Strengthen Legal Liability and Increase Cost of Violations – China Cybersecurity Law 2025 Amendment - MAR 2025
#Compliance#Cybersecurity#Data Security#Law
Uploading Date: 2025-04-30 17:33:44

On March 28, 2025, the Cyberspace Administration of China (CAC) released the second draft amendment to the Cybersecurity Law of the People’s Republic of China (hereinafter referred to as “the Amendment”) for public consultation. This is the second proposed revision since the law came into effect in 2017, following the release of the first draft amendment in 2022.

The Amendment aims to align with China’s evolving national security legal framework, enhance the institutional foundation for cybersecurity governance, establish a unified and coordinated legal liability system, fill regulatory gaps, clarify enforcement mechanisms, and define clear safety baselines and risk thresholds.


Revisions primarily focus on Chapter VI of the Cybersecurity Law, which deals with legal liabilities. The overarching goal is to unify and strengthen the legal liability system and increase the cost of violations.


[Figure: Cybersecurity Law 2025 amendment]



I. Background

Since its implementation in 2017, the Cybersecurity Law has served as a foundational piece of legislation for China's cyberspace governance. The new amendment, released for public consultation on March 28, 2025, marks a renewed legislative effort to enhance China’s national security framework and elevate the country’s cybersecurity governance capabilities.

Key objectives of the revision include:

  • Responding to new national security and data governance imperatives;

  • Addressing enforcement gaps and clarifying legal responsibility;

  • Increasing the cost of violations to enhance deterrence;

  • Strengthening oversight of critical information infrastructure (CII);

  • Elevating compulsory requirements for certification and security testing to legal obligations.


II. Key Changes in the Amendment

1. Increased penalties for violations (Articles 59, 69, etc.)

  • The maximum corporate fine increases from RMB 1 million to RMB 10 million;

  • The maximum individual fine increases to RMB 1 million;

  • Severe consequences such as large-scale data breaches or disruptions to CII operations now trigger the highest tier of penalties.

Purpose: to significantly raise the cost of violations and deter serious non-compliance.

2. Compulsory certification and security testing (New Article 61)

  • Network critical equipment and specialized cybersecurity products must pass certification or testing according to national standards;

  • CAC and relevant departments under the State Council will jointly determine the applicable product catalogue;

  • Non-compliance will lead to heightened penalties.

This elevates technical compliance from regulatory practice to legal obligation: “certify before market entry.”

3. Consolidation and enhancement of legal responsibility provisions (Articles 64, 69, 71)

  • Previously fragmented articles (e.g., Articles 68 and 69) are merged for streamlined enforcement;

  • New cross-reference mechanisms apply the most severe penalties if violations cause serious consequences;

  • Article 71 introduces stricter accountability for violations involving personal information and important data, with special emphasis on CII operators.

Objective: enhance clarity and enforceability under the principle of “equal responsibility, equal penalty.”

4. Introduction of penalty mitigation clauses (New Article 72)

  • Administrative penalties may be reduced or waived for minor violations with minimal harm;

  • However, the definitions of “minor” or “minimal harm” remain vague, raising concerns about inconsistent enforcement.

This clause offers flexibility and appeal options for businesses, but may create legal uncertainties in practice.


III. Potential Impact on Enterprises and Stakeholders

(1) Rising compliance costs

  • Increased penalty ceilings pose financial risks for mid- and large-sized enterprises, particularly in tech sectors;

  • Suppliers and service providers in CII-related industries (e.g., ICT, cloud services) must ensure product conformity with certification/testing requirements.

(2) More flexible, yet less predictable enforcement

  • Although penalty mitigation provisions suggest leniency, the lack of clear criteria could lead to inconsistent interpretations;

  • Enterprises must closely monitor how local enforcement authorities apply terms such as “minor violation” and “minimal harm.”

(3) Greater exposure for foreign businesses

  • While foreign companies are unlikely to be classified as CII operators, their products/services involved in CII scenarios are still subject to relevant clauses;

  • Businesses operating in telecom, energy, transport, and data platform sectors in China must remain vigilant.


IV. Recommendations

  1. Proactively assess whether your products/services fall under the CAC certification/testing catalogue;

  2. Strengthen internal compliance programs to address new provisions in the Cybersecurity Law;

  3. Clarify responsibility and data security mechanisms in CII-related business operations;

  4. Foreign businesses are advised to consult with local compliance experts to assess risk, particularly in CII-linked supply chains;

  5. Stay informed on the final legislative version and supporting implementation guidelines and adjust strategies accordingly.


Sector-Specific Implications and Compliance Strategies

A. Cloud Computing Sector

Risks & Impacts

  • High risk of CII association: Cloud services supporting finance, government, or transportation sectors are likely considered part of the CII ecosystem;

  • Mandatory certification/testing (Article 61): Core infrastructure like virtual machines, security gateways, and databases may require prior CAC approval;

  • Data breach liability (Article 59): Major data leaks or service outages could trigger the highest tier of penalties (up to RMB 10 million).

Recommendations

  • Clarify whether your operations classify as CII or CII service providers;

  • Conduct certification pathway assessments for infrastructure components (domestic or imported);

  • Design detailed customer data protection agreements to manage shared liability;

  • Develop and file emergency response plans for cybersecurity incidents.



B. Automotive Industry (especially Intelligent & Connected Vehicles)

Risks & Impacts

  • Vehicle systems under cybersecurity product scope (Articles 22, 61):

    • Smart cockpits, OTA platforms, T-BOX modules may require security certification/testing;

  • Personal data violations incur heavier penalties (Article 71):

    • Processing driving behavior, location data, or voice recordings without consent can trigger significant fines;

  • CII-related platform disruptions (Article 59):

    • In-house or third-party telematics/cloud platforms going offline may be deemed CII incidents.

Recommendations

  • Conduct compliance audits of vehicle networking and software systems;

  • Clarify data handling responsibilities across suppliers, OEMs, and dealers;

  • Ensure OTA platforms support logging, rollback, and intrusion prevention;

  • Prepare for cross-border data transfer risk assessments and filings.



C. Platform Economy (e-Commerce, App Providers, Social Platforms)

Risks & Impacts

  • Dual responsibility for content and product security (Articles 48, 22):

    • Includes user content review and App code security scanning;

  • Severe penalties for malware or security flaws—now also apply to App download platforms;

  • Articles 68 & 69 merged with heavier sanctions:

    • Illegal data collection or failure to moderate illegal content could trigger fines up to RMB 10 million;

  • User data breach triggers Article 64 liability;

  • Penalty mitigation clause (Article 72) lacks clarity—post-violation corrections may not suffice.

Recommendations

  • Establish a vulnerability reporting and patching mechanism before App release;

  • Enforce stricter real-name verification and activity logging for vendors and publishers;

  • Conduct algorithm and content distribution compliance assessments;

  • Improve cross-border data governance (e.g., standard contracts or security assessments);

  • Engage with local CAC offices for enforcement guidance and regulatory clarity.



V. Cross-Sector Compliance Checklist


Category: Recommendation

  • Compliance Mapping: Identify CII status, critical equipment, and personal/important data processing;

  • Risk Response: Prepare incident response plans, data breach protocols, and vulnerability handling;

  • Liability Clarity: Sign compliance clauses with suppliers/partners to clarify security obligations;

  • Certification Prep: Check product lists for CAC certification/testing requirements;

  • Regulatory Contact: Monitor local enforcement trends; participate in consultations for clarity.


