As the digital tide surges forward, cybersecurity defenses must remain rock-solid.
On January 1, 2026, the newly revised Cybersecurity Law of the People’s Republic of China officially came into effect. This marks the first major revision since the law’s initial implementation in 2017, signaling a new phase in China’s cybersecurity governance framework.
This revision focuses on frontier areas such as artificial intelligence governance, enhanced legal liabilities, and cross-border data regulation, placing significantly higher demands on enterprises’ cybersecurity capabilities. Under the new regulatory environment, data protection is evolving from traditional “backup and recovery” toward comprehensive data resilience—the core safeguard for stable enterprise development in the intelligent era.
Key Changes in the New Cybersecurity Law
This revision is not a minor adjustment, but a systematic enhancement of the cybersecurity legal framework based on the holistic national security concept. Its core changes are reflected in three key pillars:
Fundamental Principles and Strategic Elevation
Article 3 of the revised law explicitly establishes upholding the leadership of the Communist Party of China and implementing the holistic national security concept as the fundamental principles of cybersecurity work. It also introduces, for the first time at the legal level, the strategic objective of advancing China’s development into a cyber powerhouse. This elevates cybersecurity to a higher strategic position within national development, emphasizing the coordinated advancement of development and security.
Forward-Looking AI Governance Framework
The newly added Article 20 represents a forward-looking legislative response to the development and security of artificial intelligence. It supports fundamental AI research, algorithm development, and infrastructure construction, while requiring the improvement of AI ethics frameworks, enhanced risk monitoring, assessment, and security supervision. This provides a higher-level legal basis for the healthy development of AI and future specialized legislation, reflecting a philosophy of “regulating through development and developing through regulation.”
Comprehensive Upgrade of Liability and Legal Coordination
A core focus of the revision is the establishment of a more deterrent and systematic liability regime, while strengthening alignment with the Data Security Law and the Personal Information Protection Law.
- Unprecedented Penalties: Fines have been significantly increased. For violations causing particularly severe consequences, such as the loss of core functions of critical information infrastructure, penalties may reach up to RMB 10 million, with substantial fines imposed on directly responsible individuals. This implements a “dual-penalty” mechanism that extends accountability to individuals.
- Tiered Penalties and Precise Regulation: A refined, tiered penalty framework has been introduced based on operator type (general network operators vs. critical information infrastructure operators) and the severity of violations, reflecting a precise, classified governance approach.
- Strengthened Supply Chain Accountability: Explicit penalties have been added for selling or providing key network equipment or cybersecurity products that have not passed required security certification or testing, reinforcing supply chain security.
- Expanded Extraterritorial Applicability: Article 77 expands jurisdiction from acts that “harm critical information infrastructure” to acts that “endanger the cybersecurity of the People’s Republic of China,” removing the prerequisite of “serious consequences” and significantly strengthening legal deterrence against overseas threats.
Enterprise Compliance Risk Analysis
From “Passive Compliance” to “Proactive Immunity”
With the implementation of the new law, enterprises face multi-dimensional compliance challenges and should pay close attention to the following risk areas:
Risks in AI Applications
The law requires AI product development and deployment to follow the principle of “security and ethics by design.” Enterprises must build controllable, trustworthy, and auditable technical systems from the outset, ensuring training data security and algorithm transparency to avoid data leakage or ethical risks arising from AI applications.
Heightened Data Security Responsibilities
Personal information protection requirements have been strengthened, explicitly requiring network operators to comply with laws such as the Civil Code and the Personal Information Protection Law. For example, if an employee uploads spreadsheets containing personal data to public AI tools, the enterprise may face fines ranging from RMB 500,000 to 2 million, while directly responsible individuals may face fines of RMB 50,000 to 200,000.
Upgraded Protection for Critical Information Infrastructure
Articles such as Article 67 further clarify responsibility standards and align with the Regulations on the Security Protection of Critical Information Infrastructure. Operators are required to implement disaster recovery backups for key systems and databases and conduct regular emergency drills. Using network products or services that have not passed security reviews may result in fines ranging from one to ten times the procurement amount.
Reinforced Network Equipment Supply Chain Security
New penalty provisions target the sale or provision of uncertified or non-compliant key network equipment and cybersecurity products. In severe cases, relevant business licenses or operating permits may be revoked.
Info2soft Compliance Enablement
Empowering Enterprises to Build a Data Resilience Foundation
In response to the stringent requirements of the revised Cybersecurity Law, Info2soft, a leading provider of data replication and disaster recovery solutions, has proactively developed an AI-driven data resilience foundation platform. By integrating intelligent technologies throughout the data protection lifecycle, Info2soft helps government and enterprise users address increasingly complex cybersecurity challenges.
AI-Driven Intelligent Security Protection
Leveraging artificial intelligence for real-time threat monitoring and early warning, Info2soft delivers microsecond-level data recovery precision and second-level business failover, meeting regulatory requirements for rapid cybersecurity incident response.
Dedicated Protection for Critical Information Infrastructure
For key sectors such as finance, energy, and transportation, Info2soft provides tailored data protection solutions. Through multi-layered, multi-granularity data replication and disaster recovery technologies, critical business systems can be rapidly restored after cyberattacks, minimizing business disruption.
Compliance Assurance for Cross-Border Data Flows
For enterprises expanding globally, Info2soft offers cross-border data transmission solutions aligned with regulatory requirements. Through encryption, access control, and other technical safeguards, enterprises can ensure compliant cross-border data transfers while supporting international operations.
The revised Cybersecurity Law defines the security baseline for the intelligent era, and data resilience will serve as the solid foundation upon which enterprises can innovate with confidence. As a trusted partner in digital transformation, Info2soft will continue to help customers build future-ready security architectures—enabling sustained innovation and stable growth while maintaining full regulatory compliance.
