China’s regulatory framework for cybersecurity, data protection, and artificial intelligence has undergone its most significant update since the original Cybersecurity Law (CSL) took effect in 2017. Amendments to the CSL passed by the National People’s Congress Standing Committee on October 28, 2025, took effect on January 1, 2026, integrating AI governance obligations directly into foundational cybersecurity law, substantially increasing penalties, and extending the law’s extraterritorial reach to overseas organizations and individuals engaging in activities that harm China’s cybersecurity.

Concurrently, China’s State Council has placed a comprehensive set of new technology governance initiatives on its 2026 legislative agenda: new AI legislation, a cybercrime law, and updates to the classified protection of cybersecurity regulations. For multinational organizations operating in China or processing data related to Chinese residents, the legislative landscape is shifting rapidly on multiple fronts simultaneously.

This article addresses the CSL amendments currently in force, the pending 2026 legislative agenda items, and what compliance obligations these developments create for international organizations.


The Amended Cybersecurity Law: What Changed

China’s original Cybersecurity Law established the foundational framework for network operators, critical information infrastructure (CII) operators, and the state’s authority over data security and personal information within China. The 2026 amendments update that framework in four principal areas.

1. AI Governance Formally Written Into Cybersecurity Law

The most architecturally significant change in the 2026 CSL amendments is the explicit integration of AI governance obligations into the cybersecurity framework. For the first time, China’s foundational cybersecurity statute provides that the state will:

  • Support AI innovation and development
  • Promote the development of AI training data resources and computing infrastructure
  • Strengthen AI ethics regulation
  • Enhance AI risk assessment and security governance

This language may appear aspirational, but its inclusion in the CSL has concrete legal significance: it establishes the conceptual framework under which China’s AI governance requirements — currently distributed across separate regulations on algorithmic recommendation (effective 2022), deepfakes (effective 2022), generative AI (effective August 2023), and various sector-specific guidance documents — will be further developed and enforced.

The CSL amendments signal that China intends to treat AI governance as a cybersecurity matter, not merely a separate technology policy concern. This has organizational implications: compliance programs that treat Chinese AI regulation as separate from Chinese cybersecurity compliance will need to integrate the two.

2. Significantly Higher Penalties

The 2026 CSL amendments substantially increase the maximum penalties available to regulators, particularly for critical information infrastructure operators.

Under the original CSL, the maximum fine for serious violations by CII operators was generally capped at RMB 1 million. The 2026 amendments raise the maximum fine to RMB 10 million (approximately USD 1.4 million at current exchange rates) when violations by CII operators result in “especially grave” consequences. For acts that constitute crimes, the amendments provide for criminal liability in addition to administrative penalties.

The penalty structure for general network operators has also been updated, with higher base penalties and expanded personal liability for individuals directly responsible for violations. Senior executives and responsible individuals (a category that includes security officers and compliance personnel) can face personal fines and, in serious cases, prohibitions from holding security-responsible roles in the future.

The penalty increases bring China’s enforcement toolkit closer to the level of GDPR (which permits fines of up to 4% of global annual turnover) while maintaining the fixed-maximum structure that has characterized Chinese regulatory enforcement historically.

3. Expanded Extraterritorial Reach

The original CSL applied to activities within China and to activities by overseas actors that specifically targeted or harmed China’s critical information infrastructure. The 2026 amendments expand this reach to cover “overseas organisations and individuals engaging in activities that harm China’s cybersecurity” — a formulation that extends beyond CII targeting to cover broader categories of cyber harm.

The practical scope of this expansion is still being interpreted, but the direction is clear: China intends to assert regulatory jurisdiction over cybersecurity-relevant conduct by non-Chinese entities when that conduct harms Chinese cybersecurity interests. For multinational organizations, this creates exposure if their cybersecurity incidents involve Chinese resident data, Chinese operations, or conduct that China could characterize as harming its cybersecurity.

The extraterritoriality expansion is particularly relevant in the context of cross-border data transfers. China’s Personal Information Protection Law (PIPL, effective November 2021) already imposes strict requirements on cross-border transfers of personal information collected in China. The CSL amendments reinforce and extend those requirements to the security dimension.

4. Strengthened CII Protection Obligations

The 2026 amendments update the obligations of critical information infrastructure operators, who face the highest compliance requirements under China’s cybersecurity framework. CII operators in sectors designated by the State Council — which include energy, transportation, water, finance, public services, and others — must comply with:

  • Enhanced security assessment requirements before any procurement of network products or services
  • Mandatory real-name authentication for certain network services
  • Expanded incident reporting obligations to regulatory authorities
  • Data localization requirements (data generated in China must be stored in China unless a security assessment has been completed and approved for cross-border transfer)

The CII sector designations and specific operational requirements are implemented through sector-specific regulations issued by sectoral regulators (the National Energy Administration for energy, CSRC for financial markets, etc.) in coordination with the Cyberspace Administration of China (CAC). Multinational organizations that qualify as CII operators in any designated sector face the most demanding compliance requirements.


The 2026 State Council Legislative Agenda

Beyond the CSL amendments already in force, China’s State Council published its 2026 legislative agenda identifying several additional technology governance priorities.

New Comprehensive AI Legislation

China’s current AI governance framework is distributed across sector-specific and application-specific regulations. The State Council’s 2026 agenda includes the development of comprehensive AI legislation — a law or regulations that would consolidate and expand China’s AI governance requirements into a unified framework.

The anticipated scope of comprehensive AI legislation includes:

  • Data and computing infrastructure governance: Regulations on AI training data quality, data provenance, and the computing infrastructure used for AI model development
  • Algorithm governance: Building on the 2022 algorithm recommendation regulations to address a broader range of AI decision-making contexts
  • AI ethics: Formalization of AI ethics requirements, potentially including human oversight mandates for high-risk AI applications
  • Risk assessment: Expanded security and risk assessment requirements for AI systems deployed in specified sectors or for specified use cases

For multinational organizations deploying AI systems in China, comprehensive AI legislation would create new compliance obligations — including potentially registration, security assessment, and disclosure requirements for AI products used in Chinese markets. The trajectory of Chinese AI regulation since 2022 suggests these requirements will be specific and operational, not merely aspirational.

Cybercrime Law

The State Council’s 2026 agenda includes preparation of a draft law on combating cybercrime for submission to the National People’s Congress. Chinese cybercrime law is currently addressed through the Criminal Law (as amended), the 2017 CSL, and various interpretations by the Supreme People’s Court. A dedicated cybercrime law would consolidate these provisions and likely expand the range of covered conduct and available penalties.

For multinational organizations, cybercrime law developments are relevant in two directions: as compliance obligations (what conduct by employees or contractors in China could constitute cybercrime), and as legal tools (whether Chinese cybercrime law provides remedies for cyberattacks originating in or affecting China).

Updated Classified Protection Regulations (ML-PS 2.0)

China’s Multi-Level Protection Scheme (MLPS, also referred to as Classified Protection or ML-PS) is the framework under which organizations are required to assess, classify, and secure their information systems according to a five-level classification scheme, with higher-classified systems subject to more demanding security requirements. The 2026 legislative agenda includes updates to the MLPS regulations — sometimes referred to as ML-PS 2.0 developments — to address cloud computing, AI, and big data environments that were not fully addressed in the original 2019 MLPS 2.0 regulations.

Organizations operating networks or information systems in China that are in scope for MLPS (which includes most commercial and government entities with significant network operations) should monitor these updates closely, as they may trigger new assessment and implementation obligations.


China’s Data Governance Ecosystem: The Overlapping Frameworks

Understanding China’s cybersecurity and AI governance amendments requires understanding how the CSL fits within a broader ecosystem of overlapping regulations:

Cybersecurity Law (CSL, 2017, amended 2026): Network operators, CII operators, general cybersecurity obligations, data storage and cross-border transfer (for general personal information)

Data Security Law (DSL, 2021): Applies to all data processing activities in China; data classification and grading requirements; important data governance; cross-border transfer of important data

Personal Information Protection Law (PIPL, 2021): Comprehensive privacy regulation for personal information of individuals in China; legal basis for processing; data subject rights; cross-border transfer requirements; extraterritorial application to overseas processing of Chinese residents’ personal information

Algorithm Recommendation Regulations (2022): Obligations for operators providing algorithmic recommendation services, including transparency, user rights to opt out of recommendation, and labeling requirements

Deepfake Regulations (2022): Requirements for deep synthesis technology providers, including content labeling and content moderation obligations

Generative AI Regulations (2023): Registration requirements, content security assessments, and transparency obligations for providers of generative AI services to the Chinese public

Forthcoming Comprehensive AI Legislation: Anticipated to consolidate and expand requirements across these existing AI-specific regulations

For multinational organizations operating across this regulatory landscape, the compliance challenge is not any individual regulation but the interactions among them — particularly the cross-border transfer requirements, which appear in different forms across the CSL, DSL, and PIPL, with partially overlapping scope and partially different requirements.


Implications for Multinational Organizations

Organizations With China Operations

For organizations with legal entities, employees, or network operations in China:

Assess CII status. Determine whether your China operations could be classified as critical information infrastructure in any of the designated sectors. CII status triggers the most demanding obligations under the amended CSL, including the highest penalty tier.

Audit cross-border data transfer compliance. The CSL amendments reinforce the existing framework under which personal information and important data collected or generated in China generally must be stored in China and may only be transferred abroad after completing a security assessment (for CII operators and for transfers exceeding specified thresholds), a personal information protection certification, or a standard contract approved by the CAC.

Review AI deployment in China. If you operate AI systems in China — whether customer-facing recommendation systems, generative AI features, or internal business automation — assess current compliance with existing AI regulations and begin monitoring the development of comprehensive AI legislation.

Update MLPS assessments. If your China network operations are subject to MLPS classification requirements, verify that current assessments reflect the updated regulatory environment and that implementation status matches classification requirements.

Organizations Processing Chinese Resident Data From Outside China

PIPL and the CSL amendments together create a framework under which overseas organizations that process the personal information of Chinese residents in connection with providing products or services, or analyzing or evaluating Chinese resident behavior, are subject to Chinese data protection requirements even without a physical presence in China. The 2026 CSL amendments’ expanded extraterritorial provisions reinforce this framework.

Organizations in this category should assess:

  • Whether their processing activities are subject to PIPL jurisdiction
  • Whether they have designated a representative or established a specialized organization in China as required for certain overseas processors
  • Whether their cross-border transfer mechanisms for data received from Chinese users comply with applicable requirements

Conclusion

The 2026 amendments to China’s Cybersecurity Law represent the most significant update to China’s foundational cybersecurity framework since the original law took effect in 2017. The integration of AI governance into the CSL, the substantial increase in penalties for CII operators, and the expansion of extraterritorial jurisdiction are structural changes that require compliance programs to be updated — not just monitored.

China’s 2026 State Council legislative agenda — comprehensive AI legislation, a cybercrime law, and updated classified protection regulations — signals that the pace of regulatory development in this space will continue. Organizations operating in or with China should treat Chinese cybersecurity and AI compliance as a priority area for 2026 and beyond, not a peripheral concern.

For multinationals navigating both Chinese regulatory requirements and European or U.S. frameworks, the overlapping and sometimes conflicting requirements — particularly around cross-border data transfers — require legal analysis tailored to specific operational facts. The stakes of non-compliance are rising on all sides.


This article is provided for informational purposes only and does not constitute legal advice. Organizations with specific questions about Chinese cybersecurity law compliance or multinational data governance should consult qualified legal counsel with expertise in Chinese law.