On 28 October 2025, China passed amendments to the Cybersecurity Law, marking the first update since its enactment in 2016. These amendments reflect China’s heightened focus on cybersecurity and AI governance and are scheduled to take effect on 1 January 2026.
Key Updates
The amendments primarily focus on the law’s enforcement provisions. Key updates include:
- Increased financial penalties for general cybersecurity obligations: the financial penalties for general cybersecurity obligations (such as technical security measures and cybersecurity incident handling) have been increased, partly to align with the levels of penalties under the Data Security Law and Personal Information Protection Law. This includes increasing the maximum fines for critical information infrastructure operators (“CIIOs”) from RMB 1 million (approx. USD 141,000) to RMB 10 million (approx. USD 1.41 million) and those for non-CIIOs from RMB 100,000 (approx. USD 14,100) to RMB 2 million (approx. USD 282,000), as well as holding first-time violators liable to fines;
- Increased financial penalties for content control obligations: network operators failing to take required measures regarding illegal content (such as ceasing transmission, removal, record preservation and reporting to authorities) will face fines of up to RMB 10 million (approx. USD 1.41 million), a twentyfold increase from RMB 500,000 (approx. USD 70,400) under the current law;
- Increased / new penalties for non-compliant cybersecurity services / products: the maximum fine for unlawfully conducting cybersecurity authentication, testing or risk assessment, or unlawfully releasing cybersecurity information such as system bugs, computer viruses, network attacks and intrusions increases from RMB 100,000 (approx. USD 14,100) to RMB 1 million (approx. USD 141,000). In parallel, the amendments newly introduce penalties for providing critical network equipment and dedicated cybersecurity products that fail to meet mandatory national standards or lack proper certification/testing, including fines up to the higher of RMB 100,000 (approx. USD 14,100) and 1-5 times the illegal gains, along with non-financial penalties (such as suspension of business and revocation of permits or business licenses). It is also worth noting that not only providers but also users should be mindful of the compliance of cybersecurity services and products: users risk business or after-sales disruptions if non-compliant products or services are shut down or their providers are sanctioned, and CIIOs will even face penalties (including fines of up to 10 times the purchase amount) for purchasing certain non-compliant cybersecurity products or services;
- Broadened extraterritorial effect: the amendments expand the law’s extraterritorial reach from activities by overseas parties that harm critical information infrastructure in China to any activities by overseas parties that harm China’s cybersecurity; and
- Circumstances for mitigating or waiving penalties: aside from the increased burdens on organisations outlined in the bullet points above, the amendments also provide some relief by explicitly referencing the circumstances where penalties should or may be mitigated or waived under the Administrative Penalty Law, in alignment with the discretionary benchmarks published by the Cyberspace Administration of China (“CAC”) for its penalties under the Provisions on the Application of Discretionary Benchmarks for Administrative Penalties by Cyberspace Administration Departments (“Discretionary Benchmarks Provisions”), effective this August. Under the Administrative Penalty Law and the Discretionary Benchmarks Provisions, the CAC:
  - should mitigate penalties when the violator:
    - voluntarily eliminates or reduces harmful consequences of violations;
    - acts under coercion or inducement;
    - voluntarily discloses violations unknown to regulators; or
    - cooperates with investigations;
  - may consider waiving penalties for first-time violations that cause minor harm and are corrected in a timely manner; and
  - should mitigate penalties when the violator:
In addition to the updates to enforcement provisions, a general clause on AI is introduced, stating that the government will improve ethical norms for AI while strengthening AI risk monitoring and assessment and safety oversight — potentially paving the way for further AI regulations.
Next Steps
Alongside the recent significant shortening of timelines for network security incident notifications (see our summary here), the amendments to the Cybersecurity Law signal a continued tightening of regulatory scrutiny on cybersecurity in China. Organisations — both within China and, given the expanded extraterritorial scope, overseas — should strengthen their cybersecurity programs to meet increasingly rigorous compliance obligations.


