The Standing Committee of the National People’s Congress revised China’s Cybersecurity Law on 28 October, marking the legislation’s first update since taking effect in 2017. The amended law, which takes effect on 1 January 2026, steps up accountability for overseas misconduct, providing greater protection over critical information infrastructure.
The revision gives authorities more law enforcement power. Under the amended law, authorities can now impose fines without issuing a warning if the violator fails to fulfill their cybersecurity obligations. Authorities can also disable apps as a new form of penalty.
The revised law also raises fines imposed on the illegal sale of key network equipment or security products and allows business licences to be revoked in contravention of serious violations.
Companies could face up to RMB10 million (USD1.4 million) in fines if they have damaged critical information infrastructure that leads to the loss of certain functions, while individuals will be fined up to RMB1 million.
The Cybersecurity Law also broadens the scope of extraterritorial jurisdiction. Previously, it was limited to acts that endangered “critical information infrastructure”, but it now would extend to all overseas activities that harm China’s cybersecurity.
The latest amendment addresses inconsistencies in existing laws on personal data protection by requiring network operators to comply with the Cybersecurity Law, the Civil Code and the Personal Information Protection Law when handling personal information.
