China Legal Notes

Cybersecurity Law (2025 Amendment)

网络安全法(2025修正) — Full English translation

Cybersecurity Law of the People's Republic of China

中华人民共和国网络安全法


The Chinese text of this document is the authentic version. The English translation is for reference only.

(Adopted at the 24th Session of the Standing Committee of the 12th National People's Congress on November 7, 2016; amended in accordance with the Decision on Amending the Cybersecurity Law of the People's Republic of China at the 18th Session of the Standing Committee of the 14th National People's Congress on October 28, 2025)

2025 Amendment (Effective January 1, 2026)

This text incorporates the October 2025 amendments to the Cybersecurity Law. Key changes include: a new provision on CPC leadership (Article 3), AI governance provisions (Article 20), substantially increased penalties throughout Chapter VI, and enhanced enforcement mechanisms for serious cybersecurity incidents.



Chapter I — General Provisions

Article 1

This Law is enacted for the purposes of safeguarding cybersecurity, preserving cyberspace sovereignty and national security as well as the public interest of society, protecting the lawful rights and interests of citizens, legal persons, and other organizations, and promoting the sound development of informatization of the economy and society.

Article 2

This Law applies to the construction, operation, maintenance, and use of networks, as well as the supervision and administration of cybersecurity, within the territory of the People's Republic of China.

Article 3

Cybersecurity work shall uphold the leadership of the Communist Party of China, implement the holistic national security concept, coordinate development and security, and advance the building of a strong cyber nation.

Article 4

The State adheres to the principle of attaching equal importance to cybersecurity and informatization development, follows the guidelines of proactive utilization, scientific development, administration according to law, and ensuring security, advances the construction of network infrastructure and interconnectivity, encourages innovation and application of network technologies, supports the cultivation of cybersecurity talent, establishes and improves the cybersecurity safeguard system, and enhances cybersecurity protection capabilities.

Article 5

The State formulates and continually refines the cybersecurity strategy, clarifies the fundamental requirements and principal objectives for safeguarding cybersecurity, and puts forward cybersecurity policies, work tasks, and measures for key areas.

Article 6

The State adopts measures to monitor, defend against, and handle cybersecurity risks and threats originating from both within and outside the territory of the People's Republic of China, protects critical information infrastructure from attacks, intrusions, interference, and destruction, punishes illegal and criminal activities conducted through networks in accordance with law, and maintains the security and order of cyberspace.

Article 7

The State advocates honest, trustworthy, healthy, and civilized conduct on networks, promotes the dissemination of core socialist values, adopts measures to raise the awareness and level of cybersecurity throughout society, and fosters an environment in which the entire society jointly participates in promoting cybersecurity.

Article 8

The State actively conducts international exchanges and cooperation in the areas of cyberspace governance, research and development of network technologies, formulation of standards, combating illegal and criminal activities on networks, and other areas, promotes the building of a peaceful, secure, open, and cooperative cyberspace, and establishes a multilateral, democratic, and transparent network governance system.

Article 9

The national cyberspace authority is responsible for the overall coordination of cybersecurity work and related supervision and administration. The telecommunications department and the public security department under the State Council, and other relevant organs, shall be responsible for cybersecurity protection, supervision, and administration within their respective areas of responsibility, in accordance with this Law and relevant laws and administrative regulations.

The cybersecurity protection, supervision, and administration duties of relevant departments of local people's governments at or above the county level shall be determined in accordance with relevant national provisions.

Article 10

Network operators conducting business and service activities must comply with laws and administrative regulations, respect social ethics, observe business ethics, act in good faith, fulfill cybersecurity protection obligations, accept supervision from the government and the public, and bear social responsibility.

Article 11

The construction and operation of networks, or the provision of services through networks, shall comply with the provisions of laws and administrative regulations and the mandatory requirements of national standards, and adopt technical measures and other necessary measures to safeguard network security and stable operation, effectively respond to cybersecurity incidents, prevent illegal and criminal activities on networks, and maintain the integrity, confidentiality, and availability of network data.

Article 12

Network-related industry organizations shall, in accordance with their charters, strengthen industry self-discipline, formulate codes of conduct for cybersecurity, guide members in strengthening cybersecurity protection, improve the level of cybersecurity protection, and promote the healthy development of the industry.

Article 13

The State protects the rights of citizens, legal persons, and other organizations to use networks in accordance with law, promotes universal network access, improves the level of network services, provides safe and convenient network services to society, and ensures the lawful, orderly, and free flow of network information.

Any individual or organization using networks shall comply with the Constitution and laws, observe public order, and respect social ethics; shall not endanger cybersecurity; and shall not use networks to engage in activities that endanger national security, honor, or interests, incite subversion of state power or overthrow of the socialist system, incite separatism or undermine national unity, advocate terrorism or extremism, advocate ethnic hatred or ethnic discrimination, disseminate violent, obscene, or pornographic information, fabricate or disseminate false information to disrupt the economic or social order, or infringe upon the reputation, privacy, intellectual property, or other lawful rights and interests of others.

Article 14

The State supports the research and development of network products and services conducive to the healthy growth of minors, punishes in accordance with law the use of networks to engage in activities harmful to the physical and mental health of minors, and provides a safe and healthy network environment for minors.

Article 15

Any individual or organization shall have the right to report conduct endangering cybersecurity to the cyberspace authority, telecommunications department, public security department, and other departments. The department receiving the report shall promptly handle it in accordance with law; where the matter does not fall within the duties of that department, it shall promptly refer it to the department with authority to handle it.

The relevant departments shall keep confidential the relevant information of the informant and protect the lawful rights and interests of the informant.


Chapter II — Cybersecurity Support and Promotion

Article 16

The State establishes and improves the cybersecurity standards system. The standardization administrative department under the State Council and other relevant departments under the State Council shall, according to their respective duties, organize the formulation and timely revision of national standards and industry standards for cybersecurity management and for the security of network products, services, and operations.

The State supports the participation of enterprises, research institutions, institutions of higher learning, and network-related industry organizations in the formulation of national and industry standards for cybersecurity.

Article 17

The State Council and the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall make overall plans, increase investment, support key cybersecurity technology industries and projects, support the research, development, and application of cybersecurity technologies, promote safe and trustworthy network products and services, protect intellectual property rights in network technologies, and support the participation of enterprises, research institutions, institutions of higher learning, and other entities in national cybersecurity technology innovation projects.

Article 18

The State promotes the construction of a socialized cybersecurity service system and encourages relevant enterprises and institutions to carry out cybersecurity certification, testing, risk assessment, and other security services.

Article 19

The State encourages the development of technologies for the protection and utilization of network data security, promotes the opening of public data resources, and drives technological innovation and economic and social development.

Article 20

The State supports basic theoretical research on artificial intelligence and the research and development of key technologies such as algorithms, promotes the construction of infrastructure such as training data resources and computing power, improves ethical norms for artificial intelligence, strengthens risk monitoring, assessment, and security supervision, and promotes the application and healthy development of artificial intelligence.

The State supports innovative approaches to cybersecurity management, leveraging artificial intelligence and other new technologies to enhance the level of cybersecurity protection.

Article 21

People's governments at all levels and their relevant departments shall organize and carry out regular cybersecurity awareness education, and guide and supervise relevant entities in conducting cybersecurity awareness education.

Mass media shall conduct targeted cybersecurity awareness education for the public.

Article 22

The State supports enterprises and education and training institutions such as institutions of higher learning and vocational schools in conducting cybersecurity-related education and training, adopts multiple approaches to cultivate cybersecurity talent, and promotes the exchange of cybersecurity professionals.


Chapter III — Network Operations Security

Section 1 — General Provisions

Article 23

The State implements a tiered cybersecurity protection system. Network operators shall, in accordance with the requirements of the tiered cybersecurity protection system, fulfill the following security protection obligations to safeguard networks from interference, destruction, or unauthorized access, and to prevent network data from being leaked, stolen, or tampered with:

  1. Formulate internal security management systems and operating procedures, designate persons responsible for cybersecurity, and implement cybersecurity protection responsibilities;

  2. Adopt technical measures to prevent computer viruses, network attacks, network intrusions, and other conduct endangering cybersecurity;

  3. Adopt technical measures to monitor and record network operating status and cybersecurity incidents, and retain relevant network logs for no fewer than six months in accordance with applicable provisions;

  4. Adopt measures such as data classification, backup of important data, and encryption;

  5. Other obligations as prescribed by laws and administrative regulations.

Article 24

Network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services shall not install malicious programs; upon discovering security defects, vulnerabilities, or other risks in their network products or services, they shall immediately take remedial measures and, in accordance with applicable provisions, promptly notify users and report to the relevant competent departments.

Providers of network products and services shall continuously provide security maintenance for their products and services; they shall not cease providing security maintenance within the time period prescribed or agreed upon by the parties.

Where network products or services have the function of collecting user information, their providers shall clearly inform users and obtain their consent; where personal information is involved, they shall also comply with the provisions of this Law and relevant laws and administrative regulations on the protection of personal information.

Article 25

Critical network equipment and specialized cybersecurity products shall, in accordance with the mandatory requirements of relevant national standards, undergo security certification by a qualified institution or pass security testing before they may be sold or provided. The national cyberspace authority, together with relevant departments under the State Council, shall formulate and publish a catalog of critical network equipment and specialized cybersecurity products, and promote mutual recognition of security certification and security testing results to avoid duplicative certification and testing.

Article 26

When network operators provide users with network access and domain name registration services, handle procedures for fixed-line telephone, mobile telephone, or other network access, or provide users with information publishing, instant messaging, or other services, they shall require users to provide authentic identity information when entering into agreements with users or confirming the provision of services. Where users do not provide authentic identity information, network operators shall not provide them with the relevant services.

The State implements a trusted network identity strategy, supports the research and development of secure and convenient electronic identity authentication technologies, and promotes mutual recognition among different electronic identity authentication systems.

Article 27

Network operators shall formulate emergency response plans for cybersecurity incidents and promptly handle security risks such as system vulnerabilities, computer viruses, network attacks, and network intrusions; when an incident endangering cybersecurity occurs, they shall immediately activate the emergency response plan, adopt corresponding remedial measures, and report to the relevant competent departments in accordance with applicable provisions.

Article 28

The conduct of cybersecurity certification, testing, risk assessment, or other such activities, and the public release of cybersecurity information such as system vulnerabilities, computer viruses, network attacks, and network intrusions, shall comply with relevant national provisions.

Article 29

No individual or organization shall engage in illegally intruding into the networks of others, interfering with the normal functioning of the networks of others, stealing network data, or other activities endangering cybersecurity; nor shall they provide programs or tools specifically designed for engaging in network intrusion, interference with normal network functioning and protective measures, theft of network data, or other activities endangering cybersecurity; nor shall they, knowing that another person is engaged in activities endangering cybersecurity, provide that person with technical support, advertising, promotion, payment settlement, or other assistance.

Article 30

Network operators shall provide technical support and assistance to public security organs and state security organs for their lawful activities in maintaining national security and investigating crimes.

Article 31

The State supports cooperation among network operators in the collection, analysis, notification, and emergency response of cybersecurity information, so as to enhance the security safeguard capabilities of network operators.

Relevant industry organizations shall establish and improve cybersecurity protection standards and coordination mechanisms for their industries, strengthen analysis and assessment of cybersecurity risks, periodically issue risk warnings to members, and support and assist members in responding to cybersecurity risks.

Article 32

Information obtained by cyberspace authorities and relevant departments in the course of fulfilling their cybersecurity protection duties may only be used for the purpose of maintaining cybersecurity and shall not be used for other purposes.

Section 2 — Operational Security of Critical Information Infrastructure

Article 33

The State shall, on the basis of the tiered cybersecurity protection system, implement enhanced protection for critical information infrastructure in important industries and sectors such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other critical information infrastructure the destruction, loss of function, or data leakage of which may seriously endanger national security, the national economy and people's livelihoods, or the public interest. The specific scope and security protection measures for critical information infrastructure shall be formulated by the State Council.

The State encourages network operators other than those operating critical information infrastructure to voluntarily participate in the critical information infrastructure protection system.

Article 34

In accordance with the division of duties prescribed by the State Council, the departments responsible for the security protection of critical information infrastructure shall respectively formulate and organize the implementation of security plans for the critical information infrastructure in their respective industries and sectors, and guide and supervise security protection efforts for the operation of critical information infrastructure.

Article 35

The construction of critical information infrastructure shall ensure that it has the capability to support the stable and continuous operation of business, and that security technical measures are planned, constructed, and put into use simultaneously.

Article 36

In addition to the obligations prescribed in Article 23 of this Law, operators of critical information infrastructure shall also fulfill the following security protection obligations:

  1. Establish dedicated security management bodies and designate persons responsible for security management, and conduct security background reviews of such responsible persons and personnel in key positions;

  2. Regularly conduct cybersecurity education, technical training, and skills assessment for employees;

  3. Carry out disaster recovery backups of important systems and databases;

  4. Formulate emergency response plans for cybersecurity incidents and regularly conduct drills;

  5. Other obligations as prescribed by laws and administrative regulations.

Article 37

Where the procurement of network products and services by operators of critical information infrastructure may affect national security, such procurement shall undergo a national security review organized by the national cyberspace authority together with relevant departments under the State Council.

Article 38

Operators of critical information infrastructure procuring network products and services shall, in accordance with applicable provisions, enter into security and confidentiality agreements with providers, specifying the obligations and responsibilities for security and confidentiality.

Article 39

Personal information and important data collected and generated during the operations of critical information infrastructure operators within the territory of the People's Republic of China shall be stored domestically. Where it is genuinely necessary to provide such data abroad due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace authority together with relevant departments under the State Council; where laws or administrative regulations provide otherwise, those provisions shall prevail.

Article 40

Operators of critical information infrastructure shall, either on their own or by engaging a cybersecurity service provider, conduct at least one annual assessment and evaluation of the security of their networks and potential risks, and submit the assessment and evaluation findings and improvement measures to the relevant department responsible for the security protection of critical information infrastructure.

Article 41

The national cyberspace authority shall coordinate relevant departments in adopting the following measures for the security protection of critical information infrastructure:

  1. Conduct random inspections and testing of security risks in critical information infrastructure, propose improvement measures, and, when necessary, engage cybersecurity service providers to conduct security risk assessment and evaluation of the networks;

  2. Regularly organize operators of critical information infrastructure to conduct cybersecurity emergency drills, so as to improve the level and collaborative response capacity for handling cybersecurity incidents;

  3. Facilitate the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure, and relevant research institutions and cybersecurity service providers;

  4. Provide technical support and assistance for emergency response to cybersecurity incidents and restoration of network functions.


Chapter IV — Network Information Security

Article 42

Network operators shall maintain strict confidentiality of the user information they collect and shall establish and improve user information protection systems.

Network operators processing personal information shall comply with the provisions of this Law, the Civil Code of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other laws and administrative regulations.

Article 43

Network operators collecting and using personal information shall follow the principles of lawfulness, legitimacy, and necessity, publicly disclose the rules for collection and use, expressly state the purposes, methods, and scope of collecting and using information, and obtain the consent of the individual whose information is collected.

Network operators shall not collect personal information unrelated to the services they provide, shall not collect or use personal information in violation of the provisions of laws, administrative regulations, or the agreements of the parties, and shall process the personal information they store in accordance with the provisions of laws, administrative regulations, and agreements with users.

Article 44

Network operators shall not disclose, tamper with, or destroy personal information they have collected; without the consent of the individual whose information was collected, they shall not provide personal information to others. However, this does not apply where the information has been processed so that a specific individual cannot be identified and the original data cannot be restored.

Network operators shall adopt technical measures and other necessary measures to ensure the security of the personal information they have collected and prevent information disclosure, damage, or loss. When the disclosure, damage, or loss of personal information occurs or may occur, they shall immediately take remedial measures and, in accordance with applicable provisions, promptly notify users and report to the relevant competent departments.

Article 45

Where an individual discovers that a network operator has collected or used their personal information in violation of the provisions of laws, administrative regulations, or the agreements of the parties, the individual shall have the right to request the network operator to delete their personal information; where the individual discovers that personal information collected or stored by a network operator contains errors, the individual shall have the right to request the network operator to make corrections. The network operator shall take measures to carry out the deletion or correction.

Article 46

No individual or organization shall steal or otherwise illegally obtain personal information, nor shall they illegally sell or illegally provide personal information to others.

Article 47

Departments having cybersecurity supervision and administration duties in accordance with law, and their personnel, must maintain strict confidentiality of personal information, privacy, and trade secrets that come to their knowledge in the course of fulfilling their duties, and shall not disclose, sell, or illegally provide such information to others.

Article 48

Any individual or organization shall be responsible for their use of networks, and shall not establish websites or communications groups for the purpose of carrying out fraud, imparting criminal methods, manufacturing or selling prohibited items, controlled items, or other illegal or criminal activities, nor shall they use networks to publish information relating to the carrying out of fraud, manufacturing or selling prohibited items, controlled items, or other illegal or criminal activities.

Article 49

Network operators shall strengthen the management of information published by their users and, upon discovering information the publication or transmission of which is prohibited by laws or administrative regulations, shall immediately cease the transmission of such information, take remedial measures such as deletion to prevent the information from spreading, retain relevant records, and report to the relevant competent departments.

Article 50

Electronic information sent or application software provided by any individual or organization shall not contain malicious programs and shall not contain information the publication or transmission of which is prohibited by laws or administrative regulations.

Electronic information transmission service providers and application software download service providers shall fulfill their security management obligations and, where they are aware that their users have engaged in the conduct described in the preceding paragraph, shall cease providing services, take remedial measures such as deletion, retain relevant records, and report to the relevant competent departments.

Article 51

Network operators shall establish systems for complaints and reports regarding network information security, publicly disclose the methods for filing complaints and reports and other relevant information, and promptly accept and handle complaints and reports relating to network information security.

Network operators shall cooperate with the supervision and inspections lawfully conducted by cyberspace authorities and relevant departments.

Article 52

Where the national cyberspace authority and relevant departments, in the course of performing their network information security supervision and administration duties in accordance with law, discover information the publication or transmission of which is prohibited by laws or administrative regulations, they shall require the network operator to cease transmission, take remedial measures such as deletion, and retain relevant records; for such information originating from outside the territory of the People's Republic of China, they shall notify the relevant institutions to adopt technical measures and other necessary measures to block its dissemination.


Chapter V — Monitoring, Early Warning, and Emergency Response

Article 53

The State establishes a cybersecurity monitoring and early warning and information notification system. The national cyberspace authority shall coordinate relevant departments in strengthening the collection, analysis, and notification of cybersecurity information, and shall, in accordance with applicable provisions, issue cybersecurity monitoring and early warning information in a unified manner.

Article 54

Departments responsible for the security protection of critical information infrastructure shall establish and improve cybersecurity monitoring and early warning and information notification systems for their respective industries and sectors, and report cybersecurity monitoring and early warning information in accordance with applicable provisions.

Article 55

The national cyberspace authority shall coordinate relevant departments in establishing and improving cybersecurity risk assessment and emergency response mechanisms, formulate cybersecurity incident emergency response plans, and regularly organize drills.

Departments responsible for the security protection of critical information infrastructure shall formulate cybersecurity incident emergency response plans for their respective industries and sectors and regularly organize drills.

Cybersecurity incident emergency response plans shall classify cybersecurity incidents based on factors such as the degree of harm and scope of impact following the occurrence of an incident, and shall specify corresponding emergency response measures.

Article 56

When the risk of a cybersecurity incident increases, the relevant departments of people's governments at or above the provincial level shall, in accordance with the prescribed authority and procedures, and based on the characteristics of the cybersecurity risk and the potential harm, adopt the following measures:

  1. Require relevant departments, institutions, and personnel to promptly collect and report relevant information, and strengthen monitoring of cybersecurity risks;

  2. Organize relevant departments, institutions, and professional personnel to analyze and assess cybersecurity risk information, and forecast the likelihood of the occurrence of an incident, the scope of its impact, and the degree of harm;

  3. Issue cybersecurity risk warnings to the public, and publish measures for avoiding or mitigating harm.

Article 57

Upon the occurrence of a cybersecurity incident, the cybersecurity incident emergency response plan shall be immediately activated, the cybersecurity incident shall be investigated and assessed, network operators shall be required to adopt technical measures and other necessary measures to eliminate security risks and prevent the expansion of harm, and warning information relevant to the public shall be promptly issued.

Article 58

Where relevant departments of people's governments at or above the provincial level, in the course of performing their cybersecurity supervision and administration duties, discover that a network poses a relatively significant security risk or that a security incident has occurred, they may, in accordance with the prescribed authority and procedures, summon the legal representative or principal person in charge of the network operator for an interview. The network operator shall, as required, adopt measures to carry out rectification and eliminate the risk.

Article 59

Where emergencies or workplace safety accidents occur as a result of cybersecurity incidents, they shall be handled in accordance with the provisions of the Emergency Response Law of the People's Republic of China, the Work Safety Law of the People's Republic of China, and other relevant laws and administrative regulations.

Article 60

Where it is necessary to maintain national security and social public order and to respond to major emergencies involving public security, the State Council may decide or approve the adoption of temporary measures such as restrictions on network communications in specific areas.


Article 61

Where a network operator fails to fulfill the cybersecurity protection obligations prescribed in Articles 23 and 27 of this Law, the relevant competent department shall order corrections and issue a warning, and may impose a fine of not less than RMB 10,000 but not more than RMB 50,000; where the operator refuses to make corrections or the violation results in harm to cybersecurity or other consequences, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and the directly responsible person(s) in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Where an operator of critical information infrastructure fails to fulfill the cybersecurity protection obligations prescribed in Articles 35, 36, 38, and 40 of this Law, the relevant competent department shall order corrections and issue a warning, and may impose a fine of not less than RMB 50,000 but not more than RMB 100,000; where the operator refuses to make corrections or the violation results in harm to cybersecurity or other consequences, a fine of not less than RMB 100,000 but not more than RMB 1,000,000 shall be imposed, and the directly responsible person(s) in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Where the conduct described in the preceding two paragraphs causes serious consequences harmful to cybersecurity, such as the leakage of a large volume of data or the loss of partial functions of critical information infrastructure, the relevant competent department shall impose a fine of not less than RMB 500,000 but not more than RMB 2,000,000 on the entity, and fines of not less than RMB 50,000 but not more than RMB 200,000 on the directly responsible person(s) in charge and other directly responsible personnel; where especially serious consequences harmful to cybersecurity are caused, such as the loss of primary functions of critical information infrastructure, a fine of not less than RMB 2,000,000 but not more than RMB 10,000,000 shall be imposed on the entity, and fines of not less than RMB 200,000 but not more than RMB 1,000,000 shall be imposed on the directly responsible person(s) in charge and other directly responsible personnel.

Article 62

Where any of the following acts is committed in violation of Article 24, paragraphs 1 and 2, and Article 50, paragraph 1, of this Law, the relevant competent department shall order corrections and issue a warning; where corrections are refused or the violation results in harm to cybersecurity or other consequences, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and the directly responsible person(s) in charge shall be fined not less than RMB 10,000 but not more than RMB 100,000:

  1. Installing malicious programs;

  2. Failing to immediately take remedial measures upon discovering security defects, vulnerabilities, or other risks in their products or services, or failing to promptly notify users and report to the relevant competent departments in accordance with applicable provisions;

  3. Ceasing to provide security maintenance for their products or services without authorization.

Where the conduct described in items 1 or 2 of the preceding paragraph causes the consequences prescribed in Article 61, paragraph 3, of this Law, penalties shall be imposed in accordance with that paragraph.

Article 63

Where Article 25 of this Law is violated by selling or providing critical network equipment or specialized cybersecurity products that have not undergone security certification or security testing, or that have failed to pass security certification or do not meet security testing requirements, the relevant competent department shall order the cessation of sales or provision, issue a warning, and confiscate unlawful gains; where there are no unlawful gains or the unlawful gains are less than RMB 100,000, a concurrent fine of not less than RMB 20,000 but not more than RMB 100,000 shall be imposed; where the unlawful gains are RMB 100,000 or more, a concurrent fine of not less than one time but not more than five times the unlawful gains shall be imposed; where the circumstances are serious, suspension of relevant business, suspension of operations for rectification, or revocation of relevant business permits or business licenses may additionally be ordered. Where laws or administrative regulations provide otherwise, those provisions shall prevail.

Article 64

Where a network operator violates Article 26, paragraph 1, of this Law by failing to require users to provide authentic identity information, or by providing relevant services to users who do not provide authentic identity information, the relevant competent department shall order corrections; where corrections are refused or the circumstances are serious, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and the operator may additionally be ordered to suspend relevant business, suspend operations for rectification, close websites or applications, or have relevant business permits or business licenses revoked; the directly responsible person(s) in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Article 65

Where Article 28 of this Law is violated by conducting cybersecurity certification, testing, risk assessment, or other such activities, or by publicly releasing cybersecurity information such as system vulnerabilities, computer viruses, network attacks, or network intrusions, the relevant competent department shall order corrections and issue a warning, and may impose a fine of not less than RMB 10,000 but not more than RMB 100,000; where corrections are refused or the circumstances are serious, a fine of not less than RMB 100,000 but not more than RMB 1,000,000 shall be imposed, and the violator may additionally be ordered to suspend relevant business, suspend operations for rectification, close websites or applications, or have relevant business permits or business licenses revoked; the directly responsible person(s) in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Where the conduct described in the preceding paragraph causes the consequences prescribed in Article 61, paragraph 3, of this Law, penalties shall be imposed in accordance with that paragraph.

Article 66

Where Article 29 of this Law is violated by engaging in activities endangering cybersecurity, or by providing programs or tools specifically designed for activities endangering cybersecurity, or by providing others with technical support, advertising, promotion, payment settlement, or other assistance for activities endangering cybersecurity, and the violation does not constitute a crime, the public security organs shall confiscate unlawful gains and impose detention of not more than five days, and may concurrently impose a fine of not less than RMB 50,000 but not more than RMB 500,000; where the circumstances are relatively serious, detention of not less than five days but not more than fifteen days shall be imposed, and a concurrent fine of not less than RMB 100,000 but not more than RMB 1,000,000 may be imposed.

Where a work unit engages in the conduct described in the preceding paragraph, the public security organs shall confiscate unlawful gains and impose a fine of not less than RMB 100,000 but not more than RMB 1,000,000, and the directly responsible person(s) in charge and other directly responsible personnel shall be punished in accordance with the preceding paragraph.

Persons who violate Article 29 of this Law and are subject to public security administrative sanctions shall be prohibited from engaging in cybersecurity management and key positions in network operations for a period of five years; persons who are subject to criminal penalties shall be permanently prohibited from engaging in cybersecurity management and key positions in network operations.

Article 67

Where an operator of critical information infrastructure violates Article 37 of this Law by using network products or services that have not undergone a security review or that have failed to pass a security review, the relevant competent department shall order corrections within a specified time limit, order cessation of use, and order the elimination of the impact on national security; a fine of not less than one time but not more than ten times the procurement amount shall be imposed; the directly responsible person(s) in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000.

Article 68

Where Article 48 of this Law is violated by establishing websites or communications groups for the purpose of carrying out illegal or criminal activities, or by using networks to publish information relating to carrying out illegal or criminal activities, and the violation does not constitute a crime, the public security organs shall impose detention of not more than five days, and may concurrently impose a fine of not less than RMB 10,000 but not more than RMB 100,000; where the circumstances are relatively serious, detention of not less than five days but not more than fifteen days shall be imposed, and a concurrent fine of not less than RMB 50,000 but not more than RMB 500,000 may be imposed. Websites and communications groups established for the purpose of carrying out illegal or criminal activities shall be closed.

Where a work unit engages in the conduct described in the preceding paragraph, the public security organs shall impose a fine of not less than RMB 100,000 but not more than RMB 500,000, and the directly responsible person(s) in charge and other directly responsible personnel shall be punished in accordance with the preceding paragraph.

Article 69

Where a network operator violates Article 49 of this Law by failing to cease the transmission of information the publication or transmission of which is prohibited by laws or administrative regulations, failing to take remedial measures such as deletion, failing to retain relevant records, or failing to report to the relevant competent departments, or where a network operator violates Article 52 of this Law by failing to cease the transmission of information the publication or transmission of which is prohibited by laws or administrative regulations as required by the relevant departments, failing to take remedial measures such as deletion, or failing to retain relevant records, the relevant competent department shall order corrections, issue a warning and public notice, and may impose a fine of not less than RMB 50,000 but not more than RMB 500,000; where corrections are refused or the circumstances are serious, a fine of not less than RMB 500,000 but not more than RMB 2,000,000 shall be imposed, and the violator may additionally be ordered to suspend relevant business, suspend operations for rectification, close websites or applications, or have relevant business permits or business licenses revoked; the directly responsible person(s) in charge and other directly responsible personnel shall be fined not less than RMB 50,000 but not more than RMB 200,000.

Where the conduct described in the preceding paragraph results in an especially serious impact or especially serious consequences, the relevant competent department shall impose a fine of not less than RMB 2,000,000 but not more than RMB 10,000,000, order the suspension of relevant business, suspension of operations for rectification, closure of websites or applications, or revocation of relevant business permits or business licenses, and impose fines of not less than RMB 200,000 but not more than RMB 1,000,000 on the directly responsible person(s) in charge and other directly responsible personnel.

Where an electronic information transmission service provider or an application software download service provider fails to fulfill the security management obligations prescribed in Article 50, paragraph 2, of this Law, penalties shall be imposed in accordance with the preceding two paragraphs.

Article 70

Where a network operator violates the provisions of this Law and engages in any of the following conduct, the relevant competent department shall order corrections; where corrections are refused or the circumstances are serious, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and the directly responsible person(s) in charge and other directly responsible personnel shall be fined not less than RMB 10,000 but not more than RMB 100,000:

  1. Refusing or obstructing the supervision and inspections lawfully conducted by relevant departments;

  2. Refusing to provide technical support and assistance to public security organs or state security organs.

Article 71

Where any of the following conduct is committed, it shall be handled and punished in accordance with relevant laws and administrative regulations:

  1. Publishing or transmitting information the publication or transmission of which is prohibited under Article 13, paragraph 2, of this Law and other laws and administrative regulations;

  2. Violating the provisions of Article 24, paragraph 3, and Articles 43 through 45 of this Law by infringing upon personal information rights and interests;

  3. Violating Article 39 of this Law by an operator of critical information infrastructure storing personal information and important data outside the territory of China, or providing personal information and important data to parties outside the territory of China.

Where Article 46 of this Law is violated by stealing or otherwise illegally obtaining personal information, or illegally selling or illegally providing personal information to others, and the violation does not constitute a crime, the public security organs shall impose penalties in accordance with relevant laws and administrative regulations.

Article 72

Where there is conduct in violation of the provisions of this Law, it shall be recorded in credit archives and made public in accordance with relevant laws and administrative regulations.

Article 73

Where the provisions of this Law are violated, but circumstances exist for lighter punishment, mitigated punishment, or waiver of punishment as prescribed in the Administrative Penalty Law of the People's Republic of China, lighter punishment, mitigated punishment, or waiver of punishment shall be applied in accordance with those provisions.

Article 74

Where operators of government affairs networks of state organs fail to fulfill the cybersecurity protection obligations prescribed by this Law, the organ at the next higher level or the relevant organ shall order corrections; the directly responsible person(s) in charge and other directly responsible personnel shall be given sanctions in accordance with law.

Article 75

Where cyberspace authorities and relevant departments violate Article 32 of this Law by using information obtained in the course of fulfilling their cybersecurity protection duties for other purposes, the directly responsible person(s) in charge and other directly responsible personnel shall be given sanctions in accordance with law.

Where personnel of cyberspace authorities and relevant departments are derelict in their duties, abuse their authority, or practice favoritism and engage in malpractice, and the violation does not constitute a crime, sanctions shall be given in accordance with law.

Article 76

Where a violation of the provisions of this Law causes harm to another person, civil liability shall be borne in accordance with law.

Where a violation of the provisions of this Law constitutes a violation of public security administration, public security administrative penalties shall be imposed in accordance with law; where it constitutes a crime, criminal liability shall be pursued in accordance with law.

Article 77

Where overseas institutions, organizations, or individuals engage in activities that endanger the cybersecurity of the People's Republic of China, legal liability shall be pursued in accordance with law; where serious consequences are caused, the public security department under the State Council and the relevant departments may also decide to freeze the assets of, or adopt other necessary sanctions against, such institutions, organizations, or individuals.


Chapter VII — Supplementary Provisions

Article 78

The following terms used in this Law shall have the meanings set forth below:

  1. "Network" refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information in accordance with certain rules and procedures.

  2. "Cybersecurity" refers to the ability to prevent attacks, intrusions, interference, destruction, and unauthorized use of networks, as well as accidental incidents, through the adoption of necessary measures, so as to maintain the network in a state of stable and reliable operation and to ensure the integrity, confidentiality, and availability of network data.

  3. "Network operator" refers to the owner or administrator of a network and a network service provider.

  4. "Network data" refers to various types of electronic data collected, stored, transmitted, processed, and generated through networks.

  5. "Personal information" refers to various types of information recorded electronically or by other means that, alone or in combination with other information, can identify the personal identity of a natural person, including but not limited to the natural person's name, date of birth, identification document number, personal biometric information, address, telephone number, and similar information.

Article 79

The operational security protection of networks that store or process information involving state secrets shall, in addition to complying with this Law, comply with the provisions of laws and administrative regulations on the protection of state secrets.

Article 80

The security protection of military networks shall be separately prescribed by the Central Military Commission.

Article 81

This Law shall take effect on June 1, 2017.

2026 © Denis Shushin.
