China CSL Amendments
Cybersecurity Law of the People's Republic of China (2025 Amendments)
First major revision of China's foundational Cybersecurity Law since 2017. Introduces formal AI governance provisions, significantly increases penalties, and expands extraterritorial application to all cybersecurity violations.
Jurisdiction
China
Enacted
Oct 28, 2025
Effective
Jan 1, 2026
Enforcement
Cyberspace Administration of China (CAC)
Adopted October 28, 2025; effective January 1, 2026
Cyberspace Administration of ChinaWhy It Matters
Elevates AI governance from regulation to legislation level in China. Significantly higher penalties create stronger compliance incentives. Expanded extraterritorial reach affects foreign companies serving Chinese users.
Recent Developments
First formal incorporation of AI governance into China's foundational cybersecurity legislation. Penalty caps increased 10x from original 2017 law. Leniency provisions added for voluntary disclosure and cooperation.
At a Glance
Who Must Comply
- Network operators
- Critical information infrastructure (CII) operators
- Cybersecurity product and service providers
- Foreign entities conducting activities affecting China's cybersecurity
Safety Provisions
- New Article 20: State support for AI basic research, algorithm development, and key technologies
- Commitment to AI training data resources and computing infrastructure development
- AI ethical norms improvement requirements
- AI risk monitoring and safety assessment strengthening
- Enhanced supply chain cybersecurity for key network equipment and specialized cybersecurity products
- Mandatory safety certification and testing for network equipment
Exemptions
Administrative Penalty Leniency
Lighter, reduced, or exempted penalties available under Administrative Penalty Law
- • Proactively eliminating harmful consequences
- • Voluntarily disclosing violations not yet known to authorities
- • Cooperating with investigations
- • Minor violations promptly corrected without causing harm
Compliance & Enforcement
Key Dates
Jan 1, 2026
All amended provisions take effect
Penalties
CNY 10M; license revocation
Primary Source
Cyberspace Administration of China
https://www.cac.gov.cn/
View on map
China
Focus Areas
Compliance Help
AI risk monitoring and safety assessments required; supply chain security certifications mandatory for key network equipment
See how NOPE helpsCite This
APA
China. (2025). Cybersecurity Law of the People's Republic of China (2025 Amendments).
Related Regulations
China GenAI Labeling Rules
Mandatory labeling of AI-generated content (implicit for all, explicit where applicable). Released by State Administration for Market Regulation and Standardization Administration of China. Complements existing GenAI interim measures with three national standards for AI security and governance.
China GenAI Rules
Requires generative AI providers to ensure content "upholds Core Socialist Values," implement content controls, and file algorithms with CAC within 10 business days.
Nepal AI Policy
Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.
Brunei PDPO
Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.
India DPDP Act
STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.
Myanmar Cybersecurity Law
Myanmar's cybersecurity law requiring platforms with 100,000+ users to register and imposing data retention requirements. Enacted post-2021 coup with uncertain enforcement.
Last updated January 27, 2026. Verify against primary sources before relying on this information.