China’s Cybersecurity Law Amendments: Key Changes in the Second Draft

Written by Collins Fan and Qian Zhou

The latest amendments to China’s Cybersecurity Law are part of a broader effort to enhance legal enforcement, align with recent data protection laws, address emerging cyber threats, and strengthen national security. In this article, we explore the key changes, enforcement trends, and essential compliance strategies to help businesses navigate China’s evolving cybersecurity landscape.


On March 28, 2025, the Cyberspace Administration of China (CAC) issued new draft amendments to the Cybersecurity Law (CSL) for public comment.

Originally enacted in 2016, the CSL is one of the three pillar laws of China’s data protection and cybersecurity regime, alongside the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), both of which were passed in 2021. With these newer laws in place, the CSL has often been accused of being outdated, particularly due to its significantly lower fines compared to those outlined in the DSL and PIPL.

To address this gap, the CAC released an initial draft of CSL amendments in 2022, introducing higher penalties and aligning its provisions with other regulations. However, this draft was never finalized. Instead, the CAC continued refining China’s data compliance system, culminating in the release of the Regulations on Network Data Security Management, which took effect on January 1, 2025.

Building on these developments, the latest draft amendments to the CSL further strengthen enforcement measures and penalties within China’s data compliance framework. As China refines its data governance framework, businesses operating in the country must stay informed and ensure full compliance with the evolving regulatory landscape.

In this article, we examine the key changes in the new amendments, their implications for businesses and individuals, and their broader impact.


Why does China’s Cybersecurity Law need to be amended?

As introduced earlier, the CSL has been a foundational piece of legislation governing cybersecurity, data protection, and critical information infrastructure (CII). However, evolving regulatory, technological, and geopolitical landscapes have made amendments necessary. The latest amendments aim to address several pressing issues:

  • Legal alignment with newer data protection laws: Since the CSL’s enactment, China’s data protection and compliance regime has kept developing, with new laws such as the DSL and PIPL being introduced. These laws set stricter requirements for data security and personal information protection. However, discrepancies between the CSL and these newer laws have led to inconsistencies in enforcement. The amendments ensure that the CSL aligns with the broader cybersecurity and data governance framework, creating a more cohesive regulatory system.
  • Stronger enforcement to deter violations: One of the key criticisms of the original CSL is that its penalties for non-compliance are significantly lower than those in the DSL and PIPL. This has weakened its deterrence effect, allowing some businesses to take cybersecurity risks without facing substantial consequences. The amendments introduce harsher penalties and clearer enforcement mechanisms, ensuring that violations result in meaningful consequences and better compliance across industries.
  • Enhanced risk prevention amid evolving cyber threats: Since 2016, cyber threats such as data breaches, ransomware attacks, and supply chain vulnerabilities have grown in scale and complexity. The amendments strengthen legal provisions to address these emerging risks, reinforcing compliance requirements for network security, critical information infrastructure protection, and cybersecurity product approvals. By updating the law, regulators aim to mitigate cybersecurity threats and strengthen China’s digital resilience.
  • Adapting to geopolitical and international cybersecurity challenges: With increasing global tensions around data security and digital sovereignty, China is tightening regulations on critical information infrastructure and sensitive data. The amendments introduce stricter controls on the use of foreign cybersecurity products and services in critical sectors, aligning with China’s broader strategy to enhance domestic cybersecurity capabilities.

Key changes in the new amendments to China’s Cybersecurity Law

The latest draft amendments to the CSL introduce stricter penalties, clearer enforcement mechanisms, and greater alignment with existing data protection laws. The amendments emphasize graded penalties based on severity, differentiated responsibilities for network operators and critical infrastructure providers, and flexible enforcement for minor violations.

Strengthened legal responsibilities and penalties

Strengthened Legal Responsibilities and Penalties in the Cybersecurity Law Amendments 2025

| Article | Current law | Draft amendments | Key changes |
|---|---|---|---|
| Article 59 (Amended) | Fines: RMB 10,000–100,000 for general network operators; RMB 100,000–1 million for CII operators. | Introduces tiered fines. General violations: RMB 10,000–500,000 (for general operators); RMB 50,000–1 million (for CII). Severe violations: RMB 500,000–2 million or up to RMB 10 million (if CII functionality is significantly impaired). Adds new penalties: license revocation, business suspension, or rectification orders. | Harsher penalties: fines now scale based on consequences; introduces license revocation for severe violations. |
| Article 61 (Newly added) | No corresponding provision. | Selling unapproved network devices/products: confiscation of illegal gains + fines of 1–3 times the illegal earnings. If no illegal earnings: fines of RMB 30,000–100,000. | New market entry regulation: ensures that only certified cybersecurity products are sold. |
| Article 65 (Amended, to be new Article 67) | Using unapproved products in CII: ordered to rectify + fine. | Higher penalties: fines increased to 1–10 times the procurement amount; personal fines of RMB 10,000–100,000. | Stricter penalties for non-compliant procurement of cybersecurity products in critical sectors. |
| Articles 68 & 69 (Merged, to be new Article 69) | Failure to handle illegal information: fine of RMB 10,000–500,000. | Tiered fines based on severity. General violations: RMB 50,000–500,000. Severe cases: RMB 500,000–2 million. Particularly severe: RMB 2–10 million + possible license revocation. | Increased penalties for failing to manage illegal content. |
| Article 72 (Newly added) | No corresponding provision. | Introduces “lenient enforcement” principles: no penalty if the violator proactively corrects mistakes and eliminates harm; lighter penalties for first-time or minor violations that are promptly corrected. | Encourages voluntary compliance to prevent excessive enforcement. |

Additional amendments and updates

Broader enforcement scope: The term “shutting down websites” is expanded to include “shutting down websites or applications” (Articles 62, 63).

Consolidation of provisions: Several articles related to information publishing, personal data violations, and cross-border data transfers are merged into Article 71, ensuring consistent enforcement across related legal frameworks.

Innovative enforcement mechanisms

As seen above, one of the most notable aspects of the latest amendments to China’s CSL is the introduction of more flexible enforcement mechanisms. These changes reflect a shift toward a balanced regulatory approach that aims to enhance compliance without resorting to overly rigid penalties.

Flexible penalty system

A key innovation is the incorporation of discretionary administrative penalties under Article 72. For the first time in cybersecurity law enforcement, the amendment introduces a flexible penalty system that encourages compliance rather than imposing strict, uniform fines.

Under this new system, first-time minor violations may go unpunished if the violator proactively mitigates the harm and corrects the issue promptly. Additionally, companies that take swift action to rectify non-compliance and reduce the negative impact of their violations may receive lighter penalties. To ensure fairness and transparency, authorities are also required to establish clear discretionary standards, preventing arbitrary or inconsistent enforcement. The policy goal behind this approach is to avoid a one-size-fits-all punishment model and instead encourage companies to take a proactive role in maintaining cybersecurity standards.

Consistency with other cybersecurity laws

In addition to promoting compliance through flexible penalties, the amendments also introduce a more structured legal framework that harmonizes cybersecurity enforcement with existing laws.

To prevent overlapping or conflicting regulations, Article 71 now explicitly redirects certain cybersecurity violations to be penalized under the appropriate legal frameworks. For example, illegal content publishing violations will now be handled under the Internet Information Services Regulations, personal information protection breaches will fall under the PIPL, and cross-border data transfer violations will be governed by the DSL. This approach not only streamlines enforcement but also clarifies compliance obligations for businesses operating in China’s digital space.

Penalty escalation mechanism

Furthermore, Article 64 introduces a more severe penalty escalation mechanism for major violations. If a cybersecurity breach leads to large-scale data leaks or other serious security incidents, the penalties will automatically escalate to the highest tiers outlined in Article 59. This ensures that companies handling critical information infrastructure and sensitive data face significant consequences in the event of serious compliance failures.

Overall, these innovative enforcement mechanisms demonstrate China’s evolving regulatory strategy, which aims to strike a balance between strict cybersecurity enforcement and pragmatic, compliance-driven incentives. By offering leniency for minor infractions while increasing penalties for severe violations, the amended CSL encourages businesses to take a more proactive and responsible approach to cybersecurity management.

Impact of the latest amendments to China’s Cybersecurity Law

The latest amendments to China’s CSL introduce stricter compliance requirements and heightened enforcement risks for businesses operating in the country. These changes will affect not only CII operators but also general network operators and network product suppliers, requiring them to reassess their cybersecurity strategies and compliance frameworks:

  • For CII operators, which include companies in sectors like finance, healthcare, energy, and telecommunications, the revised CSL mandates a more rigorous approach to supply chain security. Businesses in this category must re-evaluate their security review processes when procuring network equipment or services and ensure compliance with China’s cross-border data transfer regulations. Additionally, as cybersecurity enforcement intensifies, CII operators are advised to increase their cybersecurity budgets to three to five percent of their annual revenue.
  • For general network operators, the primary focus should be on strengthening mechanisms for handling illegal online content. The amendments impose higher penalties for failing to prevent or respond to violations, making it critical for businesses to develop robust emergency response plans for content-related incidents. Additionally, businesses that rely on third-party network products and services must implement stricter vetting procedures to ensure that their suppliers meet China’s enhanced cybersecurity compliance requirements.
  • Network product suppliers, including hardware and software vendors, will now face stricter market access controls. Under the revised law, companies must obtain security certification or testing approval before their products can be sold in China. This shift underscores the need for suppliers to implement security lifecycle management systems, ensuring that their products comply with cybersecurity standards from design and development through to deployment and maintenance.

If the 2025 CSL amendments are enacted in their current form, businesses should prepare for targeted enforcement actions. Regulators are expected to prioritize inspections and audits in key industries such as healthcare, finance, and transportation, where cybersecurity risks have significant national security implications. Additionally, platform companies with over one million users and businesses that engage in cross-border data transfers will face heightened scrutiny. Given this focus, companies operating in these sectors should proactively conduct internal risk assessments and enhance their cybersecurity governance structures to avoid compliance pitfalls.

In addition to stricter enforcement, new supporting regulations will be introduced to clarify implementation details. Businesses should closely monitor upcoming rules, which will provide specific penalty guidelines for different types of violations and set the technical and procedural requirements for obtaining compliance certifications.

By investing in cybersecurity infrastructure, refining risk management strategies, and staying ahead of evolving regulatory requirements, companies can mitigate enforcement risks while maintaining smooth operations in China’s digital economy.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.