Introduction
On March 28, 2025, the Cyberspace Administration of China (CAC) issued new draft amendments to the Cybersecurity Law (CSL Draft Amendments) for public comment until 27 April 2025. Originally enacted on 1 June 2017, the Cybersecurity Law (CSL) is now being revised to better align with related legislation—namely, the Data Security Law (DSL), Personal Information Protection Law (PIPL), and the Administrative Penalty Law (APL).
This article explores the key amendments, enforcement shifts, and practical compliance strategies businesses need to navigate China’s rapidly evolving cybersecurity landscape.
Legal Responsibilities for Network Operation Security
The CSL Draft Amendment strengthens penalties for severe network security breaches, aligning Article 59 of the CSL with the DSL.
|
Operator Type
|
Violation
|
Penalty on Entity
|
Penalty on Personnel
|
| General Network Operators |
Failure to meet obligations under Articles 21 & 25
- Article 21 requires network operators to implement a cybersecurity multi-level protection system (MLPS) by adopting security management systems, technical measures to prevent cyber threats, monitoring and logging practices, data protection measures, and compliance with other legal obligations.
- Article 25 requires network operators to create emergency response plans for cybersecurity incidents, promptly address risks, and report to relevant authorities when incidents occur.
|
Warning + RMB 10,000–50,000 |
Up to RMB 100,000 |
| If harm is caused or failure to rectify. |
RMB 50,000–500,000 |
RMB 10,000–100,000 |
| Critical Information Infrastructure (CII) Operators |
Failure to meet obligations under Articles 33, 34, 36, & 38.
- Article 33 outlines obligations for critical information infrastructure (CII) operators, including ensuring business stability and security through synchronized planning and technical measures.
- Article 34 requires setting up specialized security management bodies, providing regular cybersecurity training, and conducting disaster recovery and emergency drills.
- Article 36 requires CII operators to sign security agreements with providers.
- Article 38 requires CII operators to conduct annual security assessments and submit the reports to the relevant authorities.
|
Warning + RMB 50,000–100,000 |
Up to RMB 100,000 |
| If harm is caused or failure to rectify |
RMB 100,000–1,000,000 |
RMB 10,000–100,000 |
| Severe incident (data breach / partial function loss) |
RMB 500,000–2,000,000
Business suspension, app/website shutdown, license revocation
|
RMB 50,000–200,000 |
| Critical incident (loss of core CII functions) |
RMB 2,000,000–10,000,000
Business suspension, app/website shutdown, license revocation
|
RMB 200,000–1,000,000 |
| Under the current law, fines range from RMB 10,000 - 100,000 for general network operators and RMB 100,000 - 1 million for CII Operators. The CSL Draft Amendments introduce legal consequences scaling with the impact of the violation. Penalties are broader and deeper, especially for CII operators. |
The CSL Draft Amendments update Articles 68 and 69. They address emerging risks and reflect recent enforcement practices. They also clarify penalties for not reporting or stopping the spread of prohibited information.
|
Violation Type
|
Penalty on Entity
|
Penalty on Personnel
|
Enforcement Action
|
Failure to:
- Stop illegal information transmission
- Remove prohibited content
- Retain logs
- Report to authorities
- Comply with Article 50 orders
|
RMB 50,000–500,000 |
RMB 50,000–200,000 |
Rectification orders, warnings |
| If not rectified or a serious violation |
RMB 500,000–2,000,000 |
RMB 50,000–200,000 |
Business suspension, app/website shutdown, license revocation |
| If a violation causes particularly severe consequences |
RMB 2,000,000–10,000,000 |
RMB 200,000–1,000,000 |
Business suspension, app/website shutdown, license revocation |
| Electronic information & app service providers
(Failing obligations under Art. 48(2))
|
RMB 2,000,000–10,000,000 |
RMB 200,000–1,000,000 |
Business suspension, app/website shutdown, license revocation |
| Under the current law, failure to handle illegal information leads to fines ranging from RMB 10,000–500,000.
The CSL Draft Amendments propose increased penalties for failing to manage illegal content.
|
Non-Compliant Procurement of Cyber Security Products
The CSL Draft Amendment amends article 65 of the CSL into a new article 67.
|
Violation Type
|
Penalty on Entity
|
Penalty on Personnel
|
| Using unapproved products in CII |
1–10 times the procurement amount. |
RMB 10,000–100,000. |
| The fine for using unapproved products in the proposed amendments is significantly higher than the one imposed by the current law. The amendment advocates stricter penalties for non-compliant procurement of cybersecurity products in critical sectors. |
The Addition of New Provisions
|
New provisions
|
Violation Type
|
Penalty on Entity
|
Key takeaway
|
| Article 61 |
Introduces a penalty for selling unapproved network devices/products |
Illegal gains will be confiscated, and violators may be fined 1 to 3 times the amount earned. If no illegal profits are made, a fixed fine of RMB 30,000 to 100,000 will apply. |
Regulates new market entry and ensures the sale of certified cybersecurity products. |
| Article 72 |
Introduces a principle of lenient enforcement aimed at encouraging proactive compliance. Under this approach, entities that voluntarily correct their violations and eliminate any resulting harm may be exempt from penalties altogether. Additionally, first-time or minor infractions that are promptly addressed may result in reduced penalties, reflecting a shift toward a more balanced and corrective enforcement strategy. |
Violators who promptly fix issues and prevent harm may avoid penalties, while first-time or minor breaches corrected in time may face lighter fines. |
Prevents excessive enforcement and encourages voluntary compliance. |
The CSL Draft Amendment aligns the CSL with China’s DSL and PIPL by clarifying that violations involving personal information and important data will be subject to penalties under those more specific frameworks. Specifically, the following actions will now be punished in accordance with relevant laws and administrative regulations:
- Publishing or transmitting prohibited information, including content restricted under Article 12(2) and other laws.
- Violations of personal information protection, such as breaches of Article 22(3) and Articles 41–43, which safeguard individuals’ lawful data rights.
- Cross-border data violations, including unlawfully storing or transferring personal or important data overseas in breach of Article 37.
This shift ensures more consistent and specialized enforcement of data protection obligations across China's broader legal landscape.
Significance of the CSL Proposed Draft Amendments
The amendment is crucial to closing regulatory gaps and ensuring consistency with newer, stricter laws like the DSL and the PIPL. It enhances enforcement by introducing tougher penalties, addressing previous weaknesses in deterrence. As cyber threats grow in scale and complexity, the changes equip regulators with stronger legal tools to manage risks across network security, critical infrastructure, and cybersecurity products. Additionally, the amendment reflects China's strategic shift toward digital sovereignty by tightening controls on foreign technologies in sensitive sectors.
Impact of the CSL Proposed Draft Amendments
The latest amendments to China’s CSL significantly heighten compliance requirements and enforcement risks for businesses, impacting not only CII operators but also general network operators and network product suppliers.
For CII operators, the proposed revision of CSL demands
- stronger supply chain security practices,
- reassessment of their security review processes, particularly in procuring network equipment and services, and
- compliance with China's cross-border data transfer regulations.
General network operators must prioritize stronger mechanisms for managing illegal online content, as the amendments impose higher penalties for failing to prevent or address such violations. Developing robust emergency response plans for content-related incidents is critical, and businesses should enforce more stringent vetting procedures for third-party network product suppliers to meet China’s enhanced cybersecurity standards.
Network product suppliers will face more stringent market access requirements. Under the proposed revised law, companies must secure security certifications or testing approvals before selling products in China, requiring them to implement comprehensive security lifecycle management practices to ensure compliance from design through to deployment and maintenance.
