MONOLITH LAW MAGAZINE

Explaining the Major Amendments to China's "Cybersecurity Law": How Should Companies Respond to Strengthened Penalties and Expanded Extraterritorial Application?

The “Cybersecurity Law of the People’s Republic of China” (Cybersecurity Law, Chinese original: 中华人民共和国网络安全法), which serves as the cornerstone of China’s cybersecurity regulations, has reached a significant turning point. On October 28, 2025, the Standing Committee of the National People’s Congress announced amendments to this law, which will take effect on January 1, 2026.

This revision is the first major one since the law took effect in 2017, and it goes beyond mere textual amendments: it significantly strengthens legal responsibilities, addresses new technologies such as artificial intelligence (AI), and expands the extraterritorial reach of law enforcement. These changes are crucial for Japanese companies conducting business in China and cannot be overlooked.

This article will outline the background of this major revision to the Cybersecurity Law, detail the specific amendments, and discuss the practical responses required from Japanese companies.

Background of the Major Revision to the “Network Security Law” (Cybersecurity Law) in China

Background of the Law

China’s Network Security Law, together with the “Data Security Law” and the “Personal Information Protection Law” (the three are collectively known as the “Three Data Laws of China”), is a foundational law that supports governance in the cybersecurity domain.

There are two main factors behind the recent revision. One is the need to address new risks arising from the rapid development of the digital economy.

The swift proliferation of artificial intelligence technologies, including generative AI, has brought to light issues such as the safety of algorithms, the legality of training data, and AI ethical standards, which were not fully anticipated by existing legal frameworks. There was a demand to establish a legal framework to manage these issues.

Additionally, threats such as network intrusions, cyberattacks, and the spread of illegal information have been increasing, necessitating the strengthening of legal responsibilities to enhance deterrence against these threats.

The other factor is related to China’s national strategy. Under China’s initiatives to build a “cyber power” and the “overall national security concept,” efforts have been made to develop relevant legal systems to protect sovereignty and security in cyberspace.

Moreover, the previous law had relatively light penalties, and discrepancies in punishment standards between it and the subsequently enacted Data Security Law and Personal Information Protection Law were also seen as issues. The current revision aims to strengthen the coordination of these “Three Data Laws” and enhance the uniformity and rigor of law enforcement.

In addition, considering recent international circumstances, the scope of extraterritorial application of the law has been clarified and expanded to address attacks from outside China and actions threatening national security. This allows for the imposition of sanctions on foreign organizations and individuals.

Key Points of China’s Revised “Network Security Law”

The new law introduced by this revision not only inherits substantial obligations from the previous law but also includes several significant new provisions and amendments.

Establishment of Basic Policies and AI-Related Provisions

The new law explicitly states the adherence to the leadership of the Communist Party of China in cybersecurity operations and the implementation of the “overall national security concept.”

Additionally, for the first time, the revised law systematically incorporates AI-related policies into the main body of the cybersecurity law. The government supports research and development of AI’s fundamental theories and algorithms, while at the same time strengthening risk monitoring, safety supervision, and the establishment of ethical norms, with the aim of using new technologies to raise the overall level of cybersecurity.

Strengthening of Safety Protection Obligations and Coordination with Personal Information Protection Legislation

Network operators are obligated to ensure network safety by adhering to the graded protection system, which includes establishing internal management systems, designating responsible persons, and implementing technical measures.

The revision clearly states that when handling personal information, compliance is required not only with the Network Security Law but also with provisions of the Civil Code and the Personal Information Protection Law.

This enhances the consistency of related legal systems and demands a more integrated compliance response.

Ensuring the Safety of Network Products and Services

The law emphasizes the safety of supply chains for critical equipment and dedicated products. The sale or provision of critical network equipment that has not undergone or failed safety certification and inspection is strictly prohibited.

Violations may result in sales suspension, confiscation of illegal income, and substantial fines.

Significant Strengthening of Legal Responsibilities (Penalties)

One of the most notable features of this revision is the introduction of a tiered penalty system based on the severity of harm and the overall increase in fine levels.

Fines for Network Operators

Under the new law, it is possible to impose direct fines alongside corrective orders for violations of safety protection obligations (whereas the previous law sometimes only issued corrective recommendations). Fines for refusing correction or causing harm range from 50,000 yuan to 500,000 yuan (increased from the previous law’s maximum of 100,000 yuan).

Furthermore, as a newly established aggravated punishment provision, fines range from 500,000 yuan to 2 million yuan for causing significant harm such as massive data leaks or partial functional loss of critical information infrastructure. For causing especially significant harm, such as the loss of major functions of critical information infrastructure, fines range from 2 million yuan to 10 million yuan.

Fines for Individuals (Directly Responsible Persons)

The responsibility for individuals in charge within companies has also increased. Depending on the level of harm, fines range from 50,000 yuan to 200,000 yuan for significant harm, and from 200,000 yuan to 1 million yuan for especially significant harm. In addition to the traditional “person in charge,” “other directly responsible persons” are also explicitly included as subjects of punishment.

Other Sanctions

In addition to fines, severe administrative penalties such as temporary suspension of business, business suspension and rectification, closure of websites or applications, and revocation of business licenses may be imposed depending on the circumstances. In cases of especially significant harm, these measures will be mandatorily applied.

Expansion of Extraterritorial Application Scope

Previously, extraterritorial application was limited to activities threatening China’s critical information infrastructure (CII). However, the new law includes foreign institutions, organizations, and individuals engaged in activities threatening China’s overall network security. In cases of significant consequences, Chinese authorities may decide on sanctions such as asset freezes.

Corporate Compliance with the Amendments to China’s “Network Security Law”

Corporate Compliance Requirements

With the implementation of the new law, companies operating in China must fundamentally reassess their current systems and establish more stringent governance structures.

Reevaluation and Strengthening of Internal Security Management Systems

Companies must ensure that their networks are protected at the level appropriate to them under the cybersecurity graded protection system.

Clarification of Responsibilities

It is essential to clearly designate a network security officer and incorporate their authority and duties into internal regulations. The new law significantly increases fines for individuals, making it crucial for companies to educate and support their personnel in fulfilling their duties to reduce legal risks.

Implementation of Technical Measures

Companies need to implement technical measures to prevent computer viruses and cyberattacks, and retain logs for more than six months. Additionally, they must verify that data classification, backup of critical data, and encryption measures comply with the latest technical standards.
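The log-retention requirement above is the one technical measure in this list that can be checked mechanically across systems. The following is an added example (not code from the original article or from any regulator) of a small audit that compares each system’s configured retention period, in days, against a six-calendar-month window ending on the audit date. The system names and retention values are constructed sample data, and treating “six months” as six calendar months counted back from the audit date is an assumption made for the example.

```python
import calendar
from datetime import date

# Constructed sample: per-system log retention settings in days.
# These are illustrative values, not real configuration from any company.
SAMPLE_POLICIES = {
    "web-gateway": 365,
    "vpn-concentrator": 90,
    "edr-console": 181,
}


def months_before(d: date, months: int) -> date:
    """Return the calendar date `months` months before `d`.

    The day of month is clamped to the length of the target month,
    so six months before 31 August is 28 (or 29) February.
    """
    month = d.month - months
    year = d.year
    while month <= 0:
        month += 12
        year -= 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def required_retention_days(today: date, months: int = 6) -> int:
    """Days a log store must hold so that logs from `months` calendar
    months before `today` are still available (assumption: the window is
    measured in calendar months from the audit date)."""
    return (today - months_before(today, months)).days


def audit_retention(policies: dict, today: date, months: int = 6) -> dict:
    """Map each system name to True if its configured retention (in days)
    covers the required window, otherwise False."""
    needed = required_retention_days(today, months)
    return {system: days >= needed for system, days in policies.items()}


def noncompliant_systems(policies: dict, today: date, months: int = 6) -> list:
    """Sorted list of systems whose retention setting falls short."""
    results = audit_retention(policies, today, months)
    return sorted(system for system, ok in results.items() if not ok)


if __name__ == "__main__":
    audit_date = date(2026, 3, 1)  # constructed audit date
    print(f"Required retention as of {audit_date}: "
          f"{required_retention_days(audit_date)} days")
    for system, ok in audit_retention(SAMPLE_POLICIES, audit_date).items():
        status = "OK" if ok else "SHORTFALL"
        print(f"{system:18} {status:9} ({SAMPLE_POLICIES[system]} days configured)")
```

The check is calendar-aware rather than a fixed 180-day constant because the number of days in six months depends on the date of the audit; a policy that passes in a short half-year can fail in a longer one. In practice the `SAMPLE_POLICIES` dictionary would be populated from each log platform’s actual retention setting, and any system reported as a shortfall is a gap against the six-month requirement.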

Ensuring Supply Chain Compliance

It is necessary to strictly manage whether the critical network equipment and dedicated products used or sold by the company have passed the safety certification and inspection recognized by Chinese authorities.

Verification During Procurement

Companies identified as CII operators must pass a national security review when procuring network products or services that may impact national security.

Confidentiality Agreements

It is mandatory to enter into agreements with providers regarding safety and confidentiality, clearly defining the scope of responsibilities.

Establishment of Incident Response and Reporting Systems

Companies are required to develop emergency response plans (manuals) for security incidents and conduct regular training. In the event of an incident, immediate remedial measures must be taken, and a process for promptly reporting to authorities must be established.

Safety Evaluation for the Introduction of New Technologies (AI)

When introducing AI into operations, companies must assess the safety of algorithms and their compliance with ethical standards. The law promotes the healthy development of AI while indicating a policy to strengthen risk monitoring, necessitating proactive measures in anticipation of future supervisory regulations.

Management of Cross-Border Data Transfers

For the overseas provision of critical data and personal information, companies must appropriately conduct procedures such as safety evaluations, certifications, and the conclusion of standard contracts based on the Data Security Law and the Personal Information Protection Law. The law emphasizes coordination with these other laws, making the establishment of a unified data management system an urgent task.

Conclusion: Consult with a Lawyer for Compliance with China’s Network Security Law

The recent amendment to China’s Network Security Law symbolizes a shift in digital governance within China, moving from “guidance through corrective recommendations” to “strict law enforcement accompanied by substantial fines.”

The fine, which can reach up to 10 million yuan, is significant enough to greatly impact a company’s operations. Companies are now required to have a more precise understanding of the law and to engage more carefully in their management decisions.

Additionally, it is essential to organize the relationship with related subordinate regulations, such as the “Network Data Security Management Regulations” enacted in January 2025, and to establish a multilayered compliance system to continue business operations in the Chinese market.

In addressing these legal amendments, it is crucial to utilize the support of lawyers who are well-versed not only in law but also in IT business.

Guidance on Measures by Our Firm

Monolith Law Office is a legal firm with extensive experience in both IT, particularly the Internet, and law. In recent years, global business has been expanding increasingly, and the need for legal checks by experts is growing. Our firm provides solutions related to international legal affairs under Japanese law.

Editor in Chief and Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies and has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.