China: National People’s Congress opened public consultation on Cybersecurity Law (Draft Amendment)

On 12 September 2025, the National People’s Congress of China opened a consultation on the Cybersecurity Law (Draft Amendment), until 11 October 2025. It proposes increasing penalties for network operators and critical information infrastructure operators that fail to fulfil their cybersecurity protection obligations, introducing tiered fines for severe incidents such as large-scale data leaks or loss of critical infrastructure functionality. The Bill also prohibits the sale or provision of network equipment and cybersecurity products without required security certification or testing and increases penalties for engaging in unauthorised cybersecurity certification, testing, or risk assessment activities, or for disclosing cybersecurity vulnerabilities and attack information without approval. Additional provisions penalise critical information infrastructure operators that use network products or services that have not undergone, or have failed, mandatory security reviews. The Bill clarifies the liability for network operators that fail to handle illegal online information in accordance with regulatory requirements and consolidates provisions addressing personal information infringements and cross-border data transfers. It further introduces leniency clauses allowing administrative penalties to be reduced or waived when violations are minor, promptly corrected, or not intentional.