China’s Cybersecurity Law Amendments

The Cyberspace Administration of China has recently issued a new draft of the amendments to the 2021 Cybersecurity Law (CSL) on March 8^th, 2025. The Cybersecurity Law defined its scope thusly:

“This Law is formulated for the purposes of protecting cybersecurity, safeguarding cyberspace sovereignty, national security and public interests, protecting the lawful rights and interests of citizens, legal persons and other organizations, and promoting the sound development of economic and social informatization” (Article 1)

“This Law shall apply to the construction, operation, maintenance and use of networks as well as the supervision and administration of cybersecurity within the territory of the People’s Republic of China.” (Article 2)

The purpose of the amendments is to reconcile the Cybersecurity Law’s lower fines in comparison with financial penalties stipulated in  the Data Security Law and the Personal Information Protection Law. These discrepancies  created a peculiar sort of legal insecurity and lacunae by which non-compliant operators tried to seep in between the cracks and get away with their many violations. In response to such challenges, an initial draft of the amendments to the CSL was released in 2022 but was never finalized.

The recent amendments are an attempt to:

1.     Align the CSL with China’s broader cybersecurity and data  framework, like the Data Security Law and the Personal Information Protection Law, creating a unified framework for ybersecurity in China;

2.   Create a more effective deterrence against any type of data violation via harsher penalties and clearer enforcement mechanisms, ensuring a better enforcement of the law and an effective deterrence against any kind of data violation and better compliance across businesses and  industries; the enhancement of cyber threats risk prevention.

Key changes:

The amendments to Article 54 provide harsher penalties

·         Fines are now scaled based on consequences (scaling from general to severe violations) and the amendments introduce license revocation for severe violations.

The newly added Article 61 ensures that only certified cybersecurity products are sold in the Market by imposing a harsh set of penalties for any violation of such requirement, from confiscation of illegal gains to fines equaling to RMB 30k-100k.

Articles62 and 63 broaden the scope of application by not only mentioning the shutting down of non-compliant websites, but also non-compliant applications.