China CSL Amendments
Cybersecurity Law of the People's Republic of China (2025 Amendments)
First major revision of China's foundational Cybersecurity Law since 2017. Introduces formal AI governance provisions, significantly increases penalties, and expands extraterritorial application to all cybersecurity violations.
Jurisdiction
China
Enacted
Oct 28, 2025
Effective
Jan 1, 2026
Enforcement
Cyberspace Administration of China (CAC)
Adopted October 28, 2025; effective January 1, 2026
Cyberspace Administration of China
Why It Matters
Elevates AI governance from regulation to legislation level in China. Significantly higher penalties create stronger compliance incentives. Expanded extraterritorial reach affects foreign companies serving Chinese users.
Recent Developments
First formal incorporation of AI governance into China's foundational cybersecurity legislation. Penalty caps increased 10x from the original 2017 law. Leniency provisions added for voluntary disclosure and cooperation.
At a Glance
Who Must Comply
- Network operators
- Critical information infrastructure (CII) operators
- Cybersecurity product and service providers
- Foreign entities conducting activities affecting China's cybersecurity
Safety Provisions
- New Article 20: State support for AI basic research, algorithm development, and key technologies
- Commitment to AI training data resources and computing infrastructure development
- AI ethical norms improvement requirements
- AI risk monitoring and safety assessment strengthening
- Enhanced supply chain cybersecurity for key network equipment and specialized cybersecurity products
- Mandatory safety certification and testing for network equipment
Exemptions
Administrative Penalty Leniency
Lighter, reduced, or exempted penalties available under the Administrative Penalty Law
- Proactively eliminating harmful consequences
- Voluntarily disclosing violations not yet known to authorities
- Cooperating with investigations
- Minor violations promptly corrected without causing harm
Compliance & Enforcement
Key Dates
Jan 1, 2026
All amended provisions take effect
Penalties
CNY 10M; license revocation
Primary Source
Cyberspace Administration of China
https://www.cac.gov.cn/
Cite This
APA
China. (2025). Cybersecurity Law of the People's Republic of China (2025 Amendments).
Related Regulations
China GenAI Labeling Rules
Mandatory labeling of AI-generated content (implicit for all, explicit where applicable). Released by State Administration for Market Regulation and Standardization Administration of China. Complements existing GenAI interim measures with three national standards for AI security and governance.
China GenAI Rules
Requires generative AI providers to ensure content "upholds Core Socialist Values," implement content controls, and file algorithms with CAC within 10 business days.
AU National AI Plan
National AI policy roadmap replacing previously proposed mandatory AI guardrails. Focuses on leveraging existing legal frameworks rather than new mandatory requirements. Establishes the Australian AI Safety Institute (AISI) to monitor, test, and share information on AI risks and harms.
Brunei PDPO
Brunei's personal data protection order requiring DPIA and imposing penalties of up to 10% of Brunei turnover or $1M.
India DPDP Act
Strictest children's provisions in APAC. Children are defined as under 18; verifiable parental consent is mandatory; tracking, behavioral monitoring, and targeted advertising to children are prohibited.
Myanmar Cybersecurity Law
Myanmar's cybersecurity law requiring platforms with 100,000+ users to register and imposing data retention requirements. Enacted post-2021 coup with uncertain enforcement.
Last updated January 27, 2026. Verify against primary sources before relying on this information.