Privacy & Information Security Law Blog

On October 28, 2025, the Cyberspace Administration of China (“CAC”) issued the Amendment to the Cybersecurity Law of China, which will take effect on January 1, 2026 (the “Amendment”). Certain of the key changes taking effect through the Amendment are as follows:

Principle-Based Provisions for AI Security and Development

The Amendment emphasizes China’s support for research and development of key technologies such as artificial intelligence (“AI”) and infrastructure construction, while refining ethical guidelines for AI, strengthening risk monitoring and assessment, and enhancing security oversight.

Increasing the Financial Penalties for Violations

The Amendment increases the potential fines for violating the Cybersecurity Law, including:

• In extremely serious scenarios, such as the loss of primary functions of critical information infrastructure (“CII”), CII operators may be subject to fines of up to RMB 10 million (approx. $1.4 million) while the personnel directly responsible for cybersecurity may be subject to fines of up to RMB 1 million (approx. $140,000).
• Non-CII ordinary businesses may be subject to fines of up to RMB 500,000 (approx. $71,000), and the personnel directly responsible for cybersecurity may be subject to fines of up to RMB 100,000 (approx. $14,000).

Expanding Potential Administrative Sanctions

The potential administrative sanctions have been extended and updated. In addition to financial penalties, sanctions include, for example, suspension or closure of a website or application, suspension or termination of services or operations, revocation of business licenses or permits, and inclusion on the national blacklist.

Introducing Provisions for Leniency or Reduction of Administrative Penalties

The Amendment introduces the principle of “no punishment, leniency or mitigation” from the Administrative Penalty Law into the Cybersecurity Law. The principle allows for leniency or reduction of administrative penalties where the organization: (1) proactively eliminates or mitigates the harmful consequences of illegal acts; (2) commits illegal acts under coercion or deception by others; (3) voluntarily discloses illegal acts to administrative authorities that such authorities are not yet aware of; and (4) assists administrative agencies in investigating and handling illegal activities with commendable performance. Administrative penalties may also be waived in instances of first-time or minor violations with few or no consequences.

Expanding Extraterritorial Application and Sanctions Measures

The Amendment expands the territorial scope of the Cybersecurity Law, empowering the competent authority to take action against overseas organizations, institutions and individuals for any activities endangering cybersecurity in China, as opposed to only specific illegal acts. If such activities are found to result in serious consequences in China, the competent authority may freeze the properties and conduct other sanctions against such parties.