On January 1, 2026, China’s amended Cybersecurity Law came into force. First enacted in 2016 and effective in 2017, the law serves as the core legislation in China’s cybersecurity legal framework and has remained unchanged until now. The 14-article amendment, adopted by the National People’s Congress Standing Committee in October 2025, affirms state support for the development of artificial intelligence, increases fines for violations of cybersecurity obligations, expands the extraterritorial effect of the law, and makes other revisions.
New Article on AI Development and Cybersecurity
The amendment added a new article 20 to the Cybersecurity Law that specifically addresses AI, declaring the state will support basic theoretical AI research and the development of algorithms and other key technologies. The state will also support the construction of data-training resources, computing power, and other infrastructure. Additionally, it will encourage the use of innovative technologies such as AI to enhance cybersecurity protections.
Higher Fines for Failing to Fulfill Cybersecurity Obligations
The amendment increases the penalties for network operators and critical information infrastructure operators (CIIO) that fail to fulfill cybersecurity protection obligations. Under article 59 of the old Cybersecurity Law, the maximum fine for CIIOs in these cases was 1 million yuan Renminbi (RMB) (about US$143,000), and the maximum fine for other network operators was RMB100,000 (about US$14,300).
The amendment renumbers article 59 as article 61 and raises the maximum fine for CIIOs to RMB10 million (about US$1.43 million) when their acts result in “especially grave” consequences that endanger cybersecurity, such as a loss of major functions of critical information infrastructure. The amendment also raises the maximum fine to RMB2 million (about US$286,000) for other network operators if their acts result in grave consequences, such as a large-scale data leak.
Expanded Extraterritorial Effect
The amendment expands the Cybersecurity Law’s extraterritorial scope, stating that it applies not only to overseas conduct harming China’s critical information infrastructure but to any overseas conduct that harms China’s cybersecurity. Article 75 of the old law provided that any overseas institution, organization, or individual that engaged in attacks, intrusions, interference, damage, or other activities targeting critical information infrastructure in China and resulting in grave consequences would be held legally responsible. In these cases, China’s Ministry of Public Security and other relevant Chinese authorities may also impose sanctions, such as freezing assets, against those overseas parties.
Article 75 has been renumbered as article 77 and now provides that overseas parties performing any activities that endanger the cybersecurity of the People’s Republic of China will be held legally responsible, and sanctions may be imposed “when the activities result in grave consequences.”
Laney Zhang, Law Library of Congress
January 8, 2026
Read more Global Legal Monitor articles.
Read Law Library reports on China.