On October 28, 2025, the Standing Committee of China’s 14th National People’s Congress passed a decision at its 18th Session to revise the country’s Cybersecurity Law, introducing significant updates aimed at addressing emerging technological challenges and reinforcing legal frameworks for data security and AI. The amendments, which will take effect on January 1, 2026, reflect China’s evolving approach to cybersecurity in the digital era.

One of the key additions is the explicit inclusion of the Communist Party of China’s leadership in cybersecurity work. The amended law emphasizes adherence to the “overall national security outlook” and aims to balance development and security while advancing the nation’s goals of becoming a global leader in cyberspace. It also mandates state support for AI development and regulation by including provisions to boost innovation in foundational AI theory, algorithms, and key technologies while stipulating the enhancement of data resources and computing infrastructure. Furthermore, the legislation sets out requirements to establish AI ethical norms, strengthen risk monitoring, and enhance security supervision, aiming to ensure the technology’s healthy development.

In addition, the amended law significantly raises the financial stakes for non-compliance. Fines for violations are now structured to reflect the severity of the breach. Minor infractions may draw penalties starting at 10,000 yuan, while serious failures, especially those involving critical infrastructure or leading to major data leaks, can result in multimillion-yuan fines. The maximum penalty for entities has been set at 10 million yuan for the most severe cases that compromise critical infrastructure. Furthermore, the amended law strengthens oversight over network products and services. Entities selling or providing non-compliant network equipment or security products may face confiscation of illegal gains, fines of up to five times their profits, or revocation of business licenses. The amendments also address cross-border data security. Foreign organizations or individuals endangering China’s cybersecurity may face legal consequences, including asset freezes, if their actions cause severe harm.

These changes align China’s Cybersecurity Law with other key legislation, such as the Personal Information Protection Law and the Civil Code, creating a more cohesive legal framework for digital governance. By integrating AI governance, refining penalty mechanisms, and reinforcing cross-border security measures, the amendments seek to safeguard national security while promoting technological innovation. For foreign stakeholders, the amendments represent a continuation of regulatory trends emphasizing national jurisdiction and legal robustness. This development merits close attention to its interplay with data localization rules, the cybersecurity review mechanism, and its joint enforcement with other relevant laws, as these factors are likely to influence the compliance planning of foreign entities in China.

Chinese source of the article: https://www.gov.cn/yaowen/liebiao/202510/content_7046194.htm