On 28 October 2025, the Standing Committee of the 14th National People’s Congress adopted the Decision on Amending the Cybersecurity Law of the People’s Republic of China. The revised Cybersecurity Law (the “Revised Law”) will take effect on 1 January 2026. This is the first substantial update to the Cybersecurity Law (the “Original Law”) since its promulgation in 2016. Together with the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”), the Cybersecurity Law forms the core of China’s cyber and data governance regime. Because the Original Law predates both the DSL and the PIPL, it contains the broad, foundational rules on which China’s cybersecurity, data security, and personal information protection framework was built.
The Revised Law updates the Original Law to reflect the significant legislative developments of the past decade, align cybersecurity requirements with newer data laws, and strengthen enforcement mechanisms. While many provisions remain stable, the revisions focus on legal accountability, coordination with the PIPL, and clearer obligations for operators of networks, platforms, and critical information infrastructure.
Alignment with Data and Personal Information Laws
The Revised Law strengthens its connection to the Civil Code, the PIPL, and other administrative regulations. A new paragraph is added to Article 42 (originally Article 40), which clarifies that network operators processing personal information must comply with the Cybersecurity Law, the Civil Code, the PIPL, and other relevant laws.
This change is important because it confirms that the PIPL, not the Cybersecurity Law, governs most issues involving personal information processing. The two laws are not fully aligned on their face. Article 43 of the Revised Law (originally Article 41) still provides that the collection and use of personal information require user consent, whereas Article 13 of the PIPL sets out seven legal bases for processing, of which consent is only one (others include performance of a contract and compliance with statutory duties). In practice, personal information processors should determine the applicable legal basis under Article 13 of the PIPL rather than relying solely on the consent requirement in the Cybersecurity Law, and should treat the new cross-reference in Article 42 as confirmation that the PIPL prevails on this point.
By embedding cross-references to the PIPL and DSL, the Revised Law recognizes the more sophisticated regulatory architecture that has emerged since 2021 and clarifies that the Cybersecurity Law is no longer the sole or primary law governing personal information or overseas data activities.
Focus on Legal Liability
One of the most significant updates concerns legal liability. The Revised Law consolidates three key liability provisions from the Original Law: Article 64 on personal information protection, Article 66 on overseas data transfer obligations for critical information infrastructure operators, and Article 70 on handling illegal online information. These provisions are merged into a new Article 71. Instead of creating separate penalties in the Cybersecurity Law, Article 71 refers to the penalties set out in other applicable laws and regulations.
This approach reflects the shift that has already taken place in practice. The PIPL, the Provisions on Promoting and Regulating Overseas Data Flow and other relevant regulations have already replaced the Original Law’s general overseas data provisions. For illegal online information, the Cybersecurity Law contains high-level prohibitions, but enforcement continues to rely on sectoral or content-specific rules.
The consolidation clarifies the structure of liability and reduces internal inconsistency across related laws.
Other Key Changes and Clarifications
Beyond personal information and overseas data issues, the Revised Law introduces a series of updates that strengthen the overall cybersecurity governance framework. These include refined security obligations for network operations and critical information infrastructure, clearer requirements for network products, services, and software, and enhanced accountability mechanisms for platforms. The Revised Law also increases liability for failures to implement real-name registration requirements, raises penalties for the unauthorized disclosure of security vulnerabilities, and strengthens enforcement of content governance rules. In serious cases, authorities may order rectification, restrict services, or suspend applications. Organizations that run vulnerability handling or coordinated disclosure processes should confirm that those processes stay within the disclosure rules the Revised Law penalizes.
A new provision also incorporates the leniency principles under the Administrative Penalty Law, allowing reduced or waived penalties when violations are minor, promptly corrected, or committed under specific mitigating circumstances. Overall, these changes expand the range of regulated activities and reinforce operators’ responsibilities across the cybersecurity lifecycle.
Compliance Implications for Enterprises
From a compliance perspective, the Revised Law shows a clear focus on strengthening cybersecurity governance and increasing accountability. Although the upper limit of fines is lowered relative to earlier draft amendments, the maximum fine still rises significantly compared to the Original Law. The Revised Law also expands the number of scenarios where penalties apply. Many activities that previously resulted only in rectification orders may now lead directly to administrative penalties. In practice, the impact on companies extends beyond the fine itself and includes credit records, market reputation, and business operations.
The revision signals a new phase in cybersecurity compliance in China. The regulatory system for network security, data security, personal information protection, and content governance is becoming more structured and refined. Companies should strengthen system-level compliance, including governance frameworks, internal controls, employee training, technical security measures, and emergency response mechanisms, and should map their existing controls against the Revised Law before it takes effect on 1 January 2026. This will reduce compliance risk and support sustainable and responsible growth in a complex regulatory environment.