China: Cybersecurity Law Amendment enters into force

On 1 January 2026, the Cybersecurity Law Amendment enters into force. The amendment introduces a new article stipulating that cybersecurity governance shall follow the leadership of the Communist Party of China and align with the national security framework. It also expands the law to cover the development and oversight of artificial intelligence, including research, infrastructure, ethical standards, and supervision mechanisms. The provisions on personal information handling have been revised to require network operators to comply with the Cybersecurity Law, the Civil Code, the Personal Information Protection Law, and related regulations. Penalties for non-compliance with cybersecurity obligations have been updated, increasing fines for incidents that endanger network security or result in significant data breaches. Additional provisions address violations involving uncertified network equipment, unauthorised disclosure of cybersecurity information, and the use of unapproved network products by operators of critical information infrastructure. Sanctions may include business suspension, licence revocation, and fines of up to RMB 10 million in serious cases. The amendment also consolidates and renumbers several articles, aligns penalties with the Administrative Penalty Law, and allows for mitigation or exemption of sanctions under certain circumstances. Furthermore, it introduces measures such as asset freezes against foreign entities engaged in activities that harm the cybersecurity of the People’s Republic of China.