China: National People’s Congress closes public consultation on Cybersecurity Law (Draft Amendment)

On 11 October 2025, the Parliament of China closes its consultation on the Cybersecurity Law (Amendment Draft). It proposes increasing penalties for network operators and critical information infrastructure operators that fail to fulfil their cybersecurity protection obligations, introducing tiered fines for severe incidents such as large-scale data leaks or loss of critical infrastructure functionality. The Bill also prohibits the sale or provision of network equipment and cybersecurity products without required security certification or testing and increases penalties for engaging in unauthorised cybersecurity certification, testing, or risk assessment activities, or for disclosing cybersecurity vulnerabilities and attack information without approval. Additional provisions penalise critical information infrastructure operators that use network products or services that have not undergone, or have failed, mandatory security reviews. The Bill clarifies the liability for network operators that fail to handle illegal online information in accordance with regulatory requirements and consolidates provisions addressing personal information infringements and cross-border data transfers. It further introduces leniency clauses allowing administrative penalties to be reduced or waived when violations are minor, promptly corrected, or not intentional.