China's CSL Amendment: Six Highlights and Compliance Guidance
Originally implemented on June 1, 2017, the PRC Cybersecurity Law (“CSL”) serves as one of the three pillar laws of China’s data protection and cybersecurity regime, alongside the Data Security Law and the Personal Information Protection Law.
Recently, the Amendment to the Cybersecurity Law (the “CSL Amendment”) was promulgated, expected to enter into effect on January 1, 2026. This article summarizes the core legislative reforms and six key highlights of the CSL Amendment, providing practical guidance for enterprise compliance.
I. Core Legislative Reforms: A Substantial Escalation in Liabilities and Penalties
The most critical aspect of the CSL Amendment is the comprehensive overhaul of the legal liability chapter, fundamentally altering the previous regime where penalties were often perceived as lacking sufficient deterrence. The core of this change lies in establishing a graded fine system directly linked to the severity of the harm caused, raising the maximum fine substantially from the prior range of hundreds of thousands to millions of RMB to a new ceiling of ten million RMB.
According to legislative rationale, the penalty “ceiling” has been dramatically raised to match the value of data assets and the severity of security risks in the digital economy era. This revision reflects a dynamic “consequence-based liability” model, focusing not only on whether an entity has completed prescribed actions but also on assessing the actual harm caused by any failure to do so.
Notably, while escalating penalties, the CSL Amendment formally incorporates the leniency provisions of the Administrative Punishment Law, allowing for mitigated treatment, reduced penalties, or exemptions from administrative sanctions in certain non-compliance instances. This approach aims to encourage enterprises to proactively establish compliance systems and undertake self-correction in the event of any violations.
II. Six Key Highlights of the Substantive Amendments
The following six key highlights, particularly points 1 through 4, are intrinsically linked to the strengthened penalty system, collectively forming a tighter net of accountability.
1. The rules for Multi-Level Protection Scheme (“MLPS”) for cybersecurity
Pursuant to the CSL, network operators must fulfill security protection obligations according to the requirements of the rules for the MLPS, including developing internal security management systems and operating procedures. The CSL Amendment significantly increases penalties for failure to implement such measures. Penalties are divided into three tiers based on the extent of harm caused by the failure. For any conduct resulting in large-scale data leakage or other seriously damaging consequences that severely endanger cybersecurity, companies may face fines of up to CNY 2 million, and directly responsible persons could be fined up to CNY 200,000.
2. Protection for Critical Information Infrastructure (“CII”)
CII receives the highest level of protection under the MLPS framework. The CSL Amendment delivers the most substantial penalty hikes for violations concerning Critical Information Infrastructure Operators (“CIIO”). For violations that seriously endanger cybersecurity, such as causing the functional paralysis of major CII, the CIIO may face significant fines of up to CNY 10 million, and directly responsible persons could be fined up to CNY 1 million.
3. Information prohibited from release or transmission
Under the CSL Amendment, a network operator who fails to cease the transmission of any information prohibited from release or transmission by law or administrative regulation is subject to more severe penalties. If the operator refuses to take corrective action or the circumstances are serious, beyond fines up to CNY 2 million for the company and a fine of no more than CNY 200,000 for the directly responsible person, the competent authority may order the suspension of the relevant business, suspension of operations for rectification, the shutdown of the website or application, or the revocation of the relevant business permit or license.
4. Critical network equipment and specialized cybersecurity products
The CSL Amendment introduces explicit penalties for selling or providing critical network equipment and specialized cybersecurity products that have not passed mandatory security certification or met security testing requirements.
Depending on the circumstances, penalties include minor punishments such as orders to stop selling or providing such products, and more severe punishments like confiscation of illegal gains, fines of up to five times the illegal gains, and even orders to suspend operations for rectification.
5. Artificial Intelligence (“AI”) governance
The CSL Amendment explicitly supports foundational AI research, core technologies such as algorithms, and infrastructure such as training data and computing resources, reflecting a legal response to technological progress. By incorporating AI governance into the legal framework, it codifies the principle of balancing “promoting development” with “safety oversight”.
6. New leniency provisions and compliance incentives
By aligning with the leniency provisions of the Administrative Punishment Law, the CSL Amendment allows for lenient treatment, reduced penalties, or exemptions from administrative sanctions in certain instances of non-compliance. The purpose is to encourage enterprises to proactively establish compliance systems and self-correct.
III. Key Takeaways
In summary, the CSL Amendment introduces a more robust penalty regime through significantly raised fines and a tiered penalty structure, while offering leniency in some specific scenarios to incentivize compliance. Enterprises should reexamine all relevant obligation clauses under the new CSL, ensure leadership is briefed on the enhanced penalty regime, and establish compliance systems as soon as possible.
We will continue to monitor the evolving enforcement practices of the PRC CSL, and assist enterprises in proactively adapting their cybersecurity compliance frameworks to this new regulatory environment.