I. Amendments to the Cybersecurity Law
Since its implementation on 1 June 2017, the Cybersecurity Law (CSL)[1] has functioned as the foundational legal instrument governing China’s cybersecurity regime. Over the past three years, the Cyberspace Administration of China (CAC) has conducted two rounds of public consultation on proposed amendments, in response to the rapid emergence of new technologies, particularly artificial intelligence, and the new regulatory requirements and risk scenarios they bring. On October 28, 2025, the Standing Committee of the 14th National People’s Congress adopted the Decision on Amending the Cybersecurity Law of the People’s Republic of China (the Amendments)[2]. The revised law was set to take effect on January 1, 2026.
The Amendments aim to strengthen legal responsibilities, increase penalties for cybersecurity violations, and achieve substantive coordination with the Data Security Law (DSL), the Personal Information Protection Law (PIPL), and the Administrative Penalty Law (APL) while also addressing emerging issues, including artificial intelligence governance and supply chain cybersecurity risks. Following are the key changes:
1. Artificial Intelligence Governance
The Amendments introduce a new Article 20 dedicated to artificial intelligence governance, underscoring the legislature’s forward-looking regulatory stance. The provision recognizes the importance of foundational research and core algorithmic capabilities, and promotes the construction of AI-related infrastructures, including access to training datasets and computing power. By emphasizing the need to improve ethical governance frameworks and enhance risk monitoring and security regulations, the Amendments elevate training data to a key regulatory concern in AI development. Regulators have already begun implementing supervisory mechanisms for AI technologies, including algorithmic security assessments, filing requirements for generative AI models and mandatory labelling of AI-generated content.
2. Alignment with Other Data Legislation
In relation to personal information protection, the amended Article 42 clarifies that network operators that process personal information shall also comply with the Civil Code and PIPL, as well as any other applicable laws and administrative regulations. This positions the Cybersecurity Law as a foundational framework that supports and coordinates the broader personal information protection regime.
With respect to Important Data, the Amendments incorporate obligations set out in DSL. The amended Article 71 reiterates that Critical Information Infrastructure Operators (CIIOs) shall store Important Data within China. For other data processors that are formally notified of processing Important Data, outbound data transfers shall undergo security assessments within two months of notification.
3. Enhanced Responsibilities of CIIOs
The amended Article 67 reinforces the cybersecurity responsibilities of CIIOs by strengthening procurement oversight for network products and services. In addition to the existing requirement to evaluate potential national security risks before deploying such products or services, the Amendments impose an obligation to rectify violations within a prescribed time period and eliminate security risks. This reflects an increasingly supply-chain-oriented approach to cybersecurity supervision, and signals heightened regulatory expectations for enterprises operating within critical infrastructure ecosystems.
4. A More Elaborate Administrative Penalty Framework
The amended Article 69 expands the scope of individual accountability, by extending liability beyond directly responsible managers to include other responsible personnel, such as security and technical staff, embedding cybersecurity obligations into enterprise-wide compliance systems.
The Amendments introduce a new Article 73 that incorporates mitigating mechanisms consistent with APL, enabling enforcement regulators to reduce or waive penalties where organizations proactively remedy harm, are coerced into violations, contribute materially to investigations, or commit minor first-time misconduct.
Article 67 has also been refined to address penalties for CIIOs that deploy network products or services which have not undergone or have failed cybersecurity review, expressly requiring rectification and the removal of national security risks.
For violations where network operators fail to perform their security protection obligations, the amended law significantly increases the penalties by introducing a three-tier regime—ordinary cases, cases resulting in serious consequences, and cases resulting in especially serious consequences. The maximum fine has been increased to RMB 10 million for business entities; for directly responsible persons in charge and other responsible personnel, the maximum fine has also been raised from RMB 100,000 to RMB 1 million.
5. Expanded Extraterritorial Reach
The revised Article 77 broadens the extraterritorial applicability of the CSL by lowering the enforcement threshold against foreign entities. Previously, enforcement required proof of serious consequences arising from acts that endangered the security of critical information infrastructure. Under the revised Article 77, liability now attaches to any activity that endangers China’s cybersecurity, making it easier for authorities to initiate cross-border enforcement. Where serious harm occurs, enforcement regulators may impose punitive measures such as the freezing of assets.
II. CAC’s Q&As on Security Management of Outbound Data Transfer
To strengthen policy outreach and compliance support for data export security management, in May 2025 the CAC published Q&As to help data handlers conduct cross-border data transfers efficiently and in compliance.[3]
Regarding the identification and filing (申报) of Important Data, the CAC notes that the national data security coordination mechanism coordinates the relevant authorities in developing Important Data catalogues, while local governments and sector regulators determine the specific Important Data lists applicable to their regions, industries and fields under the data classification and grading system, and apply enhanced protection to the data included in those lists.
Under the Regulation on Network Data Security Management (Article 29)[4], network data handlers must identify and file Important Data in accordance with the national requirements; for data confirmed as Important Data, the relevant authorities should notify the data handler or publish the designation.
In practice, regulators are issuing industry-specific standards and rules on data classification and grading and on Important Data identification and filing (some have already been published in sectors such as industry, telecom, natural resources and statistics), and may also communicate requirements through meetings, written notices or direct notifications. Data handlers should follow the applicable standards, rules and regulatory requirements to complete identification and filing in a timely manner.
Importantly, the CAC indicates that where no sector/field standards or filing rules have been issued and the data handler has not been notified by the competent authorities that it must identify or file Important Data, the handler’s failure to identify or file and apply enhanced protection will not be treated as a violation of Important Data protection requirements and, on that basis alone, will not trigger administrative penalties.
Regarding cross-border transfers of Important Data, the CAC explains that when Important Data collected or generated in China needs to be provided overseas, the data handler must pass a CAC-organized data export security assessment, as required under the Cybersecurity Law (Article 37), the Data Security Law (Article 31), the Regulation on Network Data Security Management (Article 37) and related rules including the Measures for Security Assessment of Data Exports and the Provisions on Promoting and Regulating Cross-border Data Flows (‘the CBDT Promoting Provisions’). The filing process should follow the CAC’s published Security Assessment Application Guidelines.
Important Data may be exported if the security assessment concludes that the export will not endanger national security or public interest.
The CAC further indicates that if a data handler has not been notified and the data has not been publicly designated as Important Data, the handler generally does not need to apply for a security assessment as an ‘Important Data’ export, and the transfer will not be treated as an illegal export of Important Data or be penalized on that basis. Once the data handler is notified or the data is publicly designated as Important Data, if the handler needs to continue exporting such data, it must apply for a data export security assessment within two months via the provincial CAC office where it is located, and then conduct the cross-border transfer in accordance with the assessment result.
III. Important Data in the Industrial Sector
In 2025, three industry standards were developed to strengthen the identification and protection of Important Data in the industrial sector:
The Guidelines for Identifying Important Data in the Industrial Sector (YD/T 4981-2024) (the Guidelines)[5], which set out the principles, procedures and dimensions for identifying Important Data, and provide a practical framework for data classification and grading.
The Data Security Protection Requirements for Industrial Enterprises (YD/T 4982-2024)[6], which provide foundational and lifecycle-based security protection requirements, guiding enterprises to establish robust protection systems.
The Specifications for Data Security Risk Assessment in the Industrial Sector (YD/T 6415-2025)[7], which set forth the principles, procedures and methodologies for conducting risk assessments, covering activities involving Important and Core Data.
Together, these three industry standards establish a full-chain regulatory framework of identification-protection-assessment, providing the foundations for data security compliance in industrial enterprises.
As the baseline standard for industrial data classification and grading, the Guidelines apply across the entire industry and the full data lifecycle. They cover 20 industrial sectors: steel, nonferrous metals, rare earths, petrochemicals, chemicals, building materials, automotive, general machinery, special machinery, civil aviation, civil shipbuilding, light industry, textiles, home appliances, food, pharmaceuticals, electronics, civil explosives, energy conservation and software and IT services. The scope extends beyond production data to all data generated or collected throughout the industrial data lifecycle, including data from research and development, design, manufacturing, operations management, platform operations and application services.
The Guidelines establish a closed-loop process for Important Data identification, comprising sorting, identification, internal approval and regulatory filing. Data asset sorting requires cross-functional coordination among R&D, production and operations teams to inventory and classify all data assets and produce a baseline asset list tailored to the enterprise’s operations. Important Data identification then screens the classified data against the criteria set out in the Guidelines to generate a preliminary list of Important Data. Internal approval involves multi-level review by the relevant business, security and legal functions to validate the preliminary list. Regulatory filing requires submission of the finalized Important Data list to the competent authority, with any material changes to the list promptly updated and re-filed, thereby enabling dynamic and ongoing oversight.
The Guidelines also set out multi-dimensional criteria for identifying Important Data. Data that falls within any of the following dimensions should be treated as Important Data. The national secrets dimension covers data directly involving state secrets, as well as original non-classified data used to generate classified materials, reflecting the need to safeguard national security interests. The national security dimension includes data relevant to economic security, technological security, cybersecurity and AI security, which is consistent with China’s holistic national security approach. The industry development security dimension captures core data linked to industrial competitiveness, supply chain security, economic operations, production safety and green development—for example, key process parameters in the chemical industry or core supply chain node data in the automotive sector. The export-controlled items cover core technologies, design documents, production processes, methods and source code relating to export-controlled industrial products, aligning with export control and trade security requirements. The Guidelines also provide industry-specific criteria tailored to individual subsectors.
The Guidelines further emphasize that industrial data processors need, in parallel, to conduct the identification and reporting of personal information involving over 10 million individuals, in accordance with the Regulations on the Administration of Network Data Security, ensuring the coordinated governance of Important Data and large-scale personal information.
As these legal reforms take effect, proactive legal assessments and timely policy adjustments will be essential for maintaining alignment with China’s developing data regulations. By prioritizing these actions, multinational corporations can effectively manage the regulatory requirements while preserving business flexibility.
IV. The Regulations on the Administration of Network Data Security
The Regulations on the Administration of Network Data Security were issued in September 2024 and took effect on 1 January 2025.[8] They supplement and operationalize key obligations under the CSL, DSL and PIPL. The Regulations apply to network data processing activities conducted within the PRC, and also to certain activities conducted outside the PRC where such activities harm (or may harm) PRC national security, the public interest, or the lawful rights and interests of PRC individuals or organizations. For example, they cover certain offshore personal information processing activities where the purpose is to provide products or services to individuals in the PRC or to monitor the behavior of individuals in the PRC.
The Regulations require network data handlers to establish and maintain incident response plans for network data security incidents. If an incident occurs, the handler must immediately activate the plan, take measures to prevent escalation, remediate security risks, and report to the relevant competent authorities in accordance with applicable requirements.
Where a network data handler provides personal information or Important Data to another network data handler, or entrusts another network data handler to process such data, the parties must document the processing purpose, method, and scope and the relevant data security obligations through a contract or similar arrangement.
The transferring/entrusting party must also supervise the recipient’s performance of its obligations. Records of the provision of, or entrusted processing of, personal information and Important Data must be retained for at least three years.
The Regulations also address offshore data handlers. Where an overseas network data handler processes the personal information of individuals in the PRC and is required under Article 53 of the PIPL to establish a dedicated entity in the PRC or appoint a PRC representative, it must submit the relevant entity/representative’s name and contact details (and other required information) to the local CAC office at the prefecture-city level. The CAC office must promptly notify other competent authorities at the same level.
In addition, a network data handler that processes the personal information of more than 10 million individuals must also comply with certain requirements that apply to Important Data handlers. In practice, this means that once the scale of personal information processing reaches this threshold, the handler may become subject to additional compliance obligations that are similar to those imposed on handlers of Important Data.
For handlers of Important Data, the Regulations impose enhanced obligations. For example, before an Important Data handler provides, entrusts the processing of, or jointly processes Important Data with another party, it must conduct a risk self-assessment. The assessment should focus on the lawfulness, legitimacy, and necessity of the processing purpose/method/scope; risks of tampering, destruction, leakage, illegal acquisition, or illegal use and the potential impact on national security, the public interest, and the lawful rights and interests of individuals and organizations; the recipient’s integrity and compliance record; whether contractual security terms effectively bind the recipient; and whether the proposed technical and organizational measures are adequate.
For cross-border transfers, where Important Data collected and generated within the PRC truly needs to be provided overseas, the data handler must undergo the CAC-organized data export security assessment. However, if the handler has not been notified by the relevant authorities and the data has not been publicly designated as “Important Data”, the handler generally is not required to submit the data export security assessment treating such data as Important Data.
The Regulations also impose obligations on “network platform service providers”, including additional requirements for large platform operators (e.g., platforms with more than 50 million registered users or 10 million monthly active users).
For serious violations, the Regulations provide for penalties including fines of up to RMB 10 million for entities (and, in serious cases, potential revocation of the business license) and fines of up to RMB 1 million for directly responsible individuals. Where the same conduct also violates the CSL, DSL, and/or PIPL, enforcement authorities may impose penalties under those laws as well. The Regulations also contemplate a form of leniency, under which enforcement authorities may decide not to impose, or may reduce, penalties where the relevant party timely rectifies, takes effective remedial measures, and eliminates or mitigates the harmful consequences (subject to the authority’s discretion and the circumstances of the case).
V. Data Security in M&A Transactions
The updated data security regime also imposes more stringent regulatory obligations on M&A activities involving Important Data. Article 32 of the Regulations on the Administration of Network Data Security provides that if a handler of Important Data undergoes a merger, division, dissolution, bankruptcy or any other circumstance that may affect the security of Important Data, it must take measures to ensure the security of the network data and report to the relevant competent authority at or above the provincial level its disposal plan for the Important Data, as well as the name (or individual name) of the recipient and the recipient’s contact information. If the competent authority is unclear, the handler must report to the data security coordination mechanism at or above the provincial level.
Industry sources indicate that the CAC is currently formulating new rules to strengthen data security regulations in the context of M&A transactions, including requirements that may affect due diligence data access, cross-border data transfers and post-closing integration.
Data compliance due diligence has become an indispensable part of M&A transactions. Prospective buyers should confirm whether the target has properly classified and graded its data assets, particularly where it processes Important Data or sensitive personal information, and whether the required privacy impact assessments have been completed. Buyers should also review the legality of any cross-border data transfers, including whether the target has implemented the applicable transfer mechanisms (such as entering into and filing the standard contract, where required), and assess any existing compliance gaps or prior regulatory actions that could result in successor liability.
VI. Guidelines on Promoting Cross-Border Data Transfers in the Financial Sector
In April 2025, China’s central bank (People’s Bank of China or PBOC) and several regulators (including the National Financial Regulatory Administration (NFRA), the China Securities Regulatory Commission (CSRC), the State Administration of Foreign Exchange (SAFE), the CAC and the National Data Administration) jointly issued the Compliance Guidelines on Promoting and Regulating Cross-border Data Flows in the Financial Industry (the Financial Data CBDT Promoting Guidelines). The Financial Data CBDT Promoting Guidelines aim to clarify when financial-sector data may be transferred abroad, identify specific circumstances and data item lists that can be transferred, and require financial institutions to adopt appropriate managerial and technical safeguards to protect data security.
Operationally, the Guidelines categorize common financial business scenarios and align them with China’s 2024 CBDT Promoting Provisions on facilitating cross-border data flows. They identify 47 scenarios that may be exempt from certain cross-border transfer compliance requirements (such as applying for a CAC security assessment, signing a standard contract or obtaining certification, depending on the applicable mechanism). For scenarios that are not exempt but where there is a practical need to transfer data abroad, the Guidelines list an additional 61 common scenarios. Together, these 108 scenarios are presented as regulator-recognized situations where cross-border transfers may be necessary, intended to streamline or pre-organize the regulators’ review work and improve the efficiency of subsequent security assessment processes. The PBOC plans to update and refine the Guidelines based on implementation experience.
The Financial Data CBDT Promoting Guidelines have been circulated to financial institutions in China but have not been publicly promulgated yet.
VII. Representative Enforcement Cases Regarding Cross-Border Data Transfers
Recent enforcement activities demonstrate that cross-border data regulation has moved beyond conceptual rulemaking and into substantive operational oversight.
In May 2025, media outlets reported that French fashion brand Dior had suffered a data breach, and users in mainland China had received official SMS warning messages from Dior. In response, China’s public security bureau initiated an administrative investigation into Dior (Shanghai) over the personal data leakage.[9] In the investigation, the authorities found that Dior (Shanghai) had transferred personal information to Dior’s headquarters in France without completing the applicable cross-border transfer compliance mechanism (i.e., security assessment, standard contract or certification, as required). Dior (Shanghai) also failed to provide adequate notice to individuals regarding overseas processing and did not obtain the required separate consent. It did not implement adequate security safeguards, including encryption. Administrative penalties were imposed, and the matter is regarded as China’s first publicly reported penalty for the unlawful cross-border transfer of personal information. The case was also cited as a model enforcement matter in which the public security authority (i.e., the police) took action against a data handler for non-compliance with cross-border personal information transfer obligations.
This case is significant because it is a leading enforcement action against a multinational company in China relating to the cross-border transfer of a large volume of Chinese consumers’ personal information. It underscores that multinational companies operating in China must comply with the requirements under the PIPL and related data security laws, including completing the applicable cross-border data transfer (CBDT) mechanism (such as obtaining a CAC security assessment clearance or completing a standard contract filing, as required). The case serves as a warning for organizations that process large volumes of personal information—particularly consumer goods companies, financial institutions, cross-border payment providers, e-commerce businesses and other platform companies.
In another enforcement matter in Guiyang in September 2025,[10] the local CAC office conducted an enforcement interview with a company over a suspected abnormal cross-border data transmission. The authorities found that the company had not complied with China’s data export security management requirements and had not adequately completed the necessary security assessment and compliance review measures. Due to insufficient cybersecurity training and a lack of staff awareness, the company had enabled a ‘cloud data’ synchronization/storage function on equipment connected to the public internet via a public IP address, creating a security risk during data transmission and resulting in unauthorized outbound data flows. The company promptly disabled the relevant function, and the incident reportedly did not have serious consequences. The investigation also found that the company’s network device logs had been retained for less than six months, indicating inadequate performance of its cybersecurity responsibilities. The local CAC office issued an administrative warning and ordered rectification under the PRC Cybersecurity Law and Data Security Law.
The above enforcement cases illustrate the regulators’ increasing capability and willingness to take action against non-compliant CBDT involving personal information and other sensitive data. As China’s data security and privacy framework becomes more mature and enforcement authorities gain experience, we expect regulatory scrutiny and enforcement in this area to become more active in the coming years.
VIII. Conclusion
In sum, 2025 is a year in which China has continued to refine and complete its data security and privacy framework. With the core legislation and implementing rules largely in place, enforcement authorities are becoming increasingly active in enforcing China’s data security and personal information protection regime. Multinationals doing business in China should pay particular attention to the following areas.
First, companies should be prepared for regulatory scrutiny following any leakage of a large volume of Chinese individuals’ personal information, especially where the leaked data is transmitted or accessible offshore. We have seen multiple enforcement matters in which the public security authorities and the CAC identified overseas exposure of personal information and initiated investigations into PRC entities of multinational groups. In practice, leakage may occur due to basic security gaps—for example, legacy or unused devices connected to public networks without adequate protection. Multinationals should therefore identify and remediate potential security gaps and maintain a practical incident response plan covering emergency response, mitigation measures, and, where required, notifications to affected individuals and/or regulators.
Second, companies should remain cautious when dealing with “Important Data,” particularly in transactions involving government agencies or state-owned enterprises. Relevant data processing and commercial agreements should include appropriate contractual controls to mitigate the risk of inadvertently receiving, processing, or exporting Important Data or other sensitive data from counterparties. Multinationals operating in China should also closely monitor Important Data catalogues and related guidelines issued by local governments and industry regulators to assess whether any of their data may fall within the scope of Important Data and take actions accordingly.
Third, continued attention should be paid to cross-border data transfers. Following the CAC’s recent Q&As and ongoing regulatory developments, multinationals should reassess whether their cross-border data transfer activities comply with applicable requirements, including whether a CAC security assessment or standard contract filing is required. Even where formal mechanisms are not required, companies should still conduct a reasonable internal risk assessment covering the data to be exported, the rationale for the transfer, the associated risks, and the security measures in place.

For further information, please contact:
ZHOU, Ting (Kenneth), Partner, JunHe
Zhou_Kenneth@junhe.com
[1] http://www.npc.gov.cn/zgrdw/npc/xinwen/2016-11/07/content_2001605.htm
[2] http://www.npc.gov.cn/npc/c2/c30834/202510/t20251028_449048.html
[3] https://www.cac.gov.cn/2025-05/30/c_1750315283722063.htm
[4] https://www.gov.cn/zhengce/zhengceku/202409/content_6977767.htm
[5] https://std.samr.gov.cn/hb/search/stdHBDetailed?id=2F7B4471A6C6F3B1E06397BE0A0A6557
[6] https://hbba.sacinfo.org.cn/attachment/onlineRead/52b3104e401cf4087191c227716156e8b2e6a8e29586307e641fde428b6ec04f
[7] https://std.samr.gov.cn/hb/search/stdHBDetailed?id=3833D6BFC0C938C0E06397BE0A0A2BA5
[8] https://www.gov.cn/zhengce/zhengceku/202409/content_6977767.htm
[9] https://mp.weixin.qq.com/s/0NZ852z1Jo7w4HkYiGJgVg
[10] https://mp.weixin.qq.com/s?__biz=MzU1MzAzNzcwNw==&mid=2247500392&idx=1&sn=3536baedc85e86afd48634fb7eaa8443&scene=21&poc_token=HKoNLWmjLOvcyucCYpEY6Lc3FmoPz1695LKuLYHm