China has announced amendments to its Cybersecurity Law (CSL), marking the first major overhaul of the framework since its enactment in 2017. The revisions, approved by the Standing Committee of the National People’s Congress in October 2025, are aimed at enhancing artificial intelligence (AI) safety, strengthening enforcement mechanisms, and clarifying incident reporting obligations for onshore infrastructure.
The updated cybersecurity law will officially take effect on January 1, 2026.
CSL Updates Strengthen AI Governance and National Security
One of the most notable updates to the CSL is the inclusion of a new article emphasizing state support for AI development and safety. This addition is the first explicit mention of artificial intelligence within China’s cybersecurity framework.
At the same time, the amendment stresses the importance of establishing ethical standards and safety oversight mechanisms for AI technologies. The new provisions encourage the use of AI and other technologies to improve cybersecurity management, signaling a growing recognition of AI’s dual role as both an enabler of progress and a potential source of risk.
While the revised cybersecurity law articulates strategic priorities, detailed implementation guidelines are expected to follow with future regulations or technical standards, reported Global Policy Watch.
Expanding Enforcement and Liability
The 2025 amendments introduce stricter enforcement measures and higher penalties for violations under the CSL. Companies and individuals found in serious breach of the law could face increased fines, up to RMB 10 million for organizations and RMB 1 million for individuals. The revisions also broaden liability to include additional categories of violations, reflecting China’s ongoing efforts to strengthen accountability across its digital ecosystem.
Moreover, the updated cybersecurity law expands its extraterritorial reach. Previously, the CSL’s jurisdiction over cross-border cyber incidents was limited to foreign actions harming China’s critical information infrastructure (CII). The new amendments extend coverage to any foreign conduct that endangers the country’s network security, regardless of whether it targets CII. In severe cases, authorities may impose sanctions such as asset freezes or other punitive measures.
Clarifying Data Protection Obligations
The amendments also resolve a long-standing ambiguity surrounding personal data processing. Under the revised CSL, network operators are now explicitly required to comply not only with the cybersecurity law itself but also with the Civil Code and the Personal Information Protection Law (PIPL). This clarification reinforces the interconnected nature of China’s data governance regime and provides clearer guidance for companies handling personal information.
Complementing the CSL amendments, the Cyberspace Administration of China (CAC) issued the Administrative Measures for National Cybersecurity Incident Reporting, which will come into force on November 1, 2025. These new reporting measures consolidate previously scattered requirements into a unified framework, creating clearer operational expectations for organizations managing onshore infrastructure.
The Measures apply to all network operators that build or operate networks within China or provide services through Chinese networks. Notably, the rules appear to exclude offshore incidents, even when they affect Chinese users, suggesting that the primary focus remains on domestic cybersecurity resilience.
Defined Thresholds and Reporting Procedures
Under the new system, cybersecurity incidents are classified into four levels of severity. Operators must report “relatively major” incidents, such as data breaches involving more than one million individuals or economic losses exceeding RMB 5 million (approximately USD 700,000), within four hours of discovery. A preliminary report must be followed by a full assessment within 72 hours and a post-incident review within 30 days of resolution.
The CAC has introduced multiple reporting channels, including a dedicated hotline, website, email, and WeChat platform, to simplify compliance. Failure to report, delayed notifications, or false reporting can result in penalties. Conversely, prompt and transparent reporting may mitigate or eliminate liability under the revised cybersecurity law.
