
Cybersecurity Law of the People's Republic of China (2025 Amendment).

中华人民共和国网络安全法(2025 修正)

Promulgated by: Standing Committee of the National People’s Congress.
Originally adopted at the 24th Session of the Standing Committee of the 12th National People’s Congress on November 7, 2016.
Amended in accordance with the Decision on Amending the Cybersecurity Law of the People’s Republic of China adopted at the 18th Session of the Standing Committee of the 14th National People’s Congress on October 28, 2025.
Amendment takes effect January 1, 2026.


Chapter 1 General Provisions

Article 1. In order to safeguard cybersecurity, maintain cyber sovereignty and national security, protect the public interest of society, protect the lawful rights and interests of citizens, legal persons and other organizations, and promote the healthy development of economic and social informatization, this Law is hereby formulated.

Article 2. This Law shall apply to the construction, operation, maintenance and use of networks within the territory of the People’s Republic of China, as well as the supervision and administration of cybersecurity.

Article 3. Cybersecurity work shall adhere to the leadership of the Communist Party of China, implement the overall national security concept, coordinate development and security, and advance the building of a cyber power.

Article 4. The State shall uphold equal emphasis on cybersecurity and informatization development, follow the policy of proactive utilization, scientific development, law-based administration, and ensuring security, advance the construction and interconnection of network infrastructure, encourage innovation and application of network technologies, support the cultivation of cybersecurity professionals, establish and improve a cybersecurity , and enhance cybersecurity protection capabilities.

Article 5. The State shall formulate and continuously improve a national cybersecurity strategy, clarify the basic requirements and main objectives for safeguarding cybersecurity, and put forward cybersecurity policies, tasks and measures in key areas.

Article 6. The State shall take measures to monitor, defend against, and address cybersecurity risks and threats originating within and outside the People’s Republic of China, protect critical information infrastructure from attacks, intrusions, interference and destruction, punish cyber-related illegal and criminal activities in accordance with the law, and maintain security and order in cyberspace.

Article 7. The State shall advocate honest and trustworthy, healthy and civilized behavior on the Internet, promote the dissemination of the core socialist values, take measures to enhance the cybersecurity awareness and capacity of the whole society, and foster a favorable environment for the joint participation of the whole society in promoting cybersecurity.

Article 8. The State shall actively carry out international exchanges and cooperation in cyberspace governance, network technology research and development and standard-setting, combating cyber-related illegal and criminal activities, promote the building of a peaceful, secure, open and cooperative cyberspace, and establish a multilateral, democratic and transparent system of Internet governance.

Article 9. The national cyberspace administration shall be responsible for overall coordination of cybersecurity work and relevant supervision and administration. The telecommunications authority under the State Council, public security authorities, and other relevant authorities shall, within their respective responsibilities and in accordance with this Law and relevant laws and administrative regulations, be responsible for cybersecurity protection and supervision and administration. The cybersecurity protection and supervision and administration responsibilities of the relevant departments of local people’s governments at or above the county level shall be determined in accordance with relevant State provisions.

Article 10. Network operators, when carrying out business and service activities, shall comply with laws and administrative regulations, respect social morality, observe commercial ethics, act in good faith, perform cybersecurity protection obligations, accept supervision by the government and society, and assume social responsibility.

Article 11. Those who construct or operate networks or provide services through networks shall, in accordance with the provisions of laws and administrative regulations and the mandatory requirements under national standards, take technical and other necessary measures to ensure cybersecurity and stable operation, effectively respond to cybersecurity incidents, prevent cyber-related illegal and criminal activities, and maintain the integrity, confidentiality and availability of network data.

Article 12. Industry organizations related to networks shall, in accordance with their charters, strengthen industry self-discipline, formulate codes of conduct for cybersecurity, guide members to strengthen cybersecurity protection, improve cybersecurity protection levels, and promote the healthy development of the industry.

Article 13. The State shall protect the right of citizens, legal persons and other organizations to lawfully use networks, promote universal network access, enhance the level of network services, provide the society with secure and convenient network services, and ensure the lawful, orderly and free flow of network information. Any individual or organization using networks shall comply with the Constitution and laws, observe public order, respect social morality, shall not endanger cybersecurity, and shall not use networks to engage in activities that endanger national security, honor and interests, incite subversion of state power, overthrow the socialist system, incite the splitting of the State, undermine national unity, advocate terrorism or extremism, advocate ethnic hatred or ethnic discrimination, disseminate violent or obscene pornographic information, fabricate or disseminate false information to disrupt economic order and social order, or infringe upon the reputation, privacy, intellectual property rights and other lawful rights and interests of others.

Article 14. The State shall support the research and development of network products and services conducive to the healthy growth of minors, punish in accordance with the law activities carried out via networks that harm the physical and mental health of minors, and provide a secure and healthy online environment for minors.

Article 15. Any individual or organization shall have the right to report to the cyberspace, telecommunications, public security and other departments acts that endanger cybersecurity. The departments receiving reports shall promptly handle them in accordance with the law; if the matter does not fall within the functions of the department, it shall be promptly transferred to the department with authority to handle it. Relevant departments shall keep confidential the relevant information of the whistleblower and protect the lawful rights and interests of the whistleblower.

Chapter 2 Support and Promotion of Cybersecurity

Article 16. The State shall establish and improve the system of cybersecurity standards. The standardization administrative authority under the State Council and other relevant departments under the State Council shall, based on their respective responsibilities, organize the formulation and timely revision of national and industry standards related to cybersecurity management as well as the security of network products, services and operations. The State shall support enterprises, research institutions, higher education institutions, and industry organizations related to networks in participating in the formulation of national and industry standards for cybersecurity.

Article 17. The State Council and the people’s governments of provinces, autonomous regions, and municipalities directly under the Central Government shall make overall plans, increase investment, support key cybersecurity technology industries and projects, support the research, development and application of cybersecurity technologies, promote secure and trustworthy network products and services, protect intellectual property rights in network technologies, and support enterprises, research institutions and higher education institutions in participating in national cybersecurity technology innovation projects.

Article 18. The State shall advance the construction of a socialized service system for cybersecurity, and encourage relevant enterprises and institutions to carry out security services such as cybersecurity certification, testing and risk assessment.

Article 19. The State shall encourage the development of technologies for the protection and utilization of network data security, promote the opening of public data resources, and advance technological innovation and economic and social development.

Article 20. The State shall support basic theoretical research on artificial intelligence and the research and development of key technologies such as algorithms, advance the construction of infrastructure such as training data resources and computing power, improve ethical norms for artificial intelligence, strengthen risk monitoring and assessment and safety supervision, and promote the application and healthy development of artificial intelligence. The State shall support innovation in cybersecurity management methods, and use new technologies such as artificial intelligence to enhance cybersecurity protection levels.

Article 21. People’s governments at all levels and their relevant departments shall organize regular cybersecurity publicity and education, and guide and supervise relevant entities to carry out cybersecurity publicity and education properly. Mass media shall, in a targeted manner, conduct cybersecurity publicity and education towards society.

Article 22. The State shall support enterprises and higher education institutions, vocational schools and other education and training institutions in carrying out education and training related to cybersecurity, adopt various means to cultivate cybersecurity talents, and promote exchanges of cybersecurity talents.

Chapter 3 Security of Network Operations

Section 1 General Provisions

Article 23. The State shall implement a cybersecurity multi-level protection scheme. Network operators shall, in accordance with the requirements of the cybersecurity multi-level protection scheme, perform the following security protection obligations to ensure that networks are protected from interference, damage or unauthorized access, and to prevent leakage, theft or tampering of network data:

(1) formulate internal security management rules and operating procedures, designate persons responsible for cybersecurity, and implement cybersecurity protection responsibilities;

(2) take technical measures to prevent behaviors endangering cybersecurity such as computer viruses, cyberattacks, and network intrusions;

(3) take technical measures to monitor and record the status of network operations and cybersecurity incidents, and retain relevant network logs for not less than six months as required;

(4) take measures such as data classification, backup of important data, and encryption;

(5) other obligations as prescribed by laws and administrative regulations.

Article 24. Network products and services shall meet the mandatory requirements under relevant national standards. Providers of network products and services shall not set malicious programs; upon discovering risks such as security defects and vulnerabilities in their network products or services, they shall immediately take remedial measures, promptly inform users in accordance with provisions and report to the competent authorities. Providers of network products and services shall continuously provide security maintenance for their products and services; within the prescribed period or the period agreed upon by the parties, they shall not cease to provide security maintenance. Where network products or services have functions to collect user information, their providers shall explicitly inform users and obtain consent; where personal information of users is involved, they shall also comply with this Law and relevant laws and administrative regulations regarding the protection of personal information.

Article 25. Key network equipment and specialized cybersecurity products shall, in accordance with the mandatory requirements under relevant national standards, be sold or provided only after being certified for security by qualified institutions or passing security testing meeting the requirements. The national cyberspace administration, in conjunction with relevant departments under the State Council, shall formulate and publish catalogues of key network equipment and specialized cybersecurity products, and promote mutual recognition of security certification and security testing results to avoid repeated certification and testing.

Article 26. When network operators handle network access, domain name registration services, procedures for fixed-line and mobile phone network access, or provide information publication, instant messaging and other services for users, they shall, when concluding agreements with users or confirming the provision of services, require users to provide real identity information. Where users do not provide real identity information, network operators shall not provide them with relevant services. The State shall implement a strategy of trustworthy network identity, support the research and development of secure and convenient electronic identity authentication technologies, and promote mutual recognition among different electronic identity authentications.

Article 27. Network operators shall formulate contingency plans for cybersecurity incidents, and promptly address security risks such as system vulnerabilities, computer viruses, cyberattacks, and network intrusions; when incidents endangering cybersecurity occur, they shall immediately activate contingency plans, take corresponding remedial measures, and report to the competent authorities in accordance with provisions.

Article 28. Those carrying out cybersecurity certification, testing, risk assessment and other activities, or releasing to society cybersecurity information such as system vulnerabilities, computer viruses, cyberattacks, and network intrusions, shall comply with relevant State provisions.

Article 29. No individual or organization may engage in activities that endanger cybersecurity, such as illegal intrusion into another’s network, interference with the normal functions of another’s network, or theft of network data; no individual or organization may provide programs or tools specifically used to engage in activities that endanger cybersecurity such as intrusion into networks, interference with the normal functions and protection measures of networks, or theft of network data; and those who knowingly engage in activities that endanger cybersecurity shall not be provided with technical support, advertisement promotion, payment settlement and other assistance.

Article 30. Network operators shall provide technical support and assistance to public security authorities and national security authorities in their lawful activities to safeguard national security and investigate crimes.

Article 31. The State shall support cooperation among network operators in areas such as the collection, analysis, notification and emergency response of cybersecurity information, so as to improve the security of network operators. Relevant industry organizations shall establish and improve cybersecurity protection norms and collaboration mechanisms within their industries, strengthen analysis and assessment of cybersecurity risks, regularly issue risk alerts to their members, and support and assist members in responding to cybersecurity risks.

Article 32. Information obtained by the cyberspace administration and relevant departments in performing cybersecurity protection responsibilities shall only be used for the needs of maintaining cybersecurity, and shall not be used for other purposes.

Section 2 Security of Operations of Critical Information Infrastructure

Article 33. The State shall, on the basis of the cybersecurity multi-level protection scheme, implement focused protection with respect to critical information infrastructure in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other infrastructure that, once damaged, losing functionality or suffering data leakage, may seriously endanger national security, the national economy and people’s livelihood, and the public interest. The specific scope of critical information infrastructure and the measures for security protection shall be formulated by the State Council. The State shall encourage network operators outside critical information infrastructure to voluntarily participate in the system of critical information infrastructure protection.

Article 34. In accordance with the division of responsibilities prescribed by the State Council, departments responsible for the security protection of critical information infrastructure shall respectively formulate and organize the implementation of security plans for critical information infrastructure in their respective industries and fields, and guide and supervise the security protection of the operation of critical information infrastructure.

Article 35. The construction of critical information infrastructure shall ensure performance that supports stable and continuous operation of business, and ensure that security technical measures are planned, constructed, and used concurrently.

Article 36. In addition to the provisions of Article 23 of this Law, operators of critical information infrastructure shall also perform the following security protection obligations:

(1) establish specialized security management institutions and designate persons responsible for security management, and conduct security background checks on such persons and personnel in key positions;

(2) periodically carry out cybersecurity education, technical training and competency assessments for employees;

(3) implement disaster recovery backup for important systems and databases;

(4) formulate contingency plans for cybersecurity incidents and conduct regular drills;

(5) other obligations as prescribed by laws and administrative regulations.

Article 37. Where operators of critical information infrastructure procure network products and services that may affect national security, they shall undergo a national security review organized by the national cyberspace administration in conjunction with relevant departments under the State Council.

Article 38. Operators of critical information infrastructure that procure network products and services shall, in accordance with provisions, sign security and confidentiality agreements with the providers, and clarify security and confidentiality obligations and responsibilities.

Article 39. Personal information and important data collected and generated in the course of operations by operators of critical information infrastructure within the territory of the People’s Republic of China shall be stored within the territory. Where, due to business needs, it is truly necessary to provide such information and data overseas, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration in conjunction with relevant departments under the State Council; where laws or administrative regulations provide otherwise, such provisions shall govern.

Article 40. Operators of critical information infrastructure shall, on their own or by entrusting cybersecurity service institutions, conduct at least once a year security testing and assessment of their networks’ security and potential risks, and submit the status of testing and assessment and measures for improvement to the departments responsible for the security protection of critical information infrastructure.

Article 41. The national cyberspace administration shall coordinate relevant departments to take the following measures for the security protection of critical information infrastructure:

(1) conduct spot checks and testing of the security risks of critical information infrastructure, put forward measures for improvement, and where necessary entrust cybersecurity service institutions to test and assess security risks existing in networks;

(2) regularly organize operators of critical information infrastructure to conduct cybersecurity emergency drills to improve the level of responding to cybersecurity incidents and the capacity for coordination;

(3) promote the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure, and relevant research institutions and cybersecurity service institutions;

(4) provide technical support and assistance for emergency response to cybersecurity incidents and the restoration of network functions.

Chapter 4 Security of Network Information

Article 42. Network operators shall keep strictly confidential the user information they collect, and establish and improve user information protection systems. Network operators, when processing personal information, shall comply with this Law and the provisions of laws and administrative regulations such as the Civil Code of the People’s Republic of China and the Personal Information Protection Law of the People’s Republic of China.

Article 43. Network operators, when collecting and using personal information, shall follow the principles of legality, legitimacy and necessity, make public their rules for collection and use, explicitly inform the purposes, methods and scope of collection and use of information, and obtain the consent of the person being collected. Network operators shall not collect personal information irrelevant to the services they provide, shall not collect or use personal information in violation of laws and administrative regulations and the agreements between the parties, and shall, in accordance with laws and administrative regulations and their agreements with users, handle personal information they retain.

Article 44. Network operators shall not divulge, tamper with or damage personal information they collect; without the consent of the person being collected, they shall not provide personal information to others. However, where personal information has been processed so that specific individuals cannot be identified and cannot be restored, the foregoing shall not apply. Network operators shall take technical and other necessary measures to ensure the security of the personal information they collect and prevent information leakage, damage or loss. When situations of personal information leakage, damage or loss occur or may occur, they shall immediately take remedial measures, promptly inform users in accordance with provisions and report to the competent authorities.

Article 45. Where individuals find that network operators collect or use their personal information in violation of the provisions of laws and administrative regulations or the agreements between the parties, they have the right to request the network operators to delete their personal information; where they find errors in their personal information collected or stored by network operators, they have the right to request network operators to correct such information. Network operators shall take measures to delete or correct it.

Article 46. No individual or organization may steal or obtain personal information through other illegal means, or illegally sell or illegally provide personal information to others.

Article 47. Departments with statutory responsibilities for supervision and administration of cybersecurity and their staff shall keep strictly confidential the personal information, privacy and commercial secrets they become aware of in the course of performing their duties, and shall not divulge, sell or illegally provide them to others.

Article 48. Any individual or organization shall be responsible for the acts of their use of networks, and shall not establish websites or communication groups used to commit fraud, teach methods of committing crimes, or manufacture or sell prohibited items or controlled items and other illegal and criminal activities, and shall not use networks to release information involving the commission of fraud, manufacture or sale of prohibited items or controlled items and other illegal and criminal activities.

Article 49. Network operators shall strengthen the management of information published by their users; upon discovering information whose publication or transmission is prohibited by laws and administrative regulations, they shall immediately cease transmission of such information, take measures such as removal to dispose of it, prevent the spread of information, preserve relevant records, and report to the competent authorities.

Article 50. Any individual or organization that sends electronic information or provides application software shall not set malicious programs and shall not contain information the publication or transmission of which is prohibited by laws and administrative regulations. Providers of electronic information transmission services and application download services shall perform security management obligations; where they become aware that their users engage in the acts prescribed in the preceding paragraph, they shall stop providing services, take measures such as removal to dispose of it, preserve relevant records, and report to the competent authorities.

Article 51. Network operators shall establish systems for complaints and reports regarding network information security, publish information such as modes of complaints and reports, and promptly accept and handle complaints and reports regarding network information security. Network operators shall cooperate with supervision and inspection lawfully carried out by the cyberspace administration and relevant departments.

Article 52. Where the national cyberspace administration and relevant departments, in the course of lawfully performing their network information security supervision and administration responsibilities, discover information whose publication or transmission is prohibited by laws and administrative regulations, they shall require network operators to cease transmission, take measures such as removal to dispose of it, and preserve relevant records; with respect to the above information originating outside the People’s Republic of China, they shall notify relevant institutions to take technical and other necessary measures to block transmission.

Chapter 5 Monitoring, Early Warning and Emergency Response

Article 53. The State shall establish systems for cybersecurity monitoring and early warning and information notification. The national cyberspace administration shall coordinate relevant departments to strengthen the collection, analysis and notification of cybersecurity information, and uniformly release cybersecurity monitoring and early warning information in accordance with provisions.

Article 54. Departments responsible for the security protection of critical information infrastructure shall establish and improve cybersecurity monitoring and early warning and information notification systems in their respective industries and fields, and submit cybersecurity monitoring and early warning information in accordance with provisions.

Article 55. The national cyberspace administration shall coordinate relevant departments to establish and improve mechanisms for cybersecurity risk assessment and emergency response work, formulate contingency plans for cybersecurity incidents, and organize regular drills. Departments responsible for the security protection of critical information infrastructure shall formulate contingency plans for cybersecurity incidents in their respective industries and fields, and organize regular drills. Contingency plans for cybersecurity incidents shall classify cybersecurity incidents according to factors such as the degree of harm and scope of impact after an incident occurs, and provide corresponding emergency response measures.

Article 56. When the risk of cybersecurity incidents increases, relevant departments of people’s governments at or above the provincial level shall, in accordance with prescribed authority and procedures and based on the characteristics of cybersecurity risks and the possible harm, take the following measures:

(1) require relevant departments, institutions and personnel to promptly collect and report relevant information, and strengthen the monitoring of cybersecurity risks;

(2) organize relevant departments, institutions and professionals to analyze and assess cybersecurity risk information, and forecast the likelihood of incidents, scope of impact and degree of harm;

(3) release cybersecurity risk early warnings to society, and publish measures to avoid or mitigate harm.

Article 57. Upon the occurrence of cybersecurity incidents, contingency plans for cybersecurity incidents shall be immediately activated, cybersecurity incidents shall be investigated and assessed, network operators shall be required to take technical and other necessary measures to eliminate security hazards, prevent harm from expanding, and timely release to the public warning information involving the public.

Article 58. Where relevant departments of people’s governments at or above the provincial level discover, in the course of performing cybersecurity supervision and administration responsibilities, that networks have significant security risks or that security incidents have occurred, they may, in accordance with prescribed authority and procedures, conduct interviews with the legal representative or principal person-in-charge of the operator of the network. Network operators shall take measures as required, implement rectification, and eliminate hidden dangers.

Article 59. Where emergencies or production safety accidents occur due to cybersecurity incidents, they shall be dealt with in accordance with relevant provisions of laws and administrative regulations such as the Emergency Response Law of the People’s Republic of China and the Work Safety Law of the People’s Republic of China.

Article 60. Where, for the purpose of maintaining national security and social public order, it is necessary to address major emergent social security incidents, temporary measures such as restrictions on network communications may, upon decision or approval by the State Council, be taken within specific regions.

Article 61. Where network operators fail to perform the cybersecurity protection obligations prescribed in Articles 23 and 27 of this Law, the competent authorities shall order corrections, give warnings, and may impose a fine of not less than RMB 10,000 but not more than RMB 50,000; where they refuse to make corrections or cause consequences such as harm to cybersecurity, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and the person-in-charge directly responsible and other directly liable persons shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Where operators of critical information infrastructure fail to perform the cybersecurity protection obligations prescribed in Articles 35, 36, 38 and 40 of this Law, the competent authorities shall order corrections, give warnings, and may impose a fine of not less than RMB 50,000 but not more than RMB 100,000; where they refuse to make corrections or cause consequences such as harm to cybersecurity, a fine of not less than RMB 100,000 but not more than RMB 1,000,000 shall be imposed, and the person-in-charge directly responsible and other directly liable persons shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Where the acts under the preceding two paragraphs cause serious consequences that harm cybersecurity, such as leakage of a large amount of data or partial functional loss of critical information infrastructure, the competent authorities shall impose a fine of not less than RMB 500,000 but not more than RMB 2,000,000 on the operator, and shall impose a fine of not less than RMB 50,000 but not more than RMB 200,000 on the person-in-charge directly responsible and other directly liable persons; where particularly serious consequences that harm cybersecurity occur, such as the loss of main functions of critical information infrastructure, a fine of not less than RMB 2,000,000 but not more than RMB 10,000,000 shall be imposed, and a fine of not less than RMB 200,000 but not more than RMB 1,000,000 shall be imposed on the person-in- charge directly responsible and other directly liable persons. 2025

Article 62. Where any of the following acts is committed in violation of the first and second paragraphs of Article 24 and the first paragraph of Article 50 of this Law, the competent authorities shall order corrections and give warnings; where corrections are refused or consequences such as harm to cybersecurity are caused, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed on the operator, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible:

(1) setting malicious programs;

(2) failing to immediately adopt remedial measures for risks such as security defects and vulnerabilities existing in its products or services, or failing to promptly inform users in accordance with provisions and report to the competent authorities;

(3) arbitrarily ceasing the provision of security maintenance for its products or services.

Where any of the acts under items (1) and (2) of the preceding paragraph results in the consequences prescribed in the third paragraph of Article 61 of this Law, punishments shall be imposed in accordance with that paragraph.

Article 63. Where any person sells or provides key network equipment or specialized cybersecurity products without security certification or security testing, or where such certification is not passed or such testing does not meet the requirements, in violation of Article 25 of this Law, the competent authorities shall order the cessation of sales or provision, give warnings, and confiscate illegal gains; where there are no illegal gains or such gains are less than RMB 100,000, a fine of not less than RMB 20,000 but not more than RMB 100,000 shall be imposed; where illegal gains are RMB 100,000 or more, a fine of not less than one time but not more than five times the amount of illegal gains shall be imposed; where circumstances are serious, an order may be given to suspend relevant business, suspend business for rectification, revoke relevant business permits or revoke the business license. Where laws or administrative regulations provide otherwise, such provisions shall govern.

Article 64. Where network operators, in violation of the first paragraph of Article 26 of this Law, fail to require users to provide real identity information, or provide relevant services to users who do not provide real identity information, the competent authorities shall order corrections; where corrections are refused or circumstances are serious, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and an order may be given to suspend relevant business, suspend business for rectification, shut down websites or applications, revoke relevant business permits or revoke the business license, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons.

Article 65. Where any person, in violation of Article 28 of this Law, carries out cybersecurity certification, testing, risk assessment and other activities, or releases to society cybersecurity information such as system vulnerabilities, computer viruses, cyberattacks, and network intrusions, the competent authorities shall order corrections, give warnings, and may impose a fine of not less than RMB 10,000 but not more than RMB 100,000; where corrections are refused or circumstances are serious, a fine of not less than RMB 100,000 but not more than RMB 1,000,000 shall be imposed, and an order may be given to suspend relevant business, suspend business for rectification, shut down websites or applications, revoke relevant business permits or revoke the business license, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons.

Where the act under the preceding paragraph results in the consequences prescribed in the third paragraph of Article 61 of this Law, punishments shall be imposed in accordance with that paragraph.

Article 66. Where any person, in violation of Article 29 of this Law, engages in activities that endanger cybersecurity, or provides programs or tools specifically used to engage in activities that endanger cybersecurity, or provides technical support, advertisement promotion, payment settlement and other assistance for others to engage in activities that endanger cybersecurity, and the circumstances do not constitute a crime, the public security authorities shall confiscate illegal gains and impose detention of not more than five days, and may concurrently impose a fine of not less than RMB 50,000 but not more than RMB 500,000; where circumstances are relatively serious, detention of not less than five days but not more than fifteen days shall be imposed, and a fine of not less than RMB 100,000 but not more than RMB 1,000,000 may concurrently be imposed.

Where such acts are committed by an entity, the public security authorities shall confiscate illegal gains and impose a fine of not less than RMB 100,000 but not more than RMB 1,000,000 on the entity, and punish the person-in-charge directly responsible and other directly liable persons in accordance with the preceding paragraph.

Personnel who, in violation of Article 29 of this Law, receive public security administrative punishment shall not engage in work in key positions of cybersecurity management and network operations within five years; personnel who receive criminal punishment shall never engage in work in key positions of cybersecurity management and network operations.

Article 67. Where operators of critical information infrastructure, in violation of Article 37 of this Law, use network products or services that have not undergone security review or have not passed security review, the competent authorities shall order corrections within a time limit, order cessation of use, eliminate the impact on national security, and impose a fine of not less than one time but not more than ten times the procurement amount, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons.

Article 68. Where any person, in violation of Article 48 of this Law, establishes websites or communication groups used to carry out illegal and criminal activities, or uses networks to publish information involving the commission of illegal and criminal activities, and the circumstances do not constitute a crime, the public security authorities shall impose detention of not more than five days, and may concurrently impose a fine of not less than RMB 10,000 but not more than RMB 100,000; where circumstances are relatively serious, detention of not less than five days but not more than fifteen days shall be imposed, and a fine of not less than RMB 50,000 but not more than RMB 500,000 may concurrently be imposed. Websites or communication groups used to carry out illegal and criminal activities shall be shut down.

Where such acts are committed by an entity, the public security authorities shall impose a fine of not less than RMB 100,000 but not more than RMB 500,000 on the entity, and punish the person-in-charge directly responsible and other directly liable persons in accordance with the preceding paragraph.

Article 69. Where network operators, in violation of Article 49 of this Law, fail to cease transmission, take measures such as removal to dispose of it, preserve relevant records, report to the competent authorities with respect to information whose publication or transmission is prohibited by laws and administrative regulations, or, in violation of Article 52 of this Law, fail to cease transmission, take measures such as removal to dispose of it, preserve relevant records in accordance with requirements of relevant departments with respect to information whose publication or transmission is prohibited by laws and administrative regulations, the competent authorities shall order corrections, give warnings and issue circulars, and may impose a fine of not less than RMB 50,000 but not more than RMB 500,000; where corrections are refused or circumstances are serious, a fine of not less than RMB 500,000 but not more than RMB 2,000,000 shall be imposed, and an order may be given to suspend relevant business, suspend business for rectification, shut down websites or applications, revoke relevant business permits or revoke the business license, and a fine of not less than RMB 50,000 but not more than RMB 200,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons.

Where the act under the preceding paragraph causes particularly serious impact or particularly serious consequences, the competent authorities shall impose a fine of not less than RMB 2,000,000 but not more than RMB 10,000,000, and order suspension of relevant business, suspension of business for rectification, shutting down websites or applications, revocation of relevant business permits or revocation of the business license, and impose a fine of not less than RMB 200,000 but not more than RMB 1,000,000 on the person-in-charge directly responsible and other directly liable persons.

Where providers of electronic information transmission services or application download services fail to perform the security management obligations prescribed in the second paragraph of Article 50 of this Law, punishments shall be imposed in accordance with the preceding two paragraphs.

Article 70. Where network operators commit any of the following acts in violation of this Law, the competent authorities shall order corrections; where corrections are refused or circumstances are serious, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person-in-charge directly responsible and other directly liable persons:

(1) refusing or obstructing supervision and inspection lawfully carried out by relevant departments;

(2) refusing to provide technical support and assistance to public security authorities and national security authorities.

Article 71. Where any of the following acts is committed, handling and punishment shall be carried out in accordance with relevant laws and administrative regulations:

(1) publishing or transmitting information prescribed in the second paragraph of Article 13 of this Law and other information the publication or transmission of which is prohibited by laws and administrative regulations;

(2) infringing personal information rights and interests in violation of the third paragraph of Article 24 and Articles 43 to 45 of this Law;

(3) storing personal information and important data overseas or providing personal information and important data overseas by operators of critical information infrastructure in violation of Article 39 of this Law.

Where any person, in violation of Article 46 of this Law, steals or obtains personal information through other illegal means, illegally sells or illegally provides personal information to others, and the circumstances do not constitute a crime, the public security authorities shall impose punishment in accordance with relevant laws and administrative regulations.

Article 72. Where illegal acts prescribed in this Law are committed, they shall be recorded in credit archives in accordance with relevant laws and administrative regulations, and be made public.

Article 73. Where violations of this Law occur but circumstances for lighter, mitigated or exemption from punishment prescribed in the Administrative Penalty Law of the People’s Republic of China exist, lighter, mitigated or exemption from punishment shall be applied in accordance with such provisions.

Article 74. Where operators of government affairs networks of State organs fail to perform the cybersecurity protection obligations prescribed in this Law, their superior organs or relevant organs shall order corrections; the person-in-charge directly responsible and other directly liable persons shall be sanctioned in accordance with the law.

Article 75. Where the cyberspace administration and relevant departments, in violation of Article 32 of this Law, use information obtained in the course of performing cybersecurity protection responsibilities for other purposes, the person-in-charge directly responsible and other directly liable persons shall be sanctioned in accordance with the law.

Where staff of the cyberspace administration and relevant departments commit negligence of duty, abuse of power or engage in malpractices for personal gain, and the circumstances do not constitute a crime, they shall be sanctioned in accordance with the law.

Article 76. Where violations of this Law cause harm to others, civil liability shall be borne in accordance with the law. Where violations of this Law constitute acts violating public security administration, public security administrative punishments shall be imposed in accordance with the law; where they constitute crimes, criminal liability shall be pursued in accordance with the law.

Article 77. Where institutions, organizations or individuals outside the territory engage in activities that endanger the cybersecurity of the People’s Republic of China, legal liability shall be pursued in accordance with the law; where serious consequences are caused, the public security department under the State Council and relevant departments may also decide to take measures such as freezing property or other necessary sanctions against such institutions, organizations or individuals.

Chapter 7 Supplementary Provisions

Article 78. The meanings of the following terms under this Law are:

(1) Network means a system composed of computers or other information terminals and related equipment which, in accordance with certain rules and procedures, collects, stores, transmits, exchanges, and processes information.

(2) Cybersecurity means, by taking necessary measures, preventing attacks, intrusions, interference, destruction and illegal use of networks as well as accidents, bringing networks into a state of stable and reliable operation, and the capability to ensure the integrity, confidentiality and availability of network data.

(3) Network operator means the owner, administrator and network service provider of a network.

(4) Network data means various electronic data collected, stored, transmitted, processed and generated through networks.

(5) Personal information means various information recorded in electronic or other forms that can identify a natural person’s personal identity, alone or in combination with other information, including but not limited to the natural person’s name, date of birth, identification number, personal biometric information, address, telephone number, etc.

Article 79. In addition to complying with this Law, the security protection of the operation of networks that store or process information involving State secrets shall comply with the provisions of secrecy laws and administrative regulations.

Article 80. The security protection of military networks shall be separately prescribed by the Central Military Commission.

Article 81. This Law shall come into force on June 1, 2017.

§ COMMENTARY

Briefs on this law.

7 briefs reference this law.

  • § 01 · ANONYMIZATION

    Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime

    Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading.

    anonymization · personal-information · data-economy
  • § 02 · ANONYMIZATION

    From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative

    The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.

    anonymization · personal-information · de-identification
  • § 03 · AI-GOVERNANCE

    Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI

    Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.

    ai-governance · open-source · training-data
  • § 04 · ENFORCEMENT

    MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse

    MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.

    enforcement · miit · app-compliance
  • § 05 · CSL

    China's Cybersecurity Law Just Got Teeth — The 2025 Amendment and What Changed

    On October 28, 2025, the NPC Standing Committee adopted the first amendment to China's Cybersecurity Law since 2017, effective January 1, 2026. Compliance Talker's global legal policy team walks through what changed across 14 amendments: a new framework provision on AI safety and development, harmonization with PIPL and the Civil Code on personal information, sharply increased penalties (10× cap on top fines), expanded application of the dual-penalty system to individual officers, and broader extraterritorial reach. For overseas teams, the operational takeaway is that cybersecurity compliance is now an executive-level risk, not a documentation exercise.

    csl · csl-2025-amendment · ai-governance
  • § 06 · CROSS-BORDER

    Mutual Trust Mechanisms for Cross-Border Data Flow — China's 'Trusted Data Space' Bet

    Compliance Talker's global legal policy team analyzes three competing models for cross-border data mutual trust: the EU's 'rule trust' (adequacy + SCC), the US's 'market trust' (CLOUD Act + DPF), and China's 'technology trust' bet on Trusted Data Spaces (TDS). The NDA's November 2024 *TDS Development Action Plan 2024-2028* makes confidential computing, federated learning, and blockchain the technical layer through which China seeks to demonstrate cross-border data flow can be 'usable but invisible.' For overseas teams, this is the most concrete view of where Chinese cross-border data infrastructure is heading.

    cross-border · trusted-data-space · confidential-computing
  • § 07 · IMPORTANT-DATA

    How to Identify 'Important Data' — A Plain-Language Method from Wang Qinglan

    Wang Qinglan, head of compliance at a Chinese data exchange, walks through China's unique 'important data' concept in plain language: where it came from, why no other major jurisdiction has anything quite like it, how the U.S., EU, Japan and Korea solve the same problem differently, and — most useful for compliance teams — three methods to identify whether a dataset is 'important' in practice. Her own 'unorthodox' shortcut: ask whether a hostile foreign actor could use this data to cause trouble. If yes, treat it as important data.

    important-data · data-classification · cross-border