New Cybersecurity Law: Coordination and Upgrading of Liabilities

DAndreaPartners
2026-01-08

Keywords: China; Cybersecurity and Data Compliance; Artificial Intelligence and Information Technology







On October 28, 2025, the 18th Session of the Standing Committee of the 14th National People's Congress approved the Decision of the Standing Committee of the National People's Congress on Amending the Cybersecurity Law of the People's Republic of China. This amendment includes 14 provisions and aims to clarify cybersecurity's role within the broader context of national security, incorporate new technologies like artificial intelligence into the regulatory scope, and enhance the legal liability system.


The new law takes effect on January 1, 2026, signaling a new phase of more systematic and precise cybersecurity governance in China. This article outlines the key amendments and provides practical guidance for foreign companies operating in China.

I. Overview of the Amendments and Overall Impact Assessment

This amendment is the first major revision of the Cybersecurity Law since its implementation in 2017, aiming to address new security challenges arising from the rapid development of digital technologies.


The amended contents are mainly distributed across the chapters of General Provisions, Cybersecurity Support and Promotion, Cyber Operation Security, Cyber Information Security, and Legal Liability, among which the amendments to the "Legal Liability" section amount to as many as ten, highlighting the clear intention of the legislators to enhance regulatory effectiveness by strengthening legal consequences.


For foreign enterprises operating in China, this amendment does not create entirely new obligations but represents a deepening, refinement, and strengthening based on the existing regulatory framework. Its core impacts lie in: enhanced operability and predictability of legal rules, clearer layering and specificity of compliance requirements, and significantly increased certainty and severity of the costs of violations. Understanding these changes helps enterprises turn compliance pressure into an opportunity to improve governance and enhance risk management capabilities.

II. Inclusion of Artificial Intelligence within the Scope of Regulation

The new Cybersecurity Law adds Article 20, which provides: "The state supports the research and development of basic theories and key technologies such as algorithms for artificial intelligence, promotes the construction of infrastructure such as training data resources and computing power, improves ethical norms for artificial intelligence, strengthens risk monitoring and assessment, and security supervision, and promotes the application and healthy development of artificial intelligence. The state supports innovation in network security management methods, uses new technologies such as artificial intelligence, and enhances the level of network security protection."


This provision, for the first time at the legal level, explicitly defines artificial intelligence as an important component of digital infrastructure (including algorithms, training data resources, and computing power) and establishes a regulatory tone in which "encouraging innovation" and "regulated development" proceed in parallel. For enterprises that develop or apply AI technologies, this means embedding compliance design throughout the entire product lifecycle and establishing internal control mechanisms, particularly regarding algorithm transparency, data governance, ethical review, and continuous risk monitoring.


III. Significant Increase in Penalty Severity

Revised Article 61 integrates and upgrades former Articles 59 and 60 and sets out four levels of penalties based on the consequences of violations:


  • For general violations, a fine of between RMB 10,000 and RMB 50,000 shall be imposed;


  • For refusal to make corrections or where harmful consequences are caused, a fine between RMB 50,000 and RMB 500,000 shall be imposed, and the directly responsible persons shall be fined between RMB 10,000 and RMB 100,000;


  • Where serious harm is caused, a fine between RMB 500,000 and RMB 2 million shall be imposed, individuals shall be fined between RMB 50,000 and RMB 200,000, and suspension of relevant business, suspension for rectification, or revocation of permits or business licenses may also be ordered;


  • Where particularly serious harm is caused, a fine between RMB 2 million and RMB 10 million shall be imposed, individuals shall be fined between RMB 200,000 and RMB 1 million, and measures such as business suspension or revocation of certificates or licenses may likewise apply.


The revised provision comprehensively raises the upper limits of fines for acts such as network operators' failure to perform security protection obligations and violations by critical information infrastructure operators, and introduces a tiered penalty mechanism linked to the severity of the consequences of violations. This tiered design makes the boundaries of liability highly clear.

IV. Clearer Alignment of Rules

Another notable part of this amendment is the systematic strengthening of legal liabilities. It clearly aligns the rules of different laws through logical consolidation and connection, creating a more rigorous liability system.


The added paragraph in Article 42 provides: "When network operators handle personal information, they shall comply with this Law and the provisions of the Civil Code of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, and other laws and administrative regulations." This paragraph clarifies the alignment requirements between multiple laws relating to the handling of personal information and ensures the consistency of personal information rights protection. This requires enterprises to carry out integrated compliance management, and any data processing activities must meet multiple legal standards.


Under the overall tone of unifying personal information rights protection, the newly revised Cybersecurity Law merges former Articles 64, 66, and 70 into new Article 71 and provides in Paragraph 2 of this article that "where personal information rights are infringed, handling and punishment shall be carried out in accordance with the relevant laws and administrative regulations," thereby achieving seamless connection with the liability provisions of the Personal Information Protection Law and avoiding grey areas in the application of the law.


V. More Detailed Responsibilities for Critical Information Infrastructure Operators

Revised Article 67 amends former Article 65 to: Where a critical information infrastructure operator uses network products or services that have not undergone security review or have failed security review, the competent authorities shall order cessation of use and impose a fine of between one and ten times the procurement amount, and the directly responsible persons shall be fined between RMB 10,000 and RMB 100,000.


This amendment links the fine standards to the procurement amount, achieving alignment between liability and business scale. This means that enterprises, especially those that may be identified as critical information infrastructure operators, must treat cybersecurity review as a key component of supply chain management when procuring core network equipment or services. When selecting suppliers (especially cloud service providers), their security and compliance capabilities should be taken as important evaluation indicators, and relevant responsibilities should be clearly defined in contracts.

Conclusion

Overall, the amendments to the new Cybersecurity Law promote China's cybersecurity governance toward a more mature and refined stage by elevating strategic positioning, incorporating new technology regulation, and strengthening legal liabilities: emphasizing security while also encouraging development; clarifying responsibilities while also providing buffer mechanisms.


For foreign enterprises in China, this amendment is more a clarification of the legal framework than a tightening of the regulatory environment, representing the formation of a business environment with clearer rules and more predictable law enforcement. Enterprises need to maintain robust network and data governance capabilities, continuously monitor policy developments, and ensure the long-term, stable, and successful development of their business in China.

END


D'Andrea & Partners Legal Counsel will continue to provide information on investment in China. If you have any questions related to any business and legal information in general, feel free to contact us at info@dandreapartners.com.



D'Andrea & Partners Legal Counsel is a leading international law firm, with our European headquarters situated in Milan, Italy, and our Asia-Pacific headquarters based in Shanghai, China. Our firm has a strong presence across major cities in China, India, Italy, UAE, and Vietnam, as well as a Russian-speaking Desk. We are one of the very few international law firms in China duly authorized by the Ministry of Justice of the PRC to operate as a Representative Office of a foreign law firm in China.


Disclaimer

The above content is provided for informational purposes only. The provision of this article does not create an attorney-client relationship between D'Andrea & Partners and the reader and does not constitute legal advice. Legal advice must be tailored to the specific circumstances of each case, and the contents of this article are not a substitute for legal counsel. 







