5 November 2025

Cybersecurity Law Revision Progresses With Expected Hike In Penalties

Lusheng Law Firm


Lusheng Law Firm is a Chinese law firm, specialising in Intellectual Property law and litigation. It is also a patent agency authorised by the National Intellectual Property Administration, PRC (CNIPA). With headquarters in Beijing, Lusheng provides top quality specialised legal and patent agency services to clients throughout China.

Takeaways

  • In September, China concluded an administrative penalty case related to personal information protection, once again underscoring the importance of complying with cross-border data transfer requirements and carrying out personal information protection impact assessments. The public security cybersecurity department found that a company providing foundational datasets for AI training had failed to conduct a personal information protection impact assessment before processing sensitive biometric data such as facial information. The company was penalized and ordered to rectify the issue.
  • The National People's Congress launched the third round of public consultation on the Draft Amendment to the Cybersecurity Law. The draft largely aligns with the version released by the Cyberspace Administration of China in March and proposes a significant increase in the maximum penalties for violations of cybersecurity obligations. If adopted, the maximum fine for enterprises could reach RMB 10 million.
  • In addition, the Measures for the Management of National Cybersecurity Incident Reports were issued in September and take effect on November 1. Depending on the category of network operator (critical information infrastructure operators, central and state organs, or other operators), reportable incidents must be reported to the relevant authorities within 1 to 4 hours.

Regulatory Highlights

Cyberspace Administration of China (CAC) Issues the Measures on the Management of National Cybersecurity Incident Reports

The Measures take effect on November 1, 2025. Under these rules, network operators in China must report cybersecurity incidents according to the incident's severity classification, and the reporting deadline depends on the type of operator. For incidents involving Critical Information Infrastructure (CII), the operator must report to its protection department and the public security authorities within 1 hour. Central and state organs and their directly affiliated units must report to the cyberspace administration office of their respective department within 2 hours. Other network operators must report to the provincial-level cyberspace administration within 4 hours. If an incident is deemed major or particularly severe, the receiving department must also escalate the report to the national cyberspace administration, or the public security department of the State Council, within a specified timeframe.

The Measures do not directly specify penalties for failure to report but state that violations will be handled under applicable laws and administrative regulations. Also, where delayed, omitted, falsified, or concealed reports result in serious consequences, enterprises and responsible individuals will face aggravated penalties.

Currently, Article 57 of the Personal Information Protection Law (PIPL) establishes the data breach notification duty; the penalties for violating PIPL obligations (Article 66) go up to RMB 50 million or 5% of the previous year's turnover. Article 45 of the Data Security Law sets a maximum fine of RMB 2 million for failing to fulfil data security protection obligations, including the obligation to report security incidents, rising to a maximum of RMB 10 million where national core data is involved.

The cyberspace authorities currently operate six cybersecurity incident reporting channels: the 12387 hotline, a website, a WeChat mini-program, a WeChat official account, email, and fax, through which network operators, social organizations, and individuals can report security incidents.

The National People's Congress Launches the Third Round of Public Consultation on the Amendment Draft to Cybersecurity Law

Following the second public consultation by the CAC in March this year, on September 12 the National People's Congress launched a 30-day public consultation on the third draft amendment to the Cybersecurity Law. This revision focuses primarily on the legal liability provisions (Articles 59 to 75), with several adjustments to the previous draft. Overall, the amendment reflects a balanced approach to enforcement: while significantly raising the upper limit of penalties, it also refines the penalty tiers and enforcement methods for different types of legal responsibility, and applies severe measures, such as app shutdowns and license revocations, with caution. Key highlights include:

  • Higher penalties for general enterprises: For non-Critical Information Infrastructure Operators (non-CIIOs) that fail to fulfil their cybersecurity protection obligations, conduct certification and testing activities or publish system vulnerabilities in violation of regulations, or fail to handle illegal information, the draft significantly raises the penalty ceilings. Previously, a first violation generally drew only a warning; under the new draft, a fine may be imposed at the same time. Where an operator refuses to rectify or harmful consequences occur, the penalties for the enterprise and the responsible individuals may be 2 to 10 times higher.
  • Clearer liability determination: The draft introduces new legal liability for providing uncertified products. Authorities may order rectification, halt the illegal activity, issue warnings, confiscate illegal gains, and impose fines of up to three times the value of those gains.
  • A finer penalty gradient: For CIIOs, the draft adds particularly serious scenarios, such as large-scale data leaks or partial or complete system failure, in which the enterprise may be fined up to RMB 10 million. General enterprises whose violations (for example, installing malicious programs or neglecting product risks) lead to similar consequences are penalized under the same standards.
  • Liability forms adapted to the digital environment: For example, the term "website shutdown" is revised to "website or application shutdown". Severe penalties such as service suspension and license revocation are to be applied with caution. The draft also introduces provisions for lighter, reduced, or waived penalties, to encourage enterprises to fulfil basic obligations in daily operations and to proactively eliminate or reduce harm when a data incident occurs.
  • Continued direct application of PIPL and DSL penalties: As in the CAC draft, violations involving personal information or data security are penalized directly under the Personal Information Protection Law and the Data Security Law.

Judicial Protection

The Supreme People's Court has issued Jurisdiction Rules for Internet Courts, bringing disputes over network data, personal information and privacy rights under the centralized jurisdiction of the Internet courts. Compared with the 2018 Regulations, the new rules shift some traditional Internet disputes, such as copyright, e-commerce contract and financial loan contract disputes, to the jurisdiction of primary-level courts. At the same time, four new categories of cases will be tried in the Internet courts: (1) disputes over the ownership, infringement and contracts of network data, (2) disputes over the protection of network personal information and privacy rights, (3) disputes over the ownership, infringement and contracts of network virtual property, and (4) disputes over network unfair competition. Corresponding adjustments have also been made to jurisdiction over administrative cases and cases involving foreign parties or parties from Hong Kong and Macao.

Data Compliance

The CAC Proposed the Provisions on the Establishment of Personal Information Protection Supervisory Committees by Large-scale Network Platforms, which solicited public opinions from September 12 to October 12. The draft further elaborates on Article 58 of the Personal Information Protection Law, which mandates large-scale platforms to establish independent supervisory bodies primarily composed of external members to oversee personal information protection practices. Notably, while the Regulations on the Management of Network Data Security previously defined large-scale platforms as those with over 50 million registered users or 10 million monthly active users, complex business models, and significant impact on national security, economic operations, or public welfare, the new draft introduces a list-based identification mechanism. If formally adopted, this approach would enhance legal certainty in compliance efforts.

On September 16, the National Technical Committee 260 on Cybersecurity of the Standardization Administration of China (TC260) released the official versions of the National Standard System for Data Security (2025 Edition) and the National Standard System for Personal Information Protection (2025 Edition).

Internet Compliance

On September 15, TC260 released the Cybersecurity Standard Practice Guide – Security Requirements for Data Processing During Internet Platform Service Suspension. The guide stipulates that internet platforms must cease collecting new personal information and important data from the date of service suspension and implement appropriate security measures based on data classification and grading. For personal information, platforms must publish a disposal notice at least 20 working days in advance and proactively delete or anonymize the data. If retention is necessary, measures such as encryption and access control must be applied. For important data, platforms must submit a disposal plan 45 working days before suspension. After deletion, they must conduct an effectiveness assessment to ensure that the data cannot be identified or recovered.

Cross-border Data Transfer

China plans to formulate a national-level negative list for cross-border data transfer in Pilot Free Trade Zones (FTZs). On September 22, the Ministry of Commerce and 8 other authorities jointly released the Measures on Several Policies for Promoting Service Exports, emphasizing the importance of promoting and regulating cross-border data flows. The document calls for the optimization, adjustment, and dynamic updating of the negative list for cross-border data transfers in pilot free trade zones, and proposes exploring the development of a nationwide version. It also supports qualified regions in piloting streamlined arrangements for the internal cross-border transfer of personal information within multinational corporations, allowing free flow of personal data within such corporations that have passed security assessments or obtained certification.

The Security Certification Requirements for Cross-border Processing of Personal Information, China's first recommended national standard in this domain, was officially released and will take effect on March 1, 2026. The standard outlines the basic principles, core requirements, and rights protection obligations that relevant parties must follow when conducting cross-border personal information processing. It serves as a reference for both data processors seeking to standardize their cross-border activities and certification bodies conducting personal information protection assessments.

On September 5, Chongqing Cyberspace Administration and 2 other local authorities released the Negative List for Cross-border Data Transfer of China (Chongqing) Pilot Free Trade Zone, along with its supporting administrative measures and implementation guidelines. The first batch focuses on the intelligent connected vehicles sector, covering 4 business activities, 9 business scenarios, and 110 data items, effectively encompassing the entire business chain of the industry.

Artificial Intelligence

On September 15, during the "Network Protection - 2025" Special Campaign, the public security cybersecurity department discovered that a technology company, whose core business is providing foundational datasets for AI model training, had failed to conduct a personal information protection impact assessment before processing sensitive biometric personal information such as facial data. The local public security authority imposed administrative penalties and ordered rectification in accordance with the Personal Information Protection Law.

The CAC continues to advance filing for deep synthesis and generative AI services. According to the CAC's announcement on September 10, as of August 31, 2025, a total of 538 generative AI services in China had completed filing, and 263 generative AI applications or functions had completed registration. For deep synthesis services, the CAC released the 13th batch of algorithm filing information on September 11, bringing the total of successfully filed algorithms to 586.

On September 15, the AI Security Governance Framework (Version 2.0) was officially released at the main forum of the 2025 National Cyber Security Publicity Week. Based on the 2024 version of the Framework, Version 2.0 integrates the development and application practice of AI technology, continuously tracks changes in risks, improves and optimizes risk classification, explores risk grading, and dynamically adjusts and updates prevention and governance measures.

Enforcement

The Ministry of Public Security released 6 typical administrative law enforcement cases from the "Network Protection - 2025" Special Campaign. The cases involved government service systems, SMS platforms, campus card payment systems, tourism platforms, apps, and multinational enterprises that failed to fulfil their obligations regarding cybersecurity, personal information protection, or cross-border data compliance, leading to data leaks or system attacks. All responsible entities received administrative penalties and were ordered to rectify.

On September 16, CAC issued 10 typical law enforcement cases related to cybersecurity, data security, and personal information protection. Among them, seven involved enterprise systems with inadequate security measures, leading to webpage tampering, data leaks, or data theft. Two cases involved illegal collection of personal information, and one case concerned a deep synthesis service that failed to complete the required filing. All involved enterprises were penalized and ordered to rectify the violations. The unregistered deep synthesis service app was removed from app stores.

The CAC strengthened the governance of information content on internet platforms. On September 10, the CAC launched a campaign to regulate news content, urging websites and platforms to enhance content management and deal with a batch of accounts violating regulations. Over 1,200 accounts were found to impersonate news organizations, conduct unauthorized news gathering and editing, misuse news column images, or publish false information. Starting from September 11, the cyberspace authorities also took enforcement measures successively against Xiaohongshu, Kuaishou, Weibo, Toutiao, and UC for failing to fulfil their primary responsibilities for information content management. Measures included interviews, orders to rectify within a time limit, warnings, and strict accountability for responsible personnel. All five platforms responded by stating they "sincerely accept the penalties, have learned serious lessons, and have immediately established dedicated rectification teams."

In September, the National Financial Regulatory Administration (NFRA) and the People's Bank of China (PBC) jointly released multiple administrative penalty decisions. These targeted national commercial banks, policy-based financial institutions, and local small and medium-sized banks for issues such as non-compliant regulatory data submission and inadequate system controls. Among them, China Merchants Bank Co., Ltd. was issued a warning and fined RMB 600,000 for inadequate data security management.

On September 10, the National Computer Virus Emergency Response Center (CVERC) disclosed 69 mobile apps found to be illegally collecting and using personal information. These apps span high-frequency usage categories such as ride-hailing, education, office management, and media tools. The violations fell into 12 categories, the most prominent being the failure to implement security measures such as encryption and de-identification, which affected 41 apps.

On September 18, MIIT reported 29 apps/mini-programs for illegal collection and use of personal information. Key issues included: (1) illegal collection of personal information, (2) mandatory, frequent or excessive permission requests, (3) frequent auto-start and linked-start behaviors, and (4) forced use of targeted recommendation functions. MIIT stated that these apps must rectify in accordance with regulations, and failure to do so will result in further enforcement measures.

Worldwide News

On September 15, local time, China and the United States held economic and trade talks in Madrid. The two sides reached a basic consensus on resolving the TikTok issue through measures such as entrusting U.S. user data and content security operations to third parties, and licensing the use of intellectual property rights including algorithms. The Chinese government will review and approve matters related to TikTok's technology export and IP licensing in accordance with the law.

On September 12, the EU Data Act started to apply in the European Union. The core of the Act is to grant users of connected devices control over their data and to unlock data innovation opportunities for small businesses. Now that the Act applies, manufacturers of connected devices (such as cars, smart TVs, and industrial machinery) must allow users, including business users, to access, use, and share the raw data generated by these devices with third parties. Failure to comply may result in regulatory penalties.

The EU-U.S. Data Privacy Framework (DPF), in place since 2023, allows certified organizations to freely transfer personal data from the EU to the U.S., with the U.S. committed to providing protection equivalent to EU standards. Less than two months after its launch, French MP Philippe Latombe challenged the framework's legality, arguing that U.S. intelligence agencies could still access EU citizens' data and that the safeguards were insufficient. On September 4, the General Court of the European Union dismissed the challenge, ruling that the DPF meets the requirements of the GDPR and prior EU judgments, providing temporary legal certainty for transatlantic data transfers. However, the ruling applies to the framework as it stood at the time of adoption, and future changes—especially in light of past developments under the Trump administration—may affect cross-border data flows.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
