---
title_en: "Cybercrime Prevention Law (Draft for Public Consultation)"
title_zh: "网络犯罪防治法（征求意见稿）"
abbreviation: "Cybercrime Prevention Law (Draft)"
hierarchy: "draft"
issuing_body: "Ministry of Public Security (drafting); for eventual enactment by the NPC Standing Committee"
status: "draft"
related_laws: ["csl", "dsl", "pipl", "cybersecurity-review-measures", "network-data-security-regulations", "genai-services-interim-measures", "minors-online-protection-regulations"]
domains: ["data-security", "cross-border", "enforcement"]
url: https://datacompliancechina.com/laws/cybercrime-prevention-law-draft/
summary: "China's first standalone, comprehensive cybercrime statute, drafted by the Ministry of Public Security with a comment period that closed March 2, 2026. It goes well beyond the Criminal Law's cybercrime provisions to build a full prevention and governance framework: real-name controls over phone cards, bank accounts, and network accounts; a fifteen-item catalogue of prohibited \"cybercrime ecosystem\" conduct such as technical support, financial support, and personal-information or data misuse; tiered monitoring and reporting duties for ten categories of internet service, including a special obligation for AI service providers to detect and block abuse of their services; and cross-border tools including technical blocking of offshore actors, asset seizure, and entry/exit bans. Overseas counsel should read it closely for Article 2's extraterritorial reach, which extends to any offshore entity serving PRC users whose conduct harms China's national security, public interest, or the lawful rights of PRC citizens or organizations."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/cybercrime-prevention-law-draft/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Cybercrime Prevention Law (Draft for Public Consultation)", https://datacompliancechina.com/laws/cybercrime-prevention-law-draft/
**Promulgated by:** Ministry of Public Security (drafting authority); for eventual review and adoption by the Standing Committee of the National People's Congress.  
**Document No.:** Not yet assigned (draft for public consultation).  
**Comment period:** Released for public comment; the consultation period closed March 2, 2026. Effective date not yet determined — Article 68 of the draft leaves the implementation date blank.

---

## Chapter I. General Provisions

**Article 1.** This Law is enacted in accordance with the Constitution for the purposes of preventing, curbing, and governing cybercrime activities, safeguarding national security, social stability, and network order, and protecting the lawful rights and interests of citizens and organizations.

**Article 2.** This Law applies to cybercrime prevention and its regulatory oversight within the territory of the People's Republic of China. Where a citizen of the People's Republic of China located outside its territory, or an overseas organization or individual that provides services to users within the territory of the People's Republic of China, commits an act in violation of this Law that harms the national security, public interest, or the lawful rights and interests of citizens or organizations of the People's Republic of China, legal liability shall be pursued in accordance with the law.

**Article 3.** Cybercrime prevention work shall uphold the leadership of the Communist Party of China, implement a holistic view of national security, coordinate development and security, and follow the principles of combining prevention and enforcement, prioritizing prevention, addressing root causes, and coordinated action, so as to advance integrated online-offline prevention and build a comprehensive cybercrime prevention system.

Cybercrime prevention work shall safeguard the normal operation of network services, protect the lawful rights and interests of telecommunications, financial, internet, and other service providers, and foster a healthy and orderly network environment.

**Article 4.** The public security department of the State Council shall take the lead in cybercrime prevention work. The state cyberspace administration department, the press and publication department, and the competent telecommunications, financial, market regulation, foreign affairs, education, commerce, culture and tourism, radio and television, and other relevant departments of the State Council shall, in accordance with this Law and relevant laws and administrative regulations, be responsible for cybercrime prevention work within their respective areas of responsibility. Relevant competent departments shall closely coordinate with the public security department of the State Council in carrying out cybercrime prevention work.

People's governments at or above the county level shall coordinate, direct, urge, and guide relevant departments in performing cybercrime prevention work within their respective areas of responsibility. The cybercrime prevention regulatory duties of relevant departments of people's governments at or above the county level shall be determined in accordance with relevant state regulations.

**Article 5.** Telecommunications, financial, internet, and other service providers shall, in accordance with this Law and relevant laws, administrative regulations, and the mandatory requirements of national standards, establish and implement network security, information security, and data security management systems, adopt technical measures and other necessary measures, and perform cybercrime prevention obligations commensurate with their type of service, scale of operation, and capability.

**Article 6.** Any individual or organization has the right to report to the public security authorities or other departments any clues concerning cybercrime.

Relevant departments shall promptly handle such clues in accordance with the law and protect the lawful rights and interests of whistleblowers. Units and individuals who report cybercrime or make outstanding contributions to cybercrime prevention work shall be commended and rewarded in accordance with relevant state regulations.

Telecommunications, financial, internet, and other service providers shall establish convenient channels to accept complaints and reports concerning cybercrime from individuals and organizations, and shall promptly handle them in accordance with law and regulation.

**Article 7.** The public security authorities shall, relying on the national network and information security notification mechanism, strengthen the collection, analysis, and notification of cybercrime prevention information, and shall, in accordance with regulations, uniformly release cybercrime monitoring and early-warning information.

The public security authorities shall promote information sharing on cybercrime among relevant departments, and shall strengthen the sharing of information on the cybercrime situation with telecommunications, financial, internet, and other service providers.

**Article 8.** The State encourages and supports the research, development, and promotion of application of artificial intelligence and other technologies for cybercrime prevention, and strengthens security management of new technologies and applications such as artificial intelligence.

**Article 9.** The State encourages and supports network-related industry associations in carrying out monitoring and analysis of new network technologies and applications, analysis of cybercrime trends and industrial chains, and dynamic risk assessment of cybercrime; in formulating codes of conduct for cybercrime prevention; and in strengthening industry self-discipline and credit-based disciplinary work for cybercrime prevention.

**Article 10.** People's governments at all levels and their relevant departments shall organize regular publicity and education on cybercrime prevention, and shall guide and urge relevant units to carry out such publicity and education.

Schools and other educational institutions shall incorporate cybercrime prevention into their educational and teaching content. Radio, television, newspapers, periodicals, and other media, as well as internet platforms, shall actively carry out publicity on cybercrime prevention and popularize knowledge of cybercrime prevention.

## Chapter II. Management of Basic Network Resources

**Article 11.** Any individual or organization opening a mobile phone card, Internet-of-Things (IoT) card, bank account, or payment account shall provide true identity information, and shall not engage in any of the following acts that disrupt real-name management:

(1) opening a mobile phone card, IoT card, bank account, or payment account using a forged or altered identity document or false identity information;

(2) acquiring, renting, selling, or leasing a bank account or payment account, or acquiring, renting, selling, or leasing a mobile phone card or IoT card without completing transfer formalities, or lending out a mobile phone card, IoT card, bank account, or payment account while knowing it will be used for unlawful or criminal activity;

(3) unlawfully buying or selling an overseas mobile phone card, IoT card, bank account, or payment account;

(4) using an IoT card to register a network account or for other purposes not designated for it, in violation of relevant state regulations; or

(5) other acts that disrupt real-name management of telecommunications or financial services.

**Article 12.** Any individual or organization applying for internet information publishing, instant messaging, or other services shall provide true identity information, and shall not engage in any of the following acts that disrupt real-name management of the network:

(1) applying for an internet service using false identity information or a false business license, using another person's identity information, business license, phone number, or email address without authorization, or using an IoT card for such purposes;

(2) unlawfully acquiring, renting, selling, or leasing a network account, or lending out a network account while knowing it will be used for unlawful or criminal activity;

(3) registering large numbers of network accounts using network-address-switching tools, mass phone-card control tools, or other means to circumvent a network operator's account registration review rules or other measures;

(4) providing technical support or assistance such as unblocking services for a network account that has been lawfully subject to blocking or other measures;

(5) holding, without proper justification, a large number of network accounts not registered in one's own name; or

(6) other acts that disrupt real-name management of the network.

**Article 13.** Any individual or organization applying for network access, domain name registration, server hosting, space leasing, content distribution, application distribution, or other services, or opening a network line or telephone line, shall register true identity information, installation address, scope of use, and other information, and shall not engage in any of the following acts that disrupt real-name management:

(1) leasing a network line or telephone line to another person in violation of relevant state regulations;

(2) altering, without completing change-registration formalities, the installation address of a network line or telephone line; or

(3) other acts that disrupt real-name management of network lines or telephone lines.

**Article 14.** No individual or organization may unlawfully manufacture, sell, provide, or use any device, software, tool, or service with any of the following functions:

(1) an automatic redialing function that renders a target phone number unusable;

(2) a function to control mobile phone cards in bulk;

(3) a device or software with functions such as altering the calling number, virtual dialing, or connecting internet telephony to the public telecommunications network in violation of regulations;

(4) a function for bulk automatic switching of network addresses, or for bulk receipt or provision of SMS or voice verification codes;

(5) a function to harvest information from mobile terminal users, or to forcibly send or intercept SMS messages to or from unspecified users; or

(6) other devices, software, tools, or services identified by public security authorities at or above the provincial level, in conjunction with the competent telecommunications, radio and television, or other departments, as being specifically used to commit network-related unlawful or criminal acts or as having functions to circumvent regulatory systems.

**Article 15.** Any individual or organization that manufactures, sells, or provides a device, software, tool, or service with any of the following functions shall file with the public security authorities, the competent telecommunications department, or other competent departments, and shall register the true identity information of purchasers and users:

(1) a function to control network accounts, internet access lines, or smart terminals in bulk;

(2) a virtual network location-spoofing function;

(3) a function to intrude into or control computer information systems; or

(4) other devices, software, tools, or services identified by public security authorities at or above the provincial level, in conjunction with the competent telecommunications or other departments, as potentially subject to large-scale use for network-related unlawful or criminal activity.

The filing system referred to in the preceding paragraph shall be specified by the public security department of the State Council in conjunction with the competent telecommunications and other departments.

**Article 16.** Telecommunications, financial, internet, and other service providers shall, in accordance with laws, regulations, and the requirements of relevant competent departments, establish a dynamic identity verification system to dynamically verify the true identity of users of mobile phone cards, IoT cards, bank accounts, payment accounts, and network accounts.

In regions or periods with a high incidence of cybercrime, service providers shall increase the frequency of dynamic identity verification as required by relevant competent departments; where abnormal operation of a mobile phone card, IoT card, bank account, payment account, or network account is discovered, dynamic identity verification shall be conducted promptly. Where identity verification fails, measures such as restricting, suspending, or terminating the relevant service shall be adopted.

Where an individual or organization objects to the restriction, suspension, or termination of a relevant service, the telecommunications, financial, internet, or other service provider shall promptly review the matter, and shall restore the relevant service if the review confirms it should be restored.

**Article 17.** The State shall build and provide a national network identity authentication public service, through which telecommunications, financial, internet, and other service providers may register and verify the true identity of users.

For mobile phone cards, IoT cards, bank accounts, payment accounts, and network accounts presenting cybercrime risk, and for network application services used to commit cybercrime, the relevant industry competent department may require telecommunications, financial, internet, and other service providers to re-verify user identity through the national network identity authentication public service or other means.

No individual or organization may damage or interfere with the operation of the national network identity authentication public service.

**Article 18.** Telecommunications, financial, and internet service providers handling applications by individuals or organizations for mobile phone cards, bank accounts, payment accounts, or network accounts shall set numerical caps on such accounts in accordance with relevant state regulations.

## Chapter III. Governance of the Cybercrime Ecosystem

**Article 19.** No individual or organization may, while knowing that another person is using the network to commit an unlawful or criminal act, provide that person with support or assistance such as internet access, cloud computing services, computing-power aggregation and leasing, server hosting, network storage, communications transmission, domain name resolution, content distribution, development and operations (DevOps), advertising promotion, or payment settlement.

**Article 20.** No individual or organization may, while knowing that another person is using the network to commit an unlawful or criminal act, provide or disguisedly provide that person with financial support by:

(1) moving funds through an unlawful payment platform established by another person;

(2) placing advertising or promotional information on an unlawful website established by another person that involves obscenity, gambling, or similar content; or

(3) other means of providing or disguisedly providing financial support to another person's use of the network to commit an unlawful or criminal act.

**Article 21.** No individual or organization may, while knowing that funds, data, or virtual network property are the proceeds of another person's network-related unlawful or criminal activity, conceal, transfer, acquire, sell on another's behalf, or otherwise disguise or conceal such proceeds.

**Article 22.** No individual or organization may engage in any of the following acts that infringe upon citizens' personal information or endanger data security:

(1) unlawfully collecting, storing, using, processing, transmitting, providing, disclosing, or deleting personal information or data; or

(2) providing personal information or data support to another person while knowing that person is engaged in unlawful or criminal activity.

**Article 23.** No individual or organization may, while knowing that another person is using the network to commit an unlawful or criminal act, provide that person with assistance such as personnel recruitment, training, or document processing.

**Article 24.** No individual or organization may, in violation of relevant state regulations, discover, collect, or publish network product security vulnerabilities as an unlawful or criminal activity, or disseminate or transmit design schemes, network topologies, core source code, or other information concerning important information systems that could endanger network security.

**Article 25.** Without the approval of the cyberspace administration department or public security authorities at or above the provincial level, or authorization from the competent industry department or the network operator, no individual or organization may conduct network security vulnerability scanning, penetration testing, or other activities that may affect network security on a network subject to Level 3 or higher classified protection under the Multi-Level Protection Scheme (MLPS).

Without the approval of the cyberspace administration department or public security authorities at or above the level of a city divided into districts, or authorization from the competent industry department or the network operator, no individual or organization may conduct such activities on a network subject to Level 2 or lower classified protection.

Where such activity is conducted lawfully or with approval or authorization, it shall be reported to the public security authorities at or above the county level five working days before the activity is carried out. Where laws or administrative regulations otherwise provide, such provisions shall prevail.

**Article 26.** No individual or organization may, while knowing that funds are the proceeds of another person's unlawful or criminal activity, engage in any of the following acts to move or settle such funds:

(1) providing services such as cash withdrawal or physical transport of cash for another person;

(2) using a bank account, payment account, or online transaction or top-up platform to unlawfully transfer funds through sham transactions or similar means; or

(3) using virtual currency or other virtual network property to provide fund-transfer services for another person.

**Article 27.** No individual or organization may provide, for payment, a service to delete information for another person, or a service such as blocking, replacing, or suppressing information that has the practical effect of deletion. No internet service provider or its personnel may charge, or disguisedly charge, a fee when another person lawfully applies for the deletion of unlawful information.

**Article 28.** No individual or organization may publish information in any of the following ways that disrupts network order:

(1) publishing false information;

(2) publishing information by unlawful means such as controlling a computer information system;

(3) controlling a large number of network accounts not registered in one's own name to publish information, or using bulk-control software or similar tools to provide fake comments, reposts, likes, or similar services;

(4) publishing information that violates public order and good morals in order to obtain traffic revenue or advertising revenue; or

(5) other acts that engage in traffic fraud or otherwise disrupt network order.

**Article 29.** Any individual or organization that places advertising or promotional information on the internet, or provides intermediary or similar services for advertising and promotion, shall comply with the following:

(1) where the information placed constitutes online advertising, the laws and regulations on online advertising shall be complied with; where the information placed does not constitute online advertising, the party placing the information and the intermediary service provider shall verify the true identity of the counterparty;

(2) verify whether the website or application on which the information is placed has been lawfully filed or licensed;

(3) check whether the website or application is one that is evidently unlawful, such as one involving obscenity, gambling, or the sale of prohibited items; and

(4) where a website, application, network account, communication group, or similar means is used to help another person place information, check whether the information placed constitutes unlawful information such as obscenity, gambling, or the sale of prohibited items.

**Article 30.** No individual or organization may engage in any of the following acts to help attract traffic to cybercrime:

(1) while knowing that another person is using the network to commit an unlawful or criminal act, inducing or deceiving users into adding the person as an instant-messaging contact, following a social media account, joining a communication group, or downloading an application;

(2) transferring the administrative rights of a public account, communication group, forum, or similar without completing and publicizing a real-name change of registration, or while knowing the rights will be used for unlawful or criminal activity; or

(3) other acts of knowingly providing traffic-attracting assistance to another person's use of the network to commit an unlawful or criminal act.

**Article 31.** No individual or organization may engage in any of the following acts to unlawfully promote an application or piece of software:

(1) providing an electronic signature, production, packaging, publishing, or download services under the guise of testing, for an unlawful application;

(2) embedding non-essential software that a user cannot uninstall, or forcibly embedding software without the user's consent; or

(3) providing promotional services for another person while knowing that person has unlawfully embedded software.

**Article 32.** No individual or organization may, without authorization from an internet service provider, develop, sell, or provide client software or a service platform that attaches to that provider's service and affects its normal operation or undermines fair trading by users.

**Article 33.** No individual or organization may engage in any of the following acts that disrupt normal network business order:

(1) conducting false or misleading commercial promotion through fabricated transactions or fabricated user reviews, or damaging another person's business reputation or product reputation, thereby interfering with the normal conduct of network transactions;

(2) fraudulently obtaining network coupons, subsidy funds, or similar benefits through fabricated transactions, fabricated customers, or other abnormal means; or

(3) other acts that disrupt normal network business order.

## Chapter IV. Cybercrime Prevention Obligations

**Article 34.** State organs, social organizations, and enterprises and public institutions shall perform the obligation to prevent, curb, and govern cybercrime in accordance with this Law and relevant laws and regulations.

The specific requirements for performing cybercrime prevention obligations shall be set out in laws, administrative regulations, or the mandatory requirements of national standards. Relevant national standards shall be formulated by the public security department of the State Council, the state cyberspace administration department, and the standardization administration department of the State Council in conjunction with competent industry departments.

**Article 35.** A network operator shall adopt the following necessary measures to ensure that the services it provides are protected from unlawful or criminal infringement and are not used to commit unlawful or criminal activity:

(1) establishing a dedicated body or designating dedicated personnel with direct responsibility for cybercrime prevention work, with the network operator's principal serving as the first person responsible;

(2) establishing cybercrime prevention management systems and operating procedures, adopting necessary technical measures, and regularly conducting internal cybercrime prevention training;

(3) establishing a cybercrime prevention work contingency plan and regularly conducting emergency response drills;

(4) strengthening management of third-party supply-chain units and personnel in key network operations and maintenance positions, and adopting necessary measures to strengthen network and data security monitoring and early warning;

(5) upon discovering a network attack threat or clues to network-related unlawful or criminal activity, promptly taking disposal measures, preserving relevant records, reporting to the public security authorities, and cooperating with investigations; and

(6) other necessary cybercrime prevention measures.

**Article 36.** An internet access service provider shall adopt the following measures to prevent its services from being used to commit unlawful or criminal activity:

(1) discovering and blocking websites, network addresses, and applications that violate relevant state regulations;

(2) discovering and blocking acts that endanger network security, such as interfering with, intruding into, attacking, or damaging network service facilities; and

(3) promptly addressing unlawful or criminal activity conducted using its services that has been notified by a relevant competent department.

**Article 37.** A telecommunications service provider shall adopt the following measures to prevent its services from being used to commit unlawful or criminal activity:

(1) discovering and blocking pseudo base stations, the unauthorized establishment or leasing of network or telephone lines, unauthorized alteration of installation address, unauthorized alteration of network service scope, and the use of IoT cards for non-IoT applications;

(2) discovering and blocking the erection of communication lines for unlawful or criminal activity, and the provision of equipment operation and maintenance or signal-boosting services for such activity; and

(3) promptly addressing unlawful or criminal activity conducted using its services that has been notified by a relevant competent department.

**Article 38.** Telecommunications, financial, internet, and other service providers shall adopt necessary measures to monitor and discover abnormal registration, control, or use of mobile phone cards, IoT cards, telephone lines, bank accounts, payment accounts, network accounts, and network lines in violation of relevant state regulations, and shall promptly block and dispose of such cards, numbers, and lines used to commit network-related unlawful or criminal activity.

With respect to a card, number, or line suspected of being used to commit network-related unlawful or criminal activity, the public security authorities may require the relevant service provider to stop providing service. Where a victim files a police report and applies for emergency suspension of payment, the public security authorities may, in accordance with relevant state regulations, make decisions such as emergency suspension of payment, expedited freezing, or return of funds, and financial service providers shall cooperate accordingly.

**Article 39.** Service providers offering domain name registration, host hosting, content distribution, and similar services shall adopt the following cybercrime prevention measures:

(1) a domain name registration service provider shall adopt measures to monitor, discover, block, and dispose of maliciously registered or counterfeit domain names, as well as measures to dispose of domain names used to commit unlawful or criminal activity;

(2) a provider of server hosting, space leasing, or cloud services shall adopt measures to monitor, discover, block, and dispose of unlawful information, websites, and applications, as well as denial-of-service attacks, malicious code, botnets, and unlawfully established virtual private networks; and

(3) a content distribution service provider shall adopt measures to monitor, discover, block, and dispose of unlawful information, websites, and applications.

**Article 40.** An internet service provider shall, according to the category of service it provides, adopt the following cybercrime prevention measures:

(1) a provider of information publishing services shall adopt measures to monitor, discover, prevent, block, and dispose of unlawful information, as well as fake reposts, comments, or likes, or the publication of information using large numbers of network accounts not registered in one's own name;

(2) a provider of online transaction services shall adopt measures to monitor, discover, prevent, block, and dispose of the sale or assembly of prohibited or controlled items, sham transactions, and other unlawful or suspicious transactions;

(3) a provider of online payment services shall adopt measures to monitor, discover, prevent, block, and dispose of payment settlement services provided for unlawful or abnormal transactions, such as those involving significantly abnormal payment amounts or abnormal account usage frequency;

(4) a provider of advertising and promotion services shall adopt measures to monitor, discover, prevent, block, and dispose of advertising promotion for unlawful or criminal activity, or the embedding of malicious code or insertion of unlawful information in advertising services;

(5) a provider of information search services shall adopt measures to monitor, discover, prevent, block, and dispose of the dissemination and promotion of unlawful information; a provider of paid information search services shall verify client qualifications in accordance with law, set an upper limit on the proportion of paid search results shown on a page, and apply a prominent label to paid search information;

(6) a provider of online gaming services shall adopt measures to monitor, discover, prevent, block, and dispose of the dissemination of unlawful information, disguised gambling activity, and abnormal or suspicious changes in virtual network property;

(7) a provider of application distribution services shall adopt measures to monitor, discover, prevent, block, and dispose of programs or tools specifically designed to intrude into or unlawfully control computer information systems, and unlicensed, unfiled, or unlawful applications that unlawfully process personal information;

(8) a provider of data interface services shall establish technical measures such as identity authentication and access control, and shall adopt measures to monitor, discover, prevent, block, and dispose of unlawful or unauthorized data calls;

(9) a provider of blockchain services shall adopt measures to monitor, discover, prevent, block, and dispose of the publication or dissemination of unlawful information, viruses, trojans, or malicious programs on the blockchain, or the provision of payment settlement or other assistance to unlawful or criminal activity through the blockchain; and

(10) a provider of AI-generated and composed content services shall adopt measures to monitor, discover, prevent, block, and dispose of the use of its services to create or disseminate rumors or other unlawful information, or to commit unlawful or criminal acts such as insult or defamation.

**Article 41.** Internet information service providers and manufacturers of mobile smart terminals shall adopt measures to monitor and discover AI-generated and composed information. Where such information is found without a label, they shall promptly take disposal measures such as removal, or shall add a label alerting users that the information is AI-generated and composed content.

**Article 42.** A network operator shall, at key stages such as the launch and operation of new technologies and applications, establish a cybercrime risk assessment system to prevent new technologies and applications from being used to commit unlawful or criminal activity.

An artificial intelligence service provider shall adopt measures to monitor, discover, prevent, block, and dispose of a user's use of its services to commit unlawful or criminal activity or engage in abnormal conduct such as bulk generation of malicious code, and shall preserve relevant records and report to the public security authorities or other competent departments.

**Article 43.** Network operators and data processors shall perform network and data security protection obligations, establish and improve network and data security management systems, and adopt technical measures and other necessary measures to prevent their network services and data from being used to commit unlawful or criminal activity.

An important data processor shall establish technical measures such as data labeling and tagging to monitor and identify the chain of provenance as important data is transferred among different parties.

**Article 44.** The state cyberspace administration department shall coordinate relevant departments and network operators in adopting technical measures and other necessary measures to block unlawful information originating from outside the territory of the People's Republic of China.

Where a network operator discovers a domain name, network address, network account, telephone line, network line, or application used to commit unlawful or criminal activity, it shall promptly take measures to block it and report to the public security authorities or other competent departments.

No individual or organization may, in violation of relevant state regulations, manufacture, sell, or provide devices, software, tools, lines, or services that provide technical support or assistance to another person in obtaining or disseminating information that has been lawfully blocked under the first paragraph of this Article.

**Article 45.** An institution that, for profit, provides services such as vulnerability scanning or penetration testing shall file with the public security authorities at or above the level of a city divided into districts.

Such an institution shall adopt measures to strengthen the training and management of its relevant personnel.

**Article 46.** Network security product and service providers shall adopt the following measures to prevent their products and services from being used to commit unlawful or criminal activity:

(1) reporting to the public security authorities at or above the level of a city divided into districts the IP addresses, domain names, and similar information used by the provider for network vulnerability scanning and penetration testing;

(2) where the provider offers crowdsourced testing platform services, verifying the relevant authorization documentation; and

(3) promptly reporting significant threat intelligence and program samples to the public security authorities and the cyberspace administration department.

**Article 47.** The name of a website or application shall not contain any of the following:

(1) information that laws or administrative regulations prohibit publishing or transmitting;

(2) an unauthorized use of, or an association with, the name of a Party or government organ, an enterprise or public institution, or another organization, or the name of a public figure, where doing so could deceive or mislead the public; or

(3) other names identified by a competent department at or above the provincial level as unsuitable for use.

**Article 48.** Public security authorities, cyberspace administration departments, or other relevant competent departments at or above the provincial level may issue a cyber-violence protection order to a victim of a cyber-violence incident.

A network operator shall, in accordance with the requirements of a cyber-violence protection order, adopt technical measures and other necessary measures to promptly address the cyber-violence incident and block the dissemination of related cyber-violence information.

**Article 49.** Public security authorities at or above the level of a city divided into districts may issue a warning notice to a perpetrator of cyber violence, ordering the perpetrator to cease the conduct.

**Article 50.** No individual or organization may engage in any of the following acts that infringe upon the lawful rights and interests of minors or harm their physical or mental health:

(1) using the network to organize, entice, instigate, deceive, coerce, or assist minors in committing unlawful or criminal activity;

(2) using the network to threaten, insult, defame, or otherwise maliciously damage the image of, or otherwise bully, minors;

(3) producing, copying, publishing, disseminating, or possessing obscene or pornographic information involving minors;

(4) disclosing a minor's criminal record that should be sealed, or information that could identify a minor involved in a case; or

(5) other acts that use the network to infringe upon the lawful rights and interests of minors or harm their physical or mental health.

**Article 51.** A network operator shall provide technical interfaces, decryption, and other technical support, assistance, and guarantees to the public security authorities and state security organs for their lawful safeguarding of national security, criminal investigation, and prevention and investigation of terrorist activities. The specific requirements shall be formulated by the public security department of the State Council in conjunction with relevant departments.

## Chapter V. Prevention of Cross-Border Cybercrime

**Article 52.** The public security authorities and relevant competent departments shall, in accordance with this Law and relevant laws and regulations, and pursuant to international treaties concluded or acceded to by the State or on the basis of the principle of equality and mutual benefit, carry out international law-enforcement cooperation on cybercrime prevention in respect of cybercrime committed outside the territory of, or using overseas network resources against, the People's Republic of China or its citizens or institutions, or cybercrime committed abroad by PRC citizens in violation of PRC law.

**Article 53.** Where an overseas individual or organization providing internet services or related network products or services to users within the territory of the People's Republic of China provides support or assistance to cybercrime activity, the state cyberspace administration department may, in accordance with law, adopt technical blocking measures against it.

**Article 54.** Where an overseas individual or organization uses the network to commit fraud, gambling, dissemination of obscene materials, or other crimes directed at the territory of the People's Republic of China, the proceeds of such crime, and any enterprises, securities, real property, or other assets in which such proceeds have been invested, shall be sealed, seized, or frozen in accordance with law, and may be confiscated in accordance with law following trial by a people's court. The relevant competent department may decide to restrict such individual or organization from making direct or indirect investment within the territory.

**Article 55.** Where an overseas institution, organization, or individual uses the network to fabricate or disseminate false information that harms the national sovereignty, security, or development interests, or the public interest, of the People's Republic of China, the relevant competent department may decide to freeze assets, restrict entry of relevant personnel, restrict direct or indirect investment within the territory, or take other measures.

**Article 56.** With respect to a PRC citizen who has been subjected to criminal punishment in accordance with law for using the network to commit, across borders, an act prescribed in Chapter III of this Law, the public security authorities at or above the level of a city divided into districts may, based on the circumstances of the offense and the need to prevent reoffending, decide to bar the citizen from leaving the territory for a period of six months to three years from the completion of the punishment.

## Chapter VI. Legal Liability

**Article 57.** Where an act in violation of Articles 11 through 13 of this Law disrupts the real-name registration system or similar systems, the public security authorities shall confiscate the unlawful gains and impose a fine of one to ten times the unlawful gains; where there are no unlawful gains or the unlawful gains are less than RMB 20,000, a fine of up to RMB 200,000 shall be imposed; where the circumstances are serious, detention of up to 15 days may also be imposed.

For an individual or organization subject to administrative punishment under the preceding paragraph, the relevant competent department may place them on a blacklist and order relevant service providers to adopt disciplinary measures such as restricting use of services or restricting or prohibiting the opening of cards or accounts.

**Article 58.** Where a person manufactures, sells, provides, or uses a device, software, tool, or service in violation of Article 14, Article 15, the third paragraph of Article 17, or the third paragraph of Article 44 of this Law, the public security authorities, cyberspace administration department, competent telecommunications department, market regulation department, or other departments shall, according to their respective duties, confiscate the item and impose a fine of one to ten times the unlawful gains; where there are no unlawful gains or the unlawful gains are less than RMB 50,000, a fine of up to RMB 500,000 shall be imposed; where the circumstances are serious, the public security authorities may also impose detention of up to 15 days.

**Article 59.** Where an act in violation of Articles 19 through 33 of this Law disrupts network order, the public security authorities, cyberspace administration department, competent telecommunications department, and competent financial, market regulation, culture and tourism, or other departments shall, according to their respective duties, order suspension of the relevant business, suspension of operations for rectification, closure of the website or application, or revocation of the business license or permit, and shall impose a fine of one to ten times the unlawful gains; where there are no unlawful gains or the unlawful gains are less than RMB 50,000, a fine of up to RMB 500,000 shall be imposed; where the circumstances are serious, the public security authorities may also impose detention of up to 15 days.

**Article 60.** Where a telecommunications, financial, internet, or other service provider commits any of the following acts, the relevant competent department shall order rectification and issue a warning or public criticism, or impose a fine of RMB 50,000 to RMB 500,000; where the circumstances are serious, a fine of RMB 500,000 to RMB 5,000,000 shall be imposed, and the relevant competent department may also order suspension of the relevant business, suspension of operations for rectification, closure of the website or application, or revocation of the business license or permit, and impose a fine of RMB 10,000 to RMB 200,000 on the directly responsible person in charge and other directly liable personnel:

(1) failing to implement real-name registration or similar systems, or to verify the true identity of users in accordance with law, in violation of Article 16 or the first or second paragraph of Article 17 of this Law;

(2) failing to implement cybercrime prevention obligations, or to adopt monitoring, discovery, blocking, or disposal measures in accordance with law, in violation of Articles 34 through 43 or the second paragraph of Article 48 of this Law;

(3) failing to perform obligations such as filing of network security products or services in accordance with law, in violation of Article 45 or Article 46 of this Law;

(4) failing to perform website and application name management obligations in accordance with law, in violation of Article 47 of this Law; or

(5) failing to provide technical support, assistance, and guarantees in accordance with law, in violation of Article 51 of this Law.

**Article 61.** Where an act in violation of Article 50 of this Law infringes upon the lawful rights and interests of minors, the public security authorities shall impose a fine of up to RMB 200,000; where the circumstances are serious, a fine of up to RMB 500,000 or up to ten times the unlawful gains shall be imposed, and detention of up to 15 days may also be imposed.

**Article 62.** Administrative punishments lawfully imposed by the cyberspace administration department, competent telecommunications department, public security authorities, and other relevant departments for acts in violation of this Law shall be entered into credit archives in accordance with laws and administrative regulations.

**Article 63.** Where a violation of relevant provisions of this Law — disrupting real-name registration or similar systems, disrupting network order, or failing to implement cybercrime prevention obligations — causes another person to suffer loss from cybercrime infringement, civil liability shall be borne in accordance with law according to fault.

**Article 64.** Where a telecommunications, financial, internet, or other service provider fails to perform the cybercrime prevention obligations prescribed by this Law and thereby infringes upon the lawful rights and interests of a large number of individuals, or causes harm to national interests or the public interest, the people's procuratorate, a relevant competent department, or a relevant social organization may, in accordance with law, bring a public-interest lawsuit before a people's court.

**Article 65.** Where personnel of the cyberspace administration department, competent telecommunications department, public security authorities, or other relevant departments neglect their duties, abuse their power, engage in malpractice for personal gain, or solicit or accept property from others by taking advantage of their position, and the conduct does not constitute a crime, they shall be given sanctions in accordance with law.

**Article 66.** Where a violation of this Law constitutes a violation of public security management, the public security authorities shall impose public security administrative punishment in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law.

## Chapter VII. Supplementary Provisions

**Article 67.** For the purposes of this Law, "cybercrime" means a crime that is directed at, or primarily committed by means of, the network, and that endangers national security, public security, or the personal or property safety of citizens.

**Article 68.** This Law shall come into force on [date to be determined].
