posted 3 hours ago
Below is a brief overview of the most recent developments and key takeaways from the revised draft of the Cybersecurity Law (“Revised Draft”[1]), issued on March 28, 2025 by the Cyberspace Administration of China (“CAC”). This marks the second public revision since the law became effective in June 2017 and reflects a concerted effort in 5 areas to enhance legal clarity and enforcement practices.
1. Enhance Legal Framework Integration
a) The Revised Draft aims to better align the Cybersecurity Law with other regulatory frameworks – including the Personal Information Protection Law and the Data Security Law – ensuring a cohesive approach to protecting national security, personal data, and public interests.
b) It explicitly provides for smoother coordination between legal provisions, avoiding duplication while reinforcing regulatory consistency.
2. Refine the Classification of Offenses and Tiers of Penalties
a) The Revised Draft introduces a refined, three-tier scale for offenses: general offenses, aggravated cases, and particularly severe situations (e.g., massive data breaches or critical information infrastructure failures).
b) Compared with the currently effective version, penalty ranges have been significantly raised. For instance, fines for network operators now range from modest amounts for initial breaches to substantially higher sums for severe consequences, with specific rules applicable to both enterprise and individual liabilities.
c) The provision “violations shall be punished upon occurrence” revises the previous rule that penalties were only imposed after repeated violations, emphasizing direct accountability.
| Offenses: Tier | Offenses: Specifics | Penalties: Enterprise | Penalties: Directly Responsible Individual |
|---|---|---|---|
| General Offenses | Network Operators | 1) Order for corrections; 2) Issue a warning; 3) Possible fine of 10,000 RMB to 50,000 RMB. | / |
| General Offenses | Critical Information Infrastructure Operator (“CIIO”) | 1) Order for corrections; 2) Issue a warning; 3) Fine of 50,000 RMB to 100,000 RMB. | / |
| Aggravated Cases: refusal to correct; leading to consequences such as cyber security incidents, etc. | Network Operators | Fine of 50,000 RMB to 500,000 RMB. | Fine of 10,000 RMB to 100,000 RMB |
| Aggravated Cases: refusal to correct; leading to consequences such as cyber security incidents, etc. | CIIO | Fine of 100,000 RMB to 1,000,000 RMB. | Fine of 10,000 RMB to 100,000 RMB |
| Particularly Serious Situations | (1) Causing massive data leakage; (2) Leading to severe consequences such as critical information infrastructure’s partial loss of functionalities | 1) Fine of 500,000 RMB to 2,000,000 RMB; 2) Ordered to suspend related business, shut down for rectification, close websites or applications; 3) Revocation of related business permits or business licenses. | Fine of 50,000 RMB to 200,000 RMB |
| Particularly Serious Situations | Leading to particularly serious consequences such as critical information infrastructure’s total loss of functionalities, etc. | 1) Fine of 2,000,000 RMB to 10,000,000 RMB; 2) Ordered to suspend related business, shut down for rectification, close websites or applications; 3) Revocation of related business permits or business licenses. | Fine of 200,000 RMB to 1,000,000 RMB |
3. Focus on Critical Information Infrastructure and Cybersecurity Products
a) New provisions clarify that sales or provision of network-critical equipment and cybersecurity-specific products must meet mandatory security certification standards.
b) This move addresses a previous regulatory gap by explicitly establishing legal liability for distributing non-compliant or insecure products.
4. Strengthen Enforcement and Flexible Discretion
a) The Revised Draft introduces a “leniency principle” in administrative penalties, allowing for reduced or waived penalties when operators proactively mitigate harm or promptly rectify breaches.
b) Enhanced enforcement measures now include the potential for business suspension, license revocation, or mandated operational corrections, particularly for non-compliance that affects network integrity or national security.
5. Emphasis on Platform Responsibility and Coordinated Governance
a) There is a notable shift in the regulatory approach towards online platforms. Rather than imposing direct content-related penalties, the focus has shifted to strengthening overall compliance systems and robustness of internal controls.
b) Operators are encouraged to develop technical and procedural safeguard measures, including user traceability and emergency response mechanisms, to effectively manage and mitigate risks.
Concurrent Regulatory Initiatives
Notably, on the same day as the draft release, regulatory authorities launched this year’s special enforcement action plan[2] aimed at personal information protection. This action covers mobile applications, SDKs, and smart devices, among other areas, signalling an intensified crackdown on data and cybersecurity-related non-compliance.
In summary, the Revised Draft reflects a balanced approach between stringent penalties for serious breaches and more flexible measures for early remediation. Businesses are strongly encouraged to conduct a thorough review of their cybersecurity protocols and compliance frameworks, ensuring that internal management systems remain aligned with these evolving regulatory requirements. The consultation ends on April 27, 2025, and comments can be submitted via email or postal mail to the CAC.
Should you have any questions or require further analysis on how these changes may impact your operations, please do not hesitate to contact our team.
Data Protection Team
Global Law Office