative technologies, including AI, to enhance cybersecurity management practices.

While these provisions are high level and do not themselves establish technical standards, they signal an integrated policy direction and are likely to be complemented by sectoral rules and standards. Companies deploying AI, particularly in network operations, content moderation, endpoint protection, and vulnerability detection, should anticipate follow-on standards and guidance.

The finalised Amendments retain the leniency framework consistent with the Administrative Penalty Law, allowing regulators to reduce or waive penalties in defined circumstances, such as first-time or minor violations that are promptly rectified. In practice, this creates a basis for regulators to take into account prompt rectification, cooperation, first-time minor violations, and other mitigating factors. While leniency is not guaranteed, organisations that demonstrate timely remediation and good faith compliance efforts may benefit from reduced penalties.

Additionally, in terms of penalties imposed on individuals for breaches of cybersecurity protection obligations, liability attribution is broadened to include "other directly responsible personnel," not just the "directly responsible managers." This clarifies the personal exposure of technical and operational leads and will likely influence internal accountability and training practices.

Takeaways

The Amendments introduce a lower threshold for imposing fines, and broader use of administrative measures such as business suspension and the closure of websites and apps. Governance programmes must be recalibrated to the revised penalty framework, including having clear escalation pathways for incidents that may be classified as "severe," and demonstrable remediation capabilities to increase the chances of receiving reduced penalties or even having them waived.  

Supply chain due diligence will require a step change. Procurement teams should review and reinforce controls to ensure all key network equipment and specialised cybersecurity products meet certification or inspection requirements. Contracting frameworks should be updated to include warranties, audit rights, and indemnities addressing the certification status and security review obligations.

Organisations deploying AI in products, services, or internal operations should map their activities against the CSL’s policy signals and existing AI regulatory framework, and implement technical safeguards in compliance with the existing regulations and proportionate to use cases. Cybersecurity functions are encouraged to incorporate AI-powered controls consistent with the policy direction under CSL, while ensuring that AI systems themselves meet security and other compliance standards.

Given the broadened extraterritorial reach under the CSL, companies with offshore operations that have a China nexus should assess their exposure and adopt defensive measures, including incident containment protocols and legal readiness for potential cross-border enforcement.

The authors would like to thank Roslie Liu, Legal Practice Assistant at Mayer Brown Hong Kong LLP, for her assistance with this Legal Update.
