After Ten Years, China Amended its Cybersecurity Law
On October 28, the 18th meeting of the Standing Committee of the 14th National People’s Congress voted to adopt the Decision on Amending the Cybersecurity Law, which will take effect on January 1, 2026.
According to information released by the National People’s Congress (NPC), some members of the Standing Committee, as well as local governments and members of the public, proposed that given the rapid development and application of artificial intelligence technologies, the revised Cybersecurity Law should respond proactively — by supporting AI innovation, strengthening infrastructure and risk prevention, and promoting the healthy development of AI. After taking these views into account, the amended law adds a new article stating that:
“The State shall support basic theoretical research and the development of key technologies in artificial intelligence such as algorithms; advance the construction of infrastructure including AI training data resources and computing power; improve ethical norms for artificial intelligence; strengthen safety risk monitoring and assessment; innovate and enhance AI safety supervision; and promote the healthy development of artificial intelligence.”
Some members also suggested improving alignment between the Cybersecurity Law and other relevant legislation such as the Civil Code and the Personal Information Protection Law in the area of personal data protection. After incorporating this suggestion, Article 40 of the 2016 law has been renumbered to Article 42 in the amended version, with an additional clause added as Paragraph 2:
“Network operators handling personal information shall comply with this Law, the Civil Code of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other relevant laws and administrative regulations.”
2016 Cybersecurity Law
Chapter IV: Network Information Security
Article 40: Network operators shall strictly protect the confidentiality of user information they collect and shall establish and improve systems for protecting user information.
2025 Revised Cybersecurity Law
Article 42: Network operators shall strictly protect the confidentiality of user information they collect and shall establish and improve systems for protecting user information. When handling personal information, network operators shall comply with this Law, the Civil Code of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other relevant laws and administrative regulations.
Some Standing Committee members, government departments, and members of the public also recommended strengthening the penalties for violations and ensuring consistency between relevant provisions. Based on these proposals, the revised law raises the upper limit of fines for certain illegal acts, explicitly distinguishes between “ordinary” and “serious” violations, and refines the criteria for administrative discretion in enforcement.
In addition, some members suggested that the law should more clearly reflect “General Secretary Xi Jinping’s vision for building China into a cyber power”. In response, the amendment adds a new article stating that:
“Cybersecurity work shall adhere to the leadership of the Communist Party of China, implement the holistic national security concept, coordinate development and security, and promote the building of a cyber power.”
As a foundational law in China’s cybersecurity regime, the Cybersecurity Law has now been in place for ten years. The draft was first reviewed by the 12th NPC Standing Committee in June 2015 and released for public consultation in July of that year. The second reading took place in June 2016, followed by a third reading in October, and the law was passed with a large majority on November 7, 2016, taking effect on June 1, 2017. Comprising seven chapters and seventy-nine articles, it was China’s first comprehensive legislation on cyberspace governance, establishing key systems for critical information infrastructure protection, network operator obligations, personal data protection, and content management.
In the years since its enactment, China has adopted related laws such as the Data Security Law and the Personal Information Protection Law, gradually improving its cybersecurity regulatory framework. Following these developments, the Cybersecurity Law itself entered the amendment process to maintain consistency within the legal system. In September 2022, the Cyberspace Administration of China (CAC), together with relevant departments, drafted and released a proposed amendment for public comment. In March 2025, the NPC formally included the amendment in its annual legislative plan and published a new draft revision.
The implementation of the Cybersecurity Law has also triggered controversy in the context of U.S.-China relations, particularly over its data localization requirements. Article 37 of the law stipulates that operators of critical information infrastructure must store, within China, personal information and important data collected or generated within China. This data localization rule has raised concerns in the United States, which argues that mandating local data storage and reviewing cross-border transfers hampers global data flows and disrupts normal business operations. For example, Apple, in compliance with the law, invested in building a data center in Guizhou to host Chinese users’ iCloud data domestically. U.S. companies have criticized such requirements as burdensome and as a potential digital trade barrier.
Furthermore, the Cybersecurity Law and its implementing measures impose strict conditions on data exports, requiring network operators to conduct security assessments to ensure that outbound data transfers are “lawful, legitimate, and necessary” and meet national security requirements. These complex and often vague review mechanisms have been criticized by foreign businesses as overly broad and onerous. Organizations such as the U.S. Chamber of Commerce have argued that these restrictions do little to improve actual security and instead create barriers for industries that depend on cross-border data flows. Routine and legitimate data transfers essential for global business operations may be delayed or blocked under ambiguous security standards, posing challenges to the worldwide coordination of multinational companies.
Decision of the Standing Committee of the National People’s Congress on Amending the Cybersecurity Law of the People’s Republic of China
(Adopted at the 18th Session of the Standing Committee of the 14th National People’s Congress on October 28, 2025)
The 18th Session of the Standing Committee of the 14th National People’s Congress has decided to amend the Cybersecurity Law of the People’s Republic of China as follows:
1. Add one article as Article 3:
“Cybersecurity work shall adhere to the leadership of the Communist Party of China, implement the holistic view of national security, coordinate development and security, and advance the building of a cyber power.”
2. Change Article 18 to Article 19 and delete its second paragraph.
3. Add one article as Article 20:
“The state shall support fundamental research in artificial intelligence, as well as research and development of key technologies such as algorithms. It shall promote the construction of foundational infrastructures such as training data resources and computing power, improve ethical norms for artificial intelligence, strengthen risk monitoring, assessment, and safety supervision, and promote the sound development and application of artificial intelligence.
“The state shall support innovative methods of cybersecurity management, and use new technologies such as artificial intelligence to enhance the level of cybersecurity protection.”
4. Change Article 40 to Article 42 and add a new paragraph as Paragraph 2:
“When handling personal information, network operators shall comply with this Law, the Civil Code of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other relevant laws and administrative regulations.”
5. Change Article 59 to Article 61 and revise it as follows:
“Where a network operator fails to perform the cybersecurity protection obligations stipulated in Articles 23 and 27 of this Law, the competent authorities shall order corrections and issue a warning, and may impose a fine between 10,000 and 50,000 yuan; if the operator refuses to make corrections or causes consequences endangering cybersecurity, a fine between 50,000 and 500,000 yuan shall be imposed, and the directly responsible managers and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan.
“Where a critical information infrastructure operator fails to perform the cybersecurity protection obligations stipulated in Articles 35, 36, 38, and 40 of this Law, the competent authorities shall order corrections and issue a warning, and may impose a fine between 50,000 and 100,000 yuan; if the operator refuses to make corrections or causes consequences endangering cybersecurity, a fine between 100,000 and 1,000,000 yuan shall be imposed, and the directly responsible managers and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan.
“Where the acts in the preceding two paragraphs cause severe consequences such as large-scale data leaks or partial loss of function in critical information infrastructure, a fine between 500,000 and 2,000,000 yuan shall be imposed, and the directly responsible managers and other directly responsible personnel shall be fined between 50,000 and 200,000 yuan; where the acts cause particularly severe consequences such as the major loss of function in critical information infrastructure, a fine between 2,000,000 and 10,000,000 yuan shall be imposed, and the directly responsible managers and other directly responsible personnel shall be fined between 200,000 and 1,000,000 yuan.”
6. Change Article 60 to Article 62 and add a new paragraph as Paragraph 2:
“Where the acts listed in Items (1) and (2) of the preceding paragraph cause the consequences prescribed in Paragraph 3 of Article 61 of this Law, penalties shall be imposed in accordance with that paragraph.”
7. Add one article as Article 63:
“Where anyone violates Article 25 of this Law by selling or providing key network equipment and cybersecurity-specific products that have not undergone security certification, security inspection, have failed certification, or failed to meet inspection requirements, the competent authorities shall order the cessation of sales or provision, issue a warning, and confiscate illegal gains. Where there are no illegal gains or the illegal gains are less than 100,000 yuan, a fine between 20,000 and 100,000 yuan shall be imposed; where the illegal gains exceed 100,000 yuan, a fine between one and five times the amount of illegal gains shall be imposed. In serious cases, the relevant business may be suspended, rectification ordered, business licenses for relevant operations revoked, or the business license canceled. Where other laws or administrative regulations provide otherwise, such provisions shall apply.”
8. Change Article 61 to Article 64, and revise the phrase “the competent authorities may also order suspension of relevant business, rectification, closure of websites, revocation of relevant business permits or business licenses” to “may order suspension of relevant business, rectification, closure of websites or applications, revocation of relevant business permits or business licenses.”
9. Change Article 62 to Article 65 and revise it as follows:
“Where anyone violates Article 28 of this Law by conducting cybersecurity certification, inspection, or risk assessment activities, or by publishing cybersecurity information such as system vulnerabilities, computer viruses, network attacks, or intrusions, the competent authorities shall order corrections, issue a warning, and may impose a fine between 10,000 and 100,000 yuan; if the party refuses to correct or the circumstances are serious, a fine between 100,000 and 1,000,000 yuan shall be imposed, and suspension, rectification, closure of websites or applications, or revocation of relevant business permits or business licenses may be ordered, and the directly responsible managers and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan.
“Where such acts cause the consequences prescribed in Paragraph 3 of Article 61 of this Law, penalties shall be imposed in accordance with that paragraph.”
10. Change Article 65 to Article 67 and revise it as follows:
“Where a critical information infrastructure operator violates Article 37 of this Law by using network products or services that have not undergone or failed a security review, the competent authorities shall order rectification within a specified time, cessation of use, and elimination of national security risks, and impose a fine between one and ten times the procurement amount. The directly responsible managers and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan.”
11. Combine Articles 68 and 69(1) as Article 69, and revise it as follows:
“Where a network operator violates Article 49 of this Law by failing to stop transmission, remove prohibited information, preserve relevant records, and report to competent authorities as required by laws and administrative regulations, or violates Article 52 of this Law by failing to take the required measures, the competent authorities shall order corrections, issue a warning, circulate a notice of criticism, and may impose a fine between 50,000 and 500,000 yuan; if the operator refuses to correct or the circumstances are serious, a fine between 500,000 and 2,000,000 yuan shall be imposed, and suspension, rectification, closure of websites or applications, or revocation of relevant business permits or business licenses may be ordered. The directly responsible managers and other directly responsible personnel shall be fined between 50,000 and 200,000 yuan.
“Where such acts cause particularly severe impacts or consequences, a fine between 2,000,000 and 10,000,000 yuan shall be imposed, and suspension, rectification, closure of websites or applications, or revocation of relevant business permits or business licenses may be ordered. The directly responsible managers and other directly responsible personnel shall be fined between 200,000 and 1,000,000 yuan.
“Where providers of electronic information transmission services or application download services fail to perform the security management obligations prescribed in Paragraph 2 of Article 50 of this Law, they shall be penalized in accordance with the preceding two paragraphs.”
12. Combine Articles 64, 66, and 70 as Article 71 and revise it as follows:
“Where any of the following acts is committed, penalties shall be imposed in accordance with relevant laws and administrative regulations:
“(1) publishing or transmitting information prohibited by Paragraph 2 of Article 13 of this Law or other laws and administrative regulations;
“(2) violating Paragraph 3 of Article 24 and Articles 43 to 45 of this Law, thereby infringing upon personal information rights and interests;
“(3) violating Article 39 of this Law by storing or providing personal information or important data abroad by critical information infrastructure operators.
“Where anyone violates Article 46 of this Law by stealing, illegally obtaining, selling, or providing personal information to others, but the act does not constitute a crime, the public security authorities shall impose penalties in accordance with relevant laws and administrative regulations.”
13. Add one article as Article 73:
“Where violations of this Law occur but circumstances fall under those eligible for mitigated, reduced, or exempted punishment under the Administrative Penalty Law of the People’s Republic of China, such provisions shall apply.”
14. Change Article 75 to Article 77 and revise it as follows:
“Where overseas institutions, organizations, or individuals engage in activities that endanger the cybersecurity of the People’s Republic of China, legal liability shall be pursued in accordance with the law; where serious consequences are caused, the Ministry of Public Security and other relevant departments of the State Council may decide to impose sanctions such as freezing of assets or other necessary measures against the institution, organization, or individual.”
This Decision shall take effect on January 1, 2026.
The Cybersecurity Law of the People’s Republic of China shall be revised accordingly and republished with adjusted article numbering.
Report of the Constitution and Law Committee of the National People’s Congress on the Review Results of the Draft Amendment to the Cybersecurity Law of the People’s Republic of China
To the Standing Committee of the National People’s Congress:
At its 17th meeting, the Standing Committee conducted the first review of the Draft Amendment to the Cybersecurity Law. After the meeting, the Legislative Affairs Commission distributed the draft amendment to the people’s congresses of all provinces, autonomous regions, and municipalities, relevant central departments, certain deputies to the National People’s Congress, grassroots legislative contact points, and research institutions to solicit opinions. The full text of the draft amendment was also published on the official website of the National People’s Congress to solicit public comments.
The Constitution and Law Committee and the Legislative Affairs Commission conducted research in Beijing to hear local views and exchanged opinions with relevant departments on issues concerning the draft amendment for joint study. On September 28, the Constitution and Law Committee held a meeting to review the draft article by article, taking into account the deliberations of Standing Committee members and feedback from all sides. Officials from the Office of the Central Cyberspace Affairs Commission and the Cyberspace Administration of China attended the meeting. On October 15, the Committee held another meeting for further deliberation.
The Constitution and Law Committee believes that, in order to implement the decisions and deployments of the CPC Central Committee, adapt to the new situation and new requirements of cybersecurity, enhance coherence between laws, and improve the system of legal liability, amending the Cybersecurity Law is both necessary and timely. The draft amendment, after deliberation and revision, has become relatively mature. The Committee hereby proposes the following main amendments:
1. Some Standing Committee members suggested that the guiding principles of cybersecurity work should be enriched by incorporating General Secretary Xi Jinping’s important thought on building China into a cyber power. Upon study, the Committee recommends adding a provision stating that:
“Cybersecurity work shall adhere to the leadership of the Communist Party of China, implement the holistic view of national security, coordinate development and security, and advance the building of a cyber power.”
2. Some Standing Committee members, local authorities, and members of the public proposed that the Law should respond positively to the rapid development and application of artificial intelligence (AI) by supporting AI technological innovation, strengthening infrastructure development and risk prevention, and promoting the healthy development of AI. Upon study, the Committee recommends adding a provision stating that:
“The state shall support fundamental research in artificial intelligence and the research and development of key technologies such as algorithms; promote the construction of infrastructure for training data resources and computing power; improve AI ethical standards; strengthen safety risk monitoring and assessment; innovate and enhance AI safety supervision; and promote the healthy development of artificial intelligence.”
3. Some Standing Committee members proposed that personal information protection should be further aligned with the Civil Code and the Personal Information Protection Law. Upon study, the Committee recommends adding a provision stating that:
“When handling personal information, network operators shall comply with this Law, the Civil Code of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, and other relevant laws and administrative regulations.”
4. Some Standing Committee members, government departments, and members of the public proposed that relevant penalty provisions should be improved, that penalties for certain violations should be increased, and that coordination among related provisions should be strengthened. Upon study, the Committee recommends the following revisions to the draft amendment:
(1) For the illegal sale or provision of key network equipment and cybersecurity-specific products, the fine range should be raised, and an additional clause should specify that in serious cases, relevant business may be suspended, rectification ordered, business permits revoked, or business licenses canceled.
(2) In Article 7, Paragraph 2, delete the word “may” from the phrase “may order the suspension of relevant business, rectification, closure of websites or applications, revocation of relevant business permits, or revocation of business licenses.”
(3) Clarify that where anyone steals, illegally obtains, sells, or provides personal information to others by illegal means, and the act does not constitute a crime, the public security authorities shall impose penalties in accordance with relevant laws and administrative regulations.
In addition, the Committee has made some editorial and textual revisions to the draft amendment.
Based on the above opinions, the Constitution and Law Committee has prepared the Draft Decision of the Standing Committee of the National People’s Congress on Amending the Cybersecurity Law of the People’s Republic of China, and recommends that it be submitted to the current session of the Standing Committee for deliberation and adoption.
Please review the draft amendment decision and this report for consideration.
Constitution and Law Committee of the National People’s Congress
October 24, 2025


