Written by: Haim Ravia, Dotan Hammer
Chinese regulators have recently revised the country’s cybersecurity framework, reflecting a shift toward more proactive oversight in areas such as artificial intelligence (AI) safety and clearer requirements for infrastructure incident reporting. These updates may indicate key regulatory priorities for the year ahead.
The first change is a formal amendment to China’s foundational Cybersecurity Law (CSL), representing the first major update since its enactment in 2017. The amendments aim to align the law with newer legislation and tackle emerging risks, including those associated with AI and cross-border cyber threats. These significant changes are set to take effect on January 1, 2026. Key changes include:
- State Support for AI Development and Safety – The CSL now explicitly references AI, promoting research, data access, and ethical oversight while encouraging the use of AI in cybersecurity management.
- Personal Information Processing Compliance – Network operators must comply not only with the CSL but also with the Civil Code and the Personal Information Protection Law (PIPL) when processing personal data, clarifying the integrated nature of China’s data governance framework.
- Expanded Extraterritorial Reach – The CSL now covers cross-border cyber activities that endanger China’s network security, enabling authorities to impose sanctions such as freezing assets or other penalties.

In addition to the changes to the CSL, China’s new Administrative Measures for National Cybersecurity Incident Reporting will streamline and clarify incident reporting obligations. These measures will take effect on November 1, 2025, and will consolidate previously scattered requirements into a single framework, introducing clear thresholds, timelines, and procedures, particularly for incidents involving onshore infrastructure. Key changes include:
- Scope and Applicability – The measures apply to all network operators that build or operate networks in China or provide services through networks located in China, meaning breaches occurring outside of China will be out of scope.
- Severity Thresholds and Timelines – Incidents will have four levels of severity; those categorized as “relatively major” will require reporting within 4 hours.
- Reporting Channels and Enforcement – Multiple reporting channels are provided, which may assist with liability mitigation.