Significant changes are underway in China’s cybersecurity ecosystem. On 27 April 2025, the Cyberspace Administration of China closed public consultation on important updates to its Cybersecurity Law. These proposed amendments aim to strengthen enforcement, align with China’s newer data laws, and introduce steeper penalties for non-compliance. Whether you operate in China or work with Chinese partners, it’s a good time to understand what’s ahead. We have explained the key changes for you below.

🇨🇳 China Aligns Cybersecurity Law with Data and Privacy Regime

China is tightening the screws on cybersecurity compliance. On 27 April 2025, the Cyberspace Administration of China (CAC) concluded public consultation on a second draft of amendments to the Cybersecurity Law.

This law, originally effective in 2017, is being revamped to sync up with China’s newer data protection statutes, notably the Data Security Law (2021) and Personal Information Protection Law (2021) and to impose tougher penalties for security breaches. Beijing is updating its cybersecurity playbook for the era of big data and critical infrastructure.

Key proposed changes aim to harmonize overlapping laws and enhance enforcement mechanisms:

Higher Fines and Liability

The draft amendments dramatically raise the financial stakes for security lapses. Network operators responsible for breaches leading to personal data leaks or disruptions of critical infrastructure could face fines from CNY 10,000 up to 10 million (approximately $1.5K to $1.5M)​.

This aligns the Cybersecurity Law’s once-modest fines with the heftier penalties in the Data Security Law and PIPL. The CAC recognized the old law’s weaker deterrent effect and is introducing harsher penalties and clearer enforcement mechanisms to ensure violations have “meaningful consequences”. For companies operating in China, this means a data breach or security misstep could hit the bottom line much harder than before.

Integration with New Data Laws

The amendments make the Cybersecurity Law a better teammate to China’s broader data governance framework. For example, violations involving personal information or important data (such as illegal processing or export of such data) will now explicitly be handled under the PIPL or Data Security Law’s provisions​.

This change prevents double-jeopardy and ensures consistency: as the draft states, any action breaching personal data protection or cross-border data rules will be handled and punished in accordance with relevant laws” (i.e. PIPL or data security regulations). For businesses, this is a reminder that compliance must be holistic, you can’t choose one law to follow and ignore the others.

Data Export and Localization Controls

Notably, the draft demonstrates the requirement (from the 2017 law’s Article 37) that critical information infrastructure operators (CIIOs) must store personal information and important data within China unless they pass a security assessment for overseas transfer.

Violating these data export rules is explicitly flagged as an offence. By referring cross-border data breaches to the Data Security Law framework, China is reinforcing its stance on data leaving its borders.

Certification of Cyber Products

The amendments introduce penalties for selling or providing network equipment and cybersecurity products that are not certified or fail security testing​.

Likewise, CIIOs that use unapproved network products could be ordered to rectify and face fines. This echoes China’s broader push for supply chain security; foreign tech vendors may need to undergo Chinese certifications, and Chinese companies must vet their suppliers. For startups in the security or networking space, obtaining relevant Chinese certifications could become crucial to access that market.

Streamlined Enforcement & Leniency

In a bit of balance, the draft also provides that minor violations or those quickly corrected may get more lenient treatment​. This “forgive small mistakes, punish big ones” approach gives regulators flexibility.

It’s a hint to companies that promptly addressing vulnerabilities or compliance gaps could avert heavy sanctions. However, wilful or significant neglect will be met with full force.

From a strategic perspective, these changes signal that China’s regulatory regime is maturing. The Cybersecurity Law is being updated to match the potency of the PIPL and Data Security Law, creating a more unified front.

The latest amendments ensure the CSL aligns with the broader cybersecurity and data governance framework for a more cohesive regulatory system. This could mean compliance can’t be piecemeal.

If you collect personal info in China, you must follow PIPL’s consent and data-minimization rules; if you operate critical systems, you must follow all security mandates and ensure data stays onshore per law and now the CSL will directly point you to those obligations.

Founders and tech teams with Chinese operations should take note of the power shifts in enforcement. The CAC and related agencies are being armed with clearer mandates to police networks and data.

Penalties up to 10 million yuan demonstrates how serious China is about cybersecurity threats and data leakage​. Moreover, the focus on national security is evident especially with rules on critical infrastructure and foreign products.

This aligns with China’s geopolitical stance: reducing dependence on foreign tech and countering cyber risks amid global tensions​. Companies may need to reassess the tech they deploy in China (ensuring it’s approved) and beef up internal security measures to avoid becoming an object lesson under the new law.

Therefore, China’s Cybersecurity Law 2.0 is coming, and it is not business as usual. Expect stricter audits and enforcement actions once these amendments pass (likely later in 2025 - watch this space!).

If you are doing business in China’s digital economy, now is the time to future-proof your compliance: review data localization processes, get certifications for your IT products, and double-check that your incident response plans meet the new standards. The cost of complacency is about to go up sharply in the world’s largest internet market.