PRC Cybersecurity Law: Updates & Compliance 2024

by Priyanka Patel

China Dramatically Strengthens Cybersecurity Law, Expanding Reach to AI and Overseas Entities

Beijing – China’s revised Cybersecurity Law (CSL), which officially took effect on January 1, 2026, represents a significant escalation in the country’s efforts to control cyberspace and protect its critical infrastructure. The sweeping changes, enacted after more than three years of deliberation, address shortcomings in the 2016 legislation and introduce new regulations governing artificial intelligence, data security, and cross-border activities.

The original CSL, implemented in 2017, was a landmark attempt to enshrine “cyberspace sovereignty” and establish a legal framework for a rapidly evolving digital landscape. However, as a senior official stated, the initial law “lacked sufficient teeth” and failed to adequately address emerging threats. The revised version aims to rectify these deficiencies, imposing significantly higher penalties and expanding the scope of enforcement both domestically and internationally.

Background: From Foundational Law to Comprehensive Revision

Enacted amidst growing concerns over cybersecurity threats and the increasing integration of technology into all aspects of Chinese society, the 2016 CSL laid the groundwork for the nation’s cyberspace legal system. It established protections for critical information infrastructure (CII) and placed obligations on network operators. However, technological advancements and practical experience revealed several weaknesses.

“The original framework was a necessary first step, but it quickly became apparent that the liability framework was underdeveloped, penalties were too lenient, and alignment with subsequent legislation like the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) was insufficient,” explained one analyst. Furthermore, the law did not adequately address the novel security challenges posed by emerging technologies, particularly artificial intelligence, and the CII protection mechanism remained underdeveloped.

To address these issues, Chinese authorities embarked on a comprehensive revision process. The Cyberspace Administration of China (CAC) solicited public opinions twice, in September 2022 and March 2025, followed by review and further public consultation by the National People’s Congress Standing Committee (NPCSC). The revised text was ultimately passed by the NPCSC on October 28, 2025, paving the way for the “New Version” to take effect at the start of 2026.

Six Key Revisions Shaping China’s Cybersecurity Landscape

The New Version introduces substantial changes across multiple areas, with six key revisions taking center stage.

Introduction of AI Provisions

Perhaps the most significant update is the inclusion of Article 20, which directly addresses the governance of artificial intelligence. This provision affirms state support for AI research and development, promotes ethical norms, strengthens risk monitoring and security supervision, and encourages the use of AI to enhance cybersecurity protection.

This addition is a direct response to the security and regulatory gaps created by the rapid development of AI. The Old Version did not cover issues like algorithmic bias, model misuse, or systemic risks. “Article 20 fills a critical void, providing a top-level framework for AI governance that encompasses the entire lifecycle, from research to deployment,” a company release noted.

Optimization of Penalty Mechanisms

The New Version significantly refines the penalty framework, making it more robust and deterrent. This is achieved through three core enhancements: broadening the trigger for penalties – violations no longer require “serious consequences” to incur fines; establishing a structured, tiered gradation of penalties; and systematically increasing the monetary value of fines.

Specifically, Article 61 now imposes fines ranging from RMB 50,000–500,000 (approximately $7,000 – $70,000 USD) for general violations, a fivefold increase from the Old Version’s RMB 10,000–100,000. Fines for responsible individuals have doubled to RMB 10,000–100,000. Article 65, concerning cybersecurity certification, now carries penalties of RMB 100,000–1,000,000 for enterprises – a tenfold increase. Furthermore, the New Version expands personal liability to include “other directly responsible persons” and introduces measures like application shutdowns for violators.

Strengthening CII Protection

The New Version bolsters the protection of Critical Information Infrastructure (CII) through a “penalty-for-violation + tiered sanctions” regime, extending liability to a wider range of personnel. It also introduces a rectification grace period for procurement violations, allowing operators time to address non-compliance. The law now requires the “elimination of the impact on national security” resulting from CII breaches and refines data transfer regulations, replacing the broad term “network data” with “personal information and important data” to align with the PIPL and DSL.

Improving Full-Chain Management of Supply Chain Security

The revised law explicitly penalizes entities involved in the production, sale, and service of critical network equipment and cybersecurity products that lack required certifications or fail to meet security standards. Penalties range from warnings and confiscation of illegal gains to business suspensions and license revocations.

Optimizing Coordination Between Different Laws

The New Version clarifies the relationship between the CSL and other relevant legislation, such as the PRC Civil Code and the PIPL, ensuring compliance when processing personal information. It also standardizes penalties for prohibited information release, data breaches, and unauthorized cross-border data transfers, referencing “relevant laws and administrative regulations” to avoid conflicts.

Expanding Extraterritorial Reach

The scope of extraterritorial regulation has been significantly expanded. The New Version now covers “activities that endanger the cybersecurity of China,” extending beyond activities that merely “harm CII.” While establishing legal liability for overseas entities requires proof of activity endangering China’s cybersecurity, the imposition of sanctions – such as asset freezes – now requires proof of “serious consequences.” This change addresses a previous enforcement gap.

Compliance Recommendations for a New Era of Cybersecurity

In light of these comprehensive changes, enterprises must adopt differentiated compliance strategies. General network operators must fulfill baseline obligations, including implementing the Cybersecurity Multi-level Protection Scheme, conducting regular security self-inspections, meeting data compliance requirements, and procuring certified network products and services.

CII operators face enhanced obligations, including layered protection, procurement compliance, and regular cybersecurity emergency response plan testing. Suppliers of network products and services must ensure their offerings meet mandatory certification standards. Finally, enterprises engaged in AI development should prioritize algorithmic impact assessments, data compliance, and model security throughout the R&D process.

The New Version of China’s Cybersecurity Law marks a pivotal moment in the country’s approach to cyberspace governance. Its expanded scope, stricter penalties, and focus on emerging technologies signal a commitment to safeguarding national security and shaping the future of the digital landscape.
