On 28 October 2025, China’s national legislature approved amendments to the Cybersecurity Law (CSL), which take effect on 1 January 2026. This is the first major revision since this foundational law in China’s national data and cybersecurity regime came into force in 2017. The amendments introduce several key provisions, including dedicated provisions on artificial intelligence governance, and significantly strengthen penalties for data and cybersecurity violations.
This client alert summarises the key points of the amendments, with important takeaways for companies to understand the business implications and take much-needed compliance steps.
Key amendments
1. AI governance now embedded in the CSL
The amendments explicitly provide that the state will support AI innovation, promote the development of training data resources and building of computing infrastructure, strengthen AI ethics regulation, and enhance AI risk assessment and security governance.
Although China has already introduced rules on algorithms, deepfake technology, generative AI, and AI labelling, this marks the first time that AI governance has been formally written into one of China’s foundational cybersecurity laws, elevating the topic of AI governance from regulation level to legislation level.
In addition, the amendments stipulate that the state will support leveraging AI technologies to enhance cybersecurity protection. Accordingly, relevant markets and industries may witness broader application of AI technologies in cybersecurity by both regulatory authorities and companies.
2. Heavier penalties for non-compliance
The amendments significantly strengthen the legal liability of network operators for violations, emphasising strict penalties for major security incidents, particularly by imposing severe fines and sanctions on operators of critical information infrastructure (CII) whose actions give rise to exceptionally severe consequences. Some of the highest penalties are as follows:
- CII operators may face fines of up to RMB 10 million (approx. US$1.4 million).
- Non-CII ordinary businesses may be fined up to RMB 500,000 (approx. US$71,000).
- Non-CII cybersecurity businesses may be fined up to RMB 1 million (approx. US$142,000).
- Individuals responsible for cybersecurity may also face personal fines of up to RMB 1 million (approx. US$140,000).
3. Expanded administrative sanctions
Beyond monetary penalties, violations may lead to:
- Suspension or shutdown of websites and mobile apps
- Suspension or termination of services or operations
- Revocation of business licences or operating permits
- Official warnings and orders to correct
- Confiscation of illegal gains
- Lowered social credit ratings
- Inclusion on the national blacklist
4. Flexible penalty mechanisms
In line with China’s Administrative Penalty Law, regulators may reduce or waive penalties under specific circumstances if the violator:
- Proactively eliminates or reduces the harmful consequences of illegal acts;
- Is coerced or induced by another individual or entity to commit the illegal acts;
- Voluntarily confesses an illegal act that is not yet known to the authorities;
- Cooperates with authorities to investigate illegal acts; or
- Falls within other circumstances set forth by laws or regulations.
Leniency may apply to first-time or minor violations that are promptly corrected. Companies must demonstrate good-faith compliance efforts to benefit from such leniency.
5. Reaffirming personal data protection requirements
As the CSL was initially enacted in 2016 and became effective in 2017, several years before the Personal Information Protection Law (PIPL) took effect in 2021, these two laws are not closely aligned with each other in their treatment of personal data protection. The CSL amendments explicitly require network operators to comply with the PIPL, strengthening integration between these two important laws and avoiding potential conflicts in interpretation and application.
6. Cross-border data transfer (CBDT) requirements
The revised CSL reaffirms that CII operators must store data locally. Where it is necessary to transfer data overseas, the company must first undergo a regulator-led security assessment for CBDT compliance. Other, less intrusive CBDT mechanisms – such as executing and filing standard contractual clauses (SCCs) or obtaining certification from qualified third parties – are not available in such a scenario.
7. Cybersecurity in the supply chain
The CSL amendments highlight the importance of supply chain cybersecurity. Both purchasers and suppliers/vendors of key network equipment and specialised cybersecurity products now bear direct legal obligations to ensure compliance. All such equipment and products are subject to security certification and security testing requirements.
Failure to comply may result in a fine of up to RMB 100,000 (approx. US$14,200), plus up to five times the value of illegal gains related to key network equipment and specialised cybersecurity products, together with the suspension or termination of services, business, or operations. In addition, non-compliant CII operators must take measures to mitigate any national security impact.
8. Expanded extraterritorial application
The amendments expand the scope of the CSL’s extraterritorial application from specific illegal acts undermining the security of CII to all illegal acts undermining cybersecurity. As a result, the CSL now applies to a broader range of attacks and other illegal acts conducted by foreign entities or individuals located outside China, providing a legal basis for Chinese authorities to impose penalties accordingly.
Summary
The CSL, together with the Data Security Law and the Personal Information Protection Law, forms the cornerstone of China’s data and cybersecurity regulatory framework. The CSL amendments will have significant implications for businesses across all industries, introducing multiple new compliance obligations and substantially higher penalties that raise both the cost and the risk of non-compliance. With only a two-month window before the CSL amendments take effect on 1 January 2026, businesses should immediately assess the changes, review their cybersecurity frameworks, and take swift compliance action.
Client Alert 2025-274