China Tightens Cybersecurity Law: Reminder for Organizations to become Compliant

By Tristan van Veen and Norah Chen
On 28 October 2025, the Standing Committee of the National People's Congress adopted a set of amendments to the Cybersecurity Law (CSL), which will take effect on 1 January 2026. These amendments recalibrate data and cybersecurity compliance obligations and significantly increase penalties, creating a more structured, stringent, and closely supervised regulatory environment for companies operating within China's digital landscape.
Enhanced Penalty Regime for Non-Compliance
This marks the first significant revision since the CSL entered into force in 2017. Together with the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), the CSL forms the cornerstone of China's national data and cybersecurity framework. A key focus of the amendments is recalibrating and tiering the penalty provisions (distinguishing critical information infrastructure (CII) operators from those that are not) and strengthening compliance obligations. Most notably, the general cap on financial penalties has been increased from CNY 1 million to CNY 10 million, with the specific amount depending on the nature and severity of the violation. Important penalty increases include:
- Up to CNY 10 million for CII operators (approx. USD 1.4 million);
- Up to CNY 500,000 for non-CII ordinary businesses (approx. USD 71,000);
- Up to CNY 1 million for non-CII cybersecurity businesses (approx. USD 142,000);
- Up to CNY 1 million in personal liability for individuals responsible for cybersecurity.
In addition to monetary sanctions, non-compliance can trigger far-reaching operational or administrative consequences. These consequences may include:
- Official warnings;
- Suspension or shutdown of websites or apps;
- Suspension of services;
- Revocation of licenses or permits;
- Confiscation of illegal gains;
- Reduction in social credit ratings; or
- Placement on regulatory blacklists.
Taken together, the revised penalty regime significantly raises financial and operational exposure for companies that fall short of the CSL's expanded requirements, while also providing clearer distinctions between minor, serious, and particularly serious violations.
Alignment with the PIPL and DSL
Another key focus of the amendments is aligning the CSL with the PIPL and DSL. The amendments strengthen coordination between these laws by harmonizing provisions and introducing referential provisions, which avoid overlaps, conflicts, and inconsistencies in penalties. While this reduces uncertainties in interpretation and application that previously challenged companies, it also introduces new compliance obligations. Overall, it makes the CSL a more integrated part of China's data and cybersecurity framework, strengthening the coherence of the legal system.
Mitigation and Waiver of Penalties
While the overall enforcement regime is becoming stricter, the amendments also clarify when penalties may be reduced or waived. Mitigation applies in situations where a violator:
- Voluntarily prevents or reduces harmful consequences;
- Commits the violation under coercion or inducement;
- Proactively reports misconduct that regulators were unaware of; or
- Cooperates meaningfully with regulatory investigations.
These provisions introduce a more transparent incentive framework for proactive compliance, offering organizations meaningful opportunities to reduce liability when prompt and responsible action is taken.
Expanded Extraterritorial Reach
The amended CSL significantly widens its reach beyond China's borders. While the original law only covered overseas activities involving attacks or intrusions into domestic critical information infrastructure, the revised version applies to any overseas conduct endangering China's cybersecurity. This expansion will enhance China's capacity to implement countermeasures against foreign entities, including measures such as freezing assets in cases of serious violations.
Conclusion
The revised CSL reflects China's continued shift toward a more integrated, structured, and enforceable cybersecurity framework. The new obligations will increase compliance complexity and potential exposure for businesses across all sectors, including those overseas. With the amendments taking effect on 1 January 2026, organizations — both domestic and international — should swiftly understand the changes, reassess their cybersecurity frameworks, and enhance their internal controls and incident response to remain compliant under the tightened regulatory regime.
R&P's Cybersecurity & Data Privacy team advises and supports clients to ensure compliance with China's complex cybersecurity and data privacy regulatory framework. The starting point is often to support with identifying where key risks lie and then setting up a baseline cybersecurity and data privacy compliance plan tailored to a client's operations and business needs. If you would like a clearer understanding of whether your business could be impacted, or if you need support planning for future compliance in this field, please reach out to the authors Tristan van Veen and Norah Chen at [email protected] and [email protected], or your trusted contact at R&P China Lawyers.
