Opinion

Key amendments to China’s cybersecurity law

On October 28, 2025, the Standing Committee of the National People’s Congress approved amendments to the Cybersecurity Law of the PRC (the CSL). The amended CSL will become effective on January 1, 2026, marking the 10-year anniversary of the original CSL. The CSL, the Data Security Law and the Personal Information Protection Law form the core framework of China’s data and network regulation.

The latest amendments adopt a “small-incision” approach, as explained by the Legislative Affairs Commission, and touch on artificial intelligence, liabilities and extraterritorial application.

Key takeaways

Integrating AI into the CSL

The amendments express support for foundational AI research, core technologies such as algorithms, and infrastructure including resources for training data and computing. They emphasize AI ethics, risk monitoring and assessment, and safety oversight, while encouraging robust and responsible AI deployment.

These objectives are consistent with the State Council’s directive issued earlier this year to promote the broad and deep integration of AI across economic and social sectors, with the goal of achieving an AI application penetration rate on all smart terminals exceeding 70% by 2027 and 90% by 2030.

While these provisions remain principle-based, they signal that AI considerations may be embedded across network and data security regulation, in the absence of more comprehensive AI legislation.

Increased liability and penalties

The amendments substantially increase fines and sanctions. The general cap on administrative fines rises from RMB1 million to RMB10 million, depending on the nature and severity of violations.

Two areas see material increases:

Data leakage

Where a network operator fails to discharge obligations to manage vulnerabilities, viruses, cyberattacks, or intrusions, and the failure results in serious consequences (such as large-scale data leakage or partial loss of functionality of critical information infrastructure), fines increase from a prior range of RMB10,000–500,000 to RMB500,000–10m.

Content governance

Where a network operator fails to stop transmission, remove prohibited information, preserve relevant records, or report to regulators as required, the maximum fine, if the circumstances or consequences are particularly serious, increases from RMB500,000 to RMB10m.

Another point to note is that the amendments expressly refer to mitigating circumstances under the Administrative Penalties Law, allowing mitigated or waived penalties where statutory conditions are met. That means measures such as timely remediation and prompt correction, together with evidence of the absence of subjective fault (e.g., clear trails of measures taken for cybersecurity protections), can meaningfully reduce sanctions.

Expanded extraterritorial reach

The original CSL targeted only specific adverse activities (attack, infiltration, interference, and destruction) by overseas actors against domestic critical information infrastructure. The amended CSL now extends to any activities by overseas actors that “endanger China’s cybersecurity” more generally, likely in an effort to further build out China’s countermeasures toolkit.

What this means for organizations doing business in China

The amendments elevate both the expectations and the stakes for entities operating or offering network products and services in China. The integration of AI considerations into the CSL suggests that AI governance will increasingly be treated as a core dimension of cybersecurity and data compliance. The broadened extraterritorial reach also heightens exposure for overseas entities whose activities intersect with China-based users or infrastructure. The ten-fold increase in potential fines, coupled with express recognition of mitigating factors, raises the importance of demonstrable, documented compliance programs and rapid remediation capabilities.

In practical terms, organizations should reassess their China compliance posture through the lens of AI, incident preparedness, content governance, and cross-border operations. Management of organizations doing business in China should be briefed on the enhanced penalty regime and the importance of prompt, well-documented corrective action to qualify for mitigation under the Administrative Penalties Law.
