China’s Standing Committee of the National People’s Congress has passed amendments to the Cybersecurity Law (CSL) which will take effect on 1 January 2026. These amendments emphasise good AI governance, strengthen the legal liabilities attaching to failures to maintain network security under the 2017 law, and enhance alignment with existing legal regimes by expanding the law’s extraterritorial reach.
Specific AI provisions
One of the key highlights among the CSL amendments is the introduction of specific AI provisions into the law.
On the one hand, the amended Article 20 seeks to foster fundamental AI research, algorithm development, and AI infrastructure construction including training data resources and computing power. This approach echoes China’s AI policies and initiatives, from the Next Generation AI Development Plan in 2017 to the “AI Plus” initiative in 2025.
On the other hand, the CSL amendments seek to implement stronger guardrails that improve AI ethical standards, strengthen risk monitoring, and utilise AI to enhance cybersecurity protection. This reflects Chinese regulators’ growing awareness of AI-specific cybersecurity threats, from attacks on machine learning models to misuse of generative AI for creating malicious content or conducting social engineering attacks, as outlined in China’s AI Safety Governance Framework 2.0. Despite the absence of a comprehensive AI Law, China has implemented an extensive AI legislative framework covering algorithm regulation, deep synthesis provisions, interim GenAI measures, AI labelling rules, along with a growing list of AI standards.
This dual approach reflects China’s ambition to lead in AI development without sacrificing security. For businesses developing or deploying AI systems in China, this approach entails both opportunities for growth and heightened regulatory scrutiny of AI-related risks.
Enhanced penalty framework
The amendments significantly revise the penalty provisions under the CSL:
Tiered penalty structure: A three-tier system distinguishes between general violations, serious consequences, and particularly serious consequences (e.g., massive data leaks or critical information infrastructure (CII) losing partial functionality), with corresponding individual liability applying not only to directly responsible management personnel but also other directly responsible persons.
Expanded penalty triggers and increased fines: Fines for violations causing particularly serious consequences can now reach RMB 10 million (circa US$1.4 million) for businesses and RMB 1 million (circa US$140,000) for responsible individuals. Various violations can now be penalised immediately upon discovery, rather than only after refusal to rectify.
Sanctions for non-compliant equipment: New penalties apply to selling or providing network critical equipment and network security specialised products that lack proper security certification or testing, or that fail such requirements. This change illustrates the Chinese authorities’ enhanced awareness of supply chain vulnerabilities.
App closure powers: Enforcement authorities may now shut down mobile apps for certain violations. This echoes the authorities’ scrutiny of this ubiquitous element in today’s digital economy, with the introduction of last year’s filing regime and the regular enforcement campaigns against non-compliant apps.
Broader extraterritorial reach
In response to emerging cyberattacks and cyber threats that transcend national boundaries, the amendments expand the extraterritorial application of the CSL to cover any foreign organisation or individual engaging in activities that endanger mainland China’s network security generally. In severe cases, the Ministry of Public Security is empowered to freeze assets or impose other necessary sanctions.
Similar provisions exist in China’s Personal Information Protection Law (PIPL) and Data Security Law (DSL), empowering the Chinese authorities to seek to prosecute overseas actors that process personal and non-personal data in a manner that endangers national security, public interests, or the legitimate rights of citizens and organisations. The expanded focus of the CSL on the cyber infrastructure through which that data flows further enhances the long-arm jurisdiction of China’s cyber watchdogs, at a time when geopolitical tensions are spurring numerous fellow authorities to do the same.
Strengthened regulations on CII operators’ procurement activities
Under the CSL, CII operators using network products or services without security review approval face fines of one to ten times the procurement amount.
In the event of such a violation, apart from the existing requirements for CII operators to stop using such network products or services, the CSL amendment further introduces a requirement to “eliminate impacts on national security”.
For example, after Micron Technology reportedly failed its 2023 cybersecurity review by the Chinese authorities, CII operators cannot procure Micron products and must take remedial measures such as strengthening security monitoring or deploying replacements.
Companies operating in China that are designated as CII operators should carefully review their procurement policies and vendor onboarding due diligence processes, enhance quality control, and ensure contractual protections are implemented throughout their supply chains and distribution networks.
The silver lining: mitigating circumstances
Importantly, the CSL amendments introduce a new Article 73, providing that where violations meet conditions for lighter, reduced, or exempted penalties under China’s Administrative Penalty Law, such treatment will apply.
Under the Administrative Penalty Law, circumstances warranting lighter penalties include proactively eliminating harmful consequences, voluntarily disclosing violations not yet known to authorities, and cooperating with investigations. Minor violations that are promptly corrected without causing harm may be exempted from penalties, as may initial violations with minor consequences that are promptly corrected. The Cyberspace Administration of China frequently conducts administrative interviews before imposing formal penalties, providing opportunities for remediation.
The combination of increased penalty ceilings under the amended CSL with meaningful mitigation opportunities therefore seems to signal the Chinese authorities’ aim to balance innovation with cybersecurity, incentivising proactive compliance while preserving flexibility in regulatory supervision and enforcement.
Looking ahead
The amendments represent China’s maturing and coordinated cyber and data governance framework under the CSL, DSL and PIPL.
Organisations should begin preparing now to ensure readiness when the new regime takes effect on 1 January 2026.
As always, feel free to reach out if you have any questions.



