Cybersecurity Law of the People’s Republic of China (Draft Amendment for the Second Round of Public Comment)

  1. Article 59 is revised to read:

    “Where a network operator fails to perform the cybersecurity protection obligations prescribed in Articles 21 and 25 of this Law, the competent authorities shall order it to make corrections, issue a warning, and may impose a fine of not less than 10,000 yuan but not more than 50,000 yuan. If it refuses to make corrections or causes consequences such as endangering cybersecurity, a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the directly responsible persons-in-charge.

    Where an operator of critical information infrastructure fails to perform the cybersecurity protection obligations prescribed in Articles 33, 34, 36 and 38 of this Law, the competent authorities shall order it to make corrections, issue a warning, and may impose a fine of not less than 50,000 yuan but not more than 100,000 yuan. If it refuses to make corrections or causes consequences such as endangering cybersecurity, a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the directly responsible persons-in-charge.

    Where anyone commits the acts specified in the preceding two paragraphs and causes serious cybersecurity consequences such as massive data leakage or partial loss of function of critical information infrastructure, the competent authorities shall impose a fine of not less than 500,000 yuan but not more than 2,000,000 yuan. The competent authorities may also order the suspension of relevant businesses, suspension of operations for rectification, closure of websites or applications, revocation of relevant business licenses or revocation of business licenses, and impose a fine of not less than 50,000 yuan but not more than 200,000 yuan on the directly responsible persons-in-charge and other directly liable personnel. If such acts result in particularly serious cybersecurity consequences such as total loss of main functions of critical information infrastructure, the competent authorities shall impose a fine of not less than 2,000,000 yuan but not more than 10,000,000 yuan, and order the suspension of relevant businesses, suspension of operations for rectification, closure of websites or applications, revocation of relevant business licenses or revocation of business licenses, in addition to imposing a fine of not less than 200,000 yuan but not more than 1,000,000 yuan on the directly responsible persons-in-charge.”

  2. A new article is added as Article 61:

    “Whoever, in violation of the provisions of Article 23 of this Law, sells or provides critical network equipment and specialized cybersecurity products that have not undergone security certification or testing, or have failed security certification, or failed to meet the requirements in security testing shall be ordered by the competent authorities to make corrections or terminate the illegal act, issued a warning, and have the illegal products and illegal gains confiscated. If the illegal gains exceed 100,000 yuan, an additional fine of not less than one time but not more than three times the illegal gains may be imposed. If there are no illegal gains or the illegal gains are less than 100,000 yuan, an additional fine of not less than 30,000 yuan but not more than 100,000 yuan may be imposed.”

  3. A new article is added as Article 64:

    “Whoever commits any of the acts specified in Items (1) and (2) of Article 60 and Article 63 of this Law and causes the consequences prescribed in Paragraph 3 of Article 59 of this Law shall be punished in accordance with the provisions of that paragraph.”

  4. Article 65 is renumbered as Article 67 and revised to read:

    “Where an operator of critical information infrastructure, in violation of the provisions of Article 35 of this Law, uses network products or services that have not undergone security review or have failed the security review, the competent authorities shall order it to make corrections within a time limit, eliminate the impact on national security, impose a fine of not less than one time but not more than ten times the procurement amount, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan on the directly responsible persons-in-charge and other directly liable personnel.”

  5. Article 68 and Item (1) of Article 69 are merged into a new Article 69, which is revised to read:

    “Where a network operator, in violation of the provisions of Article 47 of this Law, fails to stop the transmission of information prohibited by laws and administrative regulations, take such disposal measures as removal, keep relevant records, or report to the competent authorities; or in violation of the provisions of Article 50 of this Law, fails to stop the transmission of such prohibited information, take such disposal measures as removal, or keep relevant records in accordance with the requirements of the competent authorities, the competent authorities shall order it to make corrections, issue a warning and a circular of criticism, and may impose a fine of not less than 50,000 yuan but not more than 500,000 yuan. If it refuses to make corrections or the circumstances are serious, a fine of not less than 500,000 yuan but not more than 2,000,000 yuan shall be imposed. The competent authorities may also order the suspension of relevant businesses, suspension of operations for rectification, closure of websites or applications, revocation of relevant business licenses or revocation of business licenses, and impose a fine of not less than 50,000 yuan but not more than 200,000 yuan on the directly responsible persons-in-charge and other directly liable personnel.

    Where a network operator commits the illegal acts specified in the preceding paragraph and causes particularly serious impacts or consequences, the competent authorities shall impose a fine of not less than 2,000,000 yuan but not more than 10,000,000 yuan, and may order the suspension of relevant businesses, suspension of operations for rectification, closure of websites or applications, revocation of relevant business licenses or revocation of business licenses, and impose a fine of not less than 200,000 yuan but not more than 1,000,000 yuan on the directly responsible persons-in-charge and other directly liable personnel.

    Providers of electronic information sending services and providers of application software downloading services that fail to perform the security management obligations prescribed in Paragraph 2 of Article 48 of this Law shall be punished in accordance with the provisions of the preceding two paragraphs.”

  6. Paragraph 1 of Article 64, Article 66 and Article 70 are merged into a new Article 71, which is revised to read:

    “Whoever commits any of the following acts shall be handled and punished in accordance with the provisions of relevant laws and administrative regulations:

    (1) Publishing or transmitting information prohibited by Paragraph 2 of Article 12 of this Law and other laws and administrative regulations;

    (2) Violating the provisions of Paragraph 3 of Article 22 and Articles 41 to 43, thus infringing upon the legally protected rights and interests of personal information;

    (3) Violating the provisions of Article 37, where an operator of critical information infrastructure stores personal information and important data overseas or provides such information and data to overseas parties.”

  7. A new article is added as Article 72:

    “Where a network operator actively eliminates or mitigates the harmful consequences of its illegal act, or commits a minor illegal act that is promptly corrected without causing harmful consequences, or commits an illegal act for the first time with minor harmful consequences that is promptly corrected, it shall be given a lighter or mitigated administrative penalty, or be exempted from administrative penalty in accordance with the provisions of the Administrative Penalty Law of the People’s Republic of China.

    Competent authorities shall formulate corresponding benchmarks for the discretionary application of administrative penalties in accordance with their duties to regulate the exercise of discretionary power in imposing administrative penalties.”

  8. Certain articles are revised as follows:

    (1) Article 61 is renumbered as Article 62 and Article 62 as Article 63, and the phrase “closing of websites” therein is revised to “closing of websites or applications”.

    (2) Paragraph 2 of Article 64 is renumbered as Article 66.

    In addition, the serial numbers of the relevant articles are adjusted accordingly.

Explanation on the Draft Amendment to the Cybersecurity Law of the People’s Republic of China (for the Second Round of Public Comment)

The Party Central Committee attaches great importance to safeguarding national cybersecurity. General Secretary Xi Jinping has issued important instructions on multiple occasions, emphasizing that “without cybersecurity, there can be no national security, no stable operation of the economy and society, and it will be difficult to protect the interests of the broad masses of people”. The 20th National Congress of the Communist Party of China and the Third Plenary Session of the 20th Central Committee have made important arrangements for strengthening legislation in key, emerging, and foreign-related fields, and enhancing the systematicness, integrity, coordination, and timeliness of legislation. To implement the decisions and arrangements of the Party Central Committee, fulfill the Legislative Plan of the Standing Committee of the 14th National People’s Congress, and adapt to the new situation of cybersecurity, our office, together with relevant departments, has drafted the Draft Amendment to the Cybersecurity Law of the People’s Republic of China (for the Second Round of Public Comment) (hereinafter referred to as the Draft Amendment). The relevant details are explained as follows:

1. Background of the Revision

Since the Cybersecurity Law came into force in 2017, it has provided strong legal guarantees for safeguarding the sovereignty of cyberspace, national security, and public interests, as well as protecting the legitimate rights and interests of citizens, legal persons, and other organizations. As network and information technologies become increasingly integrated into social production and daily life, cybersecurity risks have become more prominent. Since 2021, relevant cybersecurity legislation such as the Data Security Law of the People’s Republic of China and the Personal Information Protection Law of the People’s Republic of China has been formulated and implemented successively, and the Administrative Penalty Law of the People’s Republic of China has been revised and issued. The Cybersecurity Law needs to adapt to the new situation, strengthen connection and coordination with these newly issued laws, scientifically optimize the relevant legal liability system, and further ensure cybersecurity.

In September 2023, the Legislative Plan of the Standing Committee of the 14th National People’s Congress was released, clearly listing the “revision of the Cybersecurity Law” as a “Category I item: draft laws that are relatively mature and planned to be submitted for deliberation during the term of office”. In March 2025, the Work Report of the Standing Committee of the National People’s Congress included the revision of the Cybersecurity Law in the legislative work tasks for 2025. Since the launch of the revision work, our office has maintained close communication with relevant departments and jointly promoted the revision. It has successively carried out research and investigation, drafted the draft amendment, solicited opinions from relevant central and state organs, and sought public comment. On the basis of earnestly listening to opinions from all sectors, the Draft Amendment has been formulated.

2. Ideas Guiding the Revision

In drafting the Draft Amendment, the following key points have been emphasized: First, adhering to the guidance of Xi Jinping Thought on Socialism with Chinese Characteristics for a New Era, and thoroughly implementing Xi Jinping Thought on the Rule of Law and General Secretary Xi Jinping’s important thoughts on building a strong cyber country. Second, adhering to a problem-oriented approach, focusing on strengthening cybersecurity legal liabilities and increasing the intensity of penalties for illegal acts. Third, adhering to systematic connection, strengthening the organic connection with relevant laws such as the Data Security Law, the Personal Information Protection Law, and the Administrative Penalty Law, and making reasonable arrangements for the types, scope, and intensity of administrative penalties. Fourth, adhering to classified governance, and scientifically formulating legal liabilities for different types of illegal acts such as network operation security and network information security.

3. Main Contents of the Revision

(1) Legal Liabilities for Network Operation Security

Combined with the actual consequences of endangering cybersecurity in practice, the Draft Amendment adds circumstances that cause serious cybersecurity consequences such as massive data leakage and partial loss of function of critical information infrastructure, as well as particularly serious cybersecurity consequences such as total loss of main functions of critical information infrastructure. It adjusts the fine range of Article 59 of the current Cybersecurity Law with reference to the Data Security Law and adds corresponding penalty provisions. A new legal liability is established for the sale or provision of critical network equipment and specialized cybersecurity products that have not undergone security certification or testing, or have failed security certification, or failed to meet the requirements in security testing. Meanwhile, it clarifies the disposal and penalty measures for operators of critical information infrastructure that use network products or services without security review or that have failed the security review.

(2) Legal Liabilities for Network Information Security

To guard against the new risks and challenges posed by network information content security risks to national security and political security under the new situation, the Draft Amendment improves the illegal circumstances targeted by Articles 68 and 69 of the current Cybersecurity Law by drawing on the recent law enforcement practices of network information content and the latest adjustments to legal liability systems in foreign related legislation. It adjusts the legal liabilities for failing to report to competent authorities or failing to stop the transmission of prohibited information and take disposal measures such as removal as required by the authorities, and clarifies the disposal and penalty measures for illegal acts that cause particularly serious impacts or consequences.

(3) Legal Liabilities for the Security of Personal Information and Important Data

In view of the new specific provisions on penalties for illegal acts related to personal information and important data involved in Paragraph 1 of Article 64 and Article 66 of the current Cybersecurity Law, as stipulated in the Data Security Law, the Personal Information Protection Law and other relevant laws and administrative regulations, the Draft Amendment clarifies the provisions on cross-reference application.

(4) Circumstances for Lighter, Mitigated, or Exempted Administrative Penalties

Considering the applicable relationship between the Cybersecurity Law and the Administrative Penalty Law, a new connecting provision is added in the Draft Amendment. It clarifies that network operators who actively eliminate or mitigate harmful consequences, commit minor illegal acts that are promptly corrected without causing harm, or commit an illegal act for the first time with minor consequences that is promptly corrected shall be given lighter or mitigated penalties, or be exempted from penalties in accordance with the law. It also specifies that competent authorities shall formulate corresponding benchmarks for the discretionary application of administrative penalties in accordance with their duties.
