Over the past few months, Chinese regulators have taken steps to update the country’s cybersecurity framework, with a particular focus on artificial intelligence (AI) safety and clarifying incident reporting obligations for onshore infrastructure. These developments reflect a broader trend toward more proactive AI and cyber governance and could signal priorities for the year ahead.
Cybersecurity Law Amendments Take Effect January 1, 2026 to Support AI and Expand Enforcement
Originally enacted in 2017, China’s Cybersecurity Law (CSL) has served as the foundational legal framework for regulating network operations, protecting personal information, and securing critical information infrastructure. In October 2025, the Standing Committee of the National People’s Congress released a set of formal amendments to the CSL—the first major update since its enactment—intended to align the law with newer legislation and address emerging risks, including those related to artificial intelligence and cross-border cyber threats. These amendments will take effect on January 1, 2026.
While the amendments span a wide range of provisions, this post highlights several of the more consequential changes for multinational companies. Other revisions include updates to enforcement provisions, such as increased penalty thresholds and expanded liability for violations.
- State Support for AI Development and Safety
A newly proposed article affirms national support for AI development, marking the first explicit reference to artificial intelligence in the CSL. The provision outlines a multi-pronged approach: advancing basic research and algorithmic innovation, expanding access to training data and computing infrastructure, and strengthening ethical norms and safety oversight. It also encourages the use of AI and other emerging technologies to enhance cybersecurity management.
While the amendment signals strategic intent, it does not include detailed policy proposals or implementation mechanisms. However, given the CSL’s role as a high-level foundational law, it is likely that more specific implementing regulations or technical standards will follow in support of these objectives.
- Clarifying Compliance Obligations for Personal Information Processing
The amendments also address a long-standing compliance ambiguity by explicitly requiring network operators to adhere not only to the CSL, but also to the Civil Code and the Personal Information Protection Law (PIPL) when processing personal data. This clarification reinforces the integrated nature of China’s data governance framework and aligns with recommendations from legislative authorities.
- Expanding Extraterritorial Reach on Cyber Attacks
The revised draft broadens the CSL’s extraterritorial scope when dealing with cross-border cyber attacks. Previously limited to overseas activities that harmed critical information infrastructure (CII), the new language covers any foreign conduct that endangers China’s network security. In serious cases, authorities may impose sanctions such as asset freezes or other punitive measures. This expansion could signal a more assertive enforcement posture on offshore activities that may impact China’s networks.
Incident Reporting Measures Take Effect November 1, 2025: Clarifying Obligations for Onshore Infrastructure
China’s incident reporting obligations could become more structured and operationally clear with the implementation of the Administrative Measures for National Cybersecurity Incident Reporting on November 1, 2025. Issued by the Cyberspace Administration of China (CAC) in September 2025, the Measures consolidate and formalize requirements that were previously dispersed across various laws and regulations, including the Cybersecurity Law itself. While not entirely new, this development represents a welcome step towards clarifying expectations—particularly for incidents affecting onshore infrastructure—by setting out defined thresholds, timelines, and reporting procedures in a single, unified framework.
- Scope and Applicability
The Reporting Measures apply to all network operators that build or operate networks in China or provide services through networks located in China. This geographic framing is notable: while many global companies may have Chinese users or data flows, the Measures appear to limit reporting obligations to incidents that occur within China’s borders. This could mean that offshore breaches—even those affecting Chinese data subjects—may fall outside the scope of the Measures.
- Severity Thresholds and Timelines
Incidents are categorized into four levels of severity, with “relatively major” incidents triggering mandatory reporting within 4 hours of discovery. Examples include the leakage of personal information affecting one million or more individuals or direct economic losses exceeding RMB 5 million (approximately USD 700,000). Operators must submit a preliminary report within this window, followed by a full report within 72 hours and a post-incident analysis within 30 days of resolution.
- Reporting Channels and Enforcement
The CAC has provided multiple reporting channels, including a dedicated hotline, website, email, and WeChat platforms, reflecting an effort to streamline compliance and encourage prompt engagement.
Importantly, the Measures also outline enforcement mechanisms: delays, omissions, or false reporting may result in penalties for both the organization and responsible individuals. Under the revised Cybersecurity Law, fines can now reach up to RMB 5 million for entities and RMB 500,000 for individuals. Conversely, timely and transparent reporting may mitigate liability or even exempt operators from penalties.
Looking Ahead
As both the legislative amendments to the Cybersecurity Law and the implementation of the incident reporting Measures continue to evolve, multinational companies should remain attentive to further developments. These changes reflect broader regulatory momentum, and future guidance or enforcement practices—potentially issued by the Cyberspace Administration of China, the Ministry of Public Security, or other relevant authorities—may shape how obligations are interpreted in practice.[1]
[1] This article includes contributions from Mingxin Liu.