The Amendments, which took effect on January 1, 2026, will impact network operators and CIIOs within China and overseas.

By Rhys McWhirter, Hui Xu, and Bianca H. Lee

On October 28, 2025, the Standing Committee of the PRC National People’s Congress (NPC) introduced amendments to the Cybersecurity Law (CSL) (the Amendments). The Amendments, which took effect on January 1, 2026, tighten enforcement and broaden the CSL’s extraterritorial reach.

Key Points:

• The Amendments broaden the scope of overseas activities that could be subject to enforcement by PRC authorities to include any activities overseas that endanger the PRC’s cybersecurity. Overseas enforcement under the CSL previously only applied to overseas activities that endangered critical information infrastructure.
• Increased fines and new penalties for cybersecurity violations. Fines for violations of cybersecurity obligations and failure to remove illegal content under the CSL are set to increase, with the highest fine reaching RMB 10 million for network operators and CIIOs and RMB 1 million for that violator’s directly responsible individuals where the violation causes “particularly serious consequences” in the PRC. New financial penalties are introduced for other violations of the CSL, namely, the sale and provision of critical network equipment and dedicated cybersecurity products that are uncertified or have not passed the relevant security certification/testing requirements.
• The Amendments outline circumstances where penalties may be mitigated or waived under the PRC Administrative Penalty Law, such as where the violator cooperates with investigations or takes steps to mitigate the harm. Penalties could also be waived for first-time violations that cause minor harm and were promptly corrected.

For more details, see our Client Alert.