Data Breaches in China Could Now Cost You Millions under New Cybersecurity Law
China is adopting new cybersecurity laws with sky-high fines and punitive enforcement mechanisms. Companies must act fast or face devastating penalties.
Significant changes are underway in China’s cybersecurity ecosystem. On 27 April 2025, the Cyberspace Administration of China closed public consultation on important updates to its Cybersecurity Law. These proposed amendments aim to strengthen enforcement, align with China’s newer data laws, and introduce steeper penalties for non-compliance. Whether you operate in China or work with Chinese partners, it’s a good time to understand what’s ahead. We have explained the key changes for you below.
🇨🇳 China Aligns Cybersecurity Law with Data and Privacy Regime
China is tightening the screws on cybersecurity compliance. On 27 April 2025, the Cyberspace Administration of China (CAC) concluded public consultation on a second draft of amendments to the Cybersecurity Law.
This law, originally effective in 2017, is being revamped to sync up with China’s newer data protection statutes, notably the Data Security Law (2021) and the Personal Information Protection Law (PIPL, 2021), and to impose tougher penalties for security breaches. Beijing is updating its cybersecurity playbook for the era of big data and critical infrastructure.
Key proposed changes aim to harmonize overlapping laws and enhance enforcement mechanisms:
Higher Fines and Liability
The draft amendments dramatically raise the financial stakes for security lapses. Network operators responsible for breaches leading to personal data leaks or disruptions of critical infrastructure could face fines from CNY 10,000 up to CNY 10 million (approximately $1.5K to $1.5M).
This aligns the Cybersecurity Law’s once-modest fines with the heftier penalties in the Data Security Law and PIPL. The CAC recognized the old law’s weaker deterrent effect and is introducing harsher penalties and clearer enforcement mechanisms to ensure violations have “meaningful consequences”. For companies operating in China, this means a data breach or security misstep could hit the bottom line much harder than before.