Products

Data Command Center
View

Data+AI Security Teams

Data+AI Teams

Data Governance Teams

Data Privacy Teams

Secure Data+AI anywhere

Data Security Posture Management

Secure sensitive data everywhere from hybrid multicloud to SaaS

AI Security & Governance

Establish controls for safe adoption of AI technologies including GenAI

Security for AI Copilots in SaaS

Unblock the biggest impediments for Safe Adoption of AI Copilots like Microsoft 365 Copilot

Data Access Intelligence & Governance

Monitor user access to data and enforce least privilege controls

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Compliance Management

Assess & improve compliance with security best practices frameworks

Breach Impact Analysis

Analyze breach impact & automate notifications to affected individuals

Data Flow Governance

Understand data lineage and secure real-time streaming data

Build safe enterprise AI systems

Safe Enterprise AI Copilots

Implement rule-aware AI copilots across your organization’s data anywhere

Data Vectorization and Ingestion

Extract info from complex Unstructured Files, convert it into AI-ready formats, and sync to vector databases

Data Curation and Sanitization for AI

Transform raw, unstructured files into data ready for model training and tuning

Context-aware LLM Firewalls

Protect AI interactions with intelligent retrieval, response, and prompt firewalls

Unstructured Data Governance

Manage and govern unstructured data to enable its safe use with generative AI

Govern data for safe innovation

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Unstructured Data Governance

Manage unstructured data to enable safe use with generative AI

Data Access Governance

Monitor sensitive data access and prevent unauthorized use

AI Governance

Establish controls for safe adoption of AI technologies including GenAI

Data Catalog

Enable users to easily find, understand, trust and access the data they need

Data Lineage

Automatically track changes and transformations of data throughout its lifecycle

Data Quality

Conduct data quality checks and validation across various data types

Automate data privacy operations

Data Mapping Automation

Manage your entire data mapping lifecycle and automate RoPA reports

AI Governance

Comply with emerging AI regulations and ensure safe use of AI

Data Subject Request Automation

Automate entire DSR lifecycle from consumer request intake to secure report delivery

Assessment Automation

Automate your entire assessment lifecycle and demonstrate compliance

Consent Management

Manage your first-party and third-party consent lifecycle from scanning to reporting

Breach Management

Automate your incident management and optimize notifications to users & regulatory bodies

Privacy Center

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere

Compliance Management

Use automation to audit and improve compliance with global regulations and industry standards
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

GCP

View

AWS

View

Databricks

View

Snowflake

View

Azure

View

+ More

View

Learn more

Regulations & Frameworks

Automate compliance with global privacy regulations.

CDMC

View

EU AI Act

View

OWASP

View

NIST AI RMF

View

European Union GDPR

View

California's CPRA

View

Brazil's LGPD

View

Canada's PIPEDA

View

China's PIPL

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Data+AI Builders

View

Data Security

View

Data Privacy

View

Data Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.

Webinars

Learn from industry thought leaders why you need a Data Command Center to enable safe use of data.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Home Knowledge Center Data Privacy Automation New Draft Amendments to China Cybersecurity Law

New Draft Amendments to China Cybersecurity Law

Published April 24, 2025

Author

Salma Khan

Data Privacy Analyst

CIPP/Asia

Introduction

On March 28, 2025, the Cyberspace Administration of China (CAC) issued new draft amendments to the Cybersecurity Law (CSL Draft Amendments) for public comment until 27 April 2025. Originally enacted on 1 June 2017, the Cybersecurity Law (CSL) is now being revised to better align with related legislation—namely, the Data Security Law (DSL), Personal Information Protection Law (PIPL), and the Administrative Penalty Law (APL).

This article explores the key amendments, enforcement shifts, and practical compliance strategies businesses need to navigate China’s rapidly evolving cybersecurity landscape.

Legal Responsibilities for Network Operation Security

The CSL Draft Amendment strengthens penalties for severe network security breaches, aligning Article 59 of the CSL with the DSL.

Operator Type	Violation	Penalty on Entity	Penalty on Personnel
General Network Operators	Failure to meet obligations under Articles 21 & 25 Article 21 requires network operators to implement a cybersecurity multi-level protection system (MLPS) by adopting security management systems, technical measures to prevent cyber threats, monitoring and logging practices, data protection measures, and compliance with other legal obligations. Article 25 requires network operators to create emergency response plans for cybersecurity incidents, promptly address risks, and report to relevant authorities when incidents occur.	Warning + RMB 10,000–50,000	Up to RMB 100,000
General Network Operators	If harm is caused or failure to rectify.	RMB 50,000–500,000	RMB 10,000–100,000
Critical Information Infrastructure (CII) Operators	Failure to meet obligations under Articles 33, 34, 36, & 38. Article 33 outlines obligations for critical information infrastructure (CII) operators, including ensuring business stability and security through synchronized planning and technical measures. Article 34 requires setting up specialized security management bodies, providing regular cybersecurity training, and conducting disaster recovery and emergency drills. Article 36 requires CII operators to sign security agreements with providers. Article 38 requires CII operators to conduct annual security assessments and submit the reports to the relevant authorities.	Warning + RMB 50,000–100,000	Up to RMB 100,000
	If harm is caused or failure to rectify	RMB 100,000–1,000,000	RMB 10,000–100,000
	Severe incident (data breach / partial function loss)	RMB 500,000–2,000,000 Business suspension, app/website shutdown, license revocation	RMB 50,000–200,000
	Critical incident (loss of core CII functions)	RMB 2,000,000–10,000,000 Business suspension, app/website shutdown, license revocation	RMB 200,000–1,000,000
Under the current law, fines range from RMB 10,000 - 100,000 for general network operators and RMB 100,000 - 1 million for CII Operators. The CSL Draft Amendments introduce legal consequences scaling with the impact of the violation. Penalties are broader and deeper, especially for CII operators.

Legal Responsibilities for Network Information Security

The CSL Draft Amendments update Articles 68 and 69. They address emerging risks and reflect recent enforcement practices. They also clarify penalties for not reporting or stopping the spread of prohibited information.

Violation Type	Penalty on Entity	Penalty on Personnel	Enforcement Action
Failure to: Stop illegal information transmission Remove prohibited content Retain logs Report to authorities Comply with Article 50 orders	RMB 50,000–500,000	RMB 50,000–200,000	Rectification orders, warnings
If not rectified or a serious violation	RMB 500,000–2,000,000	RMB 50,000–200,000	Business suspension, app/website shutdown, license revocation
If a violation causes particularly severe consequences	RMB 2,000,000–10,000,000	RMB 200,000–1,000,000	Business suspension, app/website shutdown, license revocation
Electronic information & app service providers (Failing obligations under Art. 48(2))	RMB 2,000,000–10,000,000	RMB 200,000–1,000,000	Business suspension, app/website shutdown, license revocation
Under the current law, failure to handle illegal information leads to fines ranging from RMB 10,000–500,000. The CSL Draft Amendments propose increased penalties for failing to manage illegal content.

Non-Compliant Procurement of Cyber Security Products

The CSL Draft Amendment amends article 65 of the CSL into a new article 67.

Violation Type	Penalty on Entity	Penalty on Personnel
Using unapproved products in CII	1–10 times the procurement amount.	RMB 10,000–100,000.
The fine for using unapproved products in the proposed amendments is significantly higher than the one imposed by the current law. The amendment advocates stricter penalties for non-compliant procurement of cybersecurity products in critical sectors.

The Addition of New Provisions

New provisions	Violation Type	Penalty on Entity	Key takeaway
Article 61	Introduces a penalty for selling unapproved network devices/products	Illegal gains will be confiscated, and violators may be fined 1 to 3 times the amount earned. If no illegal profits are made, a fixed fine of RMB 30,000 to 100,000 will apply.	Regulates new market entry and ensures the sale of certified cybersecurity products.
Article 72	Introduces a principle of lenient enforcement aimed at encouraging proactive compliance. Under this approach, entities that voluntarily correct their violations and eliminate any resulting harm may be exempt from penalties altogether. Additionally, first-time or minor infractions that are promptly addressed may result in reduced penalties, reflecting a shift toward a more balanced and corrective enforcement strategy.	Violators who promptly fix issues and prevent harm may avoid penalties, while first-time or minor breaches corrected in time may face lighter fines.	Prevents excessive enforcement and encourages voluntary compliance.

Legal Responsibilities for Personal Information and Important Data Security

The CSL Draft Amendment aligns the CSL with China’s DSL and PIPL by clarifying that violations involving personal information and important data will be subject to penalties under those more specific frameworks. Specifically, the following actions will now be punished in accordance with relevant laws and administrative regulations:

Publishing or transmitting prohibited information, including content restricted under Article 12(2) and other laws.
Violations of personal information protection, such as breaches of Article 22(3) and Articles 41–43, which safeguard individuals’ lawful data rights.
Cross-border data violations, including unlawfully storing or transferring personal or important data overseas in breach of Article 37.

This shift ensures more consistent and specialized enforcement of data protection obligations across China's broader legal landscape.

Significance of the CSL Proposed Draft Amendments

The amendment is crucial to closing regulatory gaps and ensuring consistency with newer, stricter laws like the DSL and the PIPL. It enhances enforcement by introducing tougher penalties, addressing previous weaknesses in deterrence. As cyber threats grow in scale and complexity, the changes equip regulators with stronger legal tools to manage risks across network security, critical infrastructure, and cybersecurity products. Additionally, the amendment reflects China's strategic shift toward digital sovereignty by tightening controls on foreign technologies in sensitive sectors.

Impact of the CSL Proposed Draft Amendments

The latest amendments to China’s CSL significantly heighten compliance requirements and enforcement risks for businesses, impacting not only CII operators but also general network operators and network product suppliers.

For CII operators, the proposed revision of CSL demands

stronger supply chain security practices,
reassessment of their security review processes, particularly in procuring network equipment and services, and
compliance with China's cross-border data transfer regulations.

General network operators must prioritize stronger mechanisms for managing illegal online content, as the amendments impose higher penalties for failing to prevent or address such violations. Developing robust emergency response plans for content-related incidents is critical, and businesses should enforce more stringent vetting procedures for third-party network product suppliers to meet China’s enhanced cybersecurity standards.

Network product suppliers will face more stringent market access requirements. Under the proposed revised law, companies must secure security certifications or testing approvals before selling products in China, requiring them to implement comprehensive security lifecycle management practices to ensure compliance from design through to deployment and maintenance.

Videos

January 20, 2025

Mitigating OWASP Top 10 for LLM Applications 2025

Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...

January 15, 2025

DSPM vs. CSPM – What’s the Difference?

While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...

January 15, 2025

Top 6 DSPM Use Cases

With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...

January 2, 2025

Colorado Privacy Act (CPA)

What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...

December 24, 2024

Securiti for Copilot in SaaS

Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...

November 1, 2024

Top 10 Considerations for Safely Using Unstructured Data with GenAI

A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....

October 29, 2024

Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes

As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...

August 12, 2024

Navigating CPRA: Key Insights for Businesses

What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...