Cybersecurity Law Amended — New Rules Take Effect January 1, 2026

Cybersecurity Law amended — effective January 1, 2026

Key Points

What happened

On October 28, 2025, the 18th meeting of the Standing Committee of the 14th National People’s Congress (Shísì Jiè Quánguó Rénmín Dàibiǎo Dàhuì Chángwěihuì 第十四届全国人大常委会) voted to adopt amendments to the Cybersecurity Law (Wǎngluò Ānquán Fǎ 网络安全法).

The revised law will enter into force on January 1, 2026.

Why the change

The Cybersecurity Law first established in 2016 is the foundational statute for China’s cybersecurity regime.

The recent amendments are intended to adapt the law to new threats and technological developments.

The revisions also aim to clarify legal responsibilities for cybersecurity.

And the changes are designed to better coordinate the Cybersecurity Law with related legislation.

Key points in the amendment

The headline changes are concise and practical for companies, investors, researchers, and regulators to parse.

• Strengthened legal responsibility: The updated law clarifies and tightens obligations and legal liabilities for entities and individuals responsible for network security.

• Improved coordination with other laws: Provisions were adjusted to ensure better legal alignment and avoid conflicts with related statutes and regulatory frameworks.

• Explicit support for artificial intelligence: The amended law explicitly states that the state supports basic theoretical research and core algorithm development for Artificial Intelligence (Rén Gōng Zhìnéng 人工智能), and it promotes construction of foundational facilities such as training data resources and computing power (suànlì 算力).

• Ethics, risk monitoring and safety supervision: The revisions call for improved AI ethics guidance, stronger risk monitoring and evaluation mechanisms, and more robust safety supervision to promote healthy AI development and application.

What the AI language means in practice

By naming AI research, algorithms, training data, and computing power explicitly, the law signals a twin objective.

One objective is to encourage domestic research and development in AI and related infrastructure.

The other objective is to strengthen oversight where systemic risks may arise from AI deployment and networks.

This balance matters for founders and product teams building AI systems in China.

It means investment in compute and labeled training data gets legal recognition as a national priority.

It also means algorithm governance, risk assessment, and ethical compliance are now an explicit regulatory focus.

Implementation timeline

The amended Cybersecurity Law (Wǎngluò Ānquán Fǎ 网络安全法) is scheduled to come into force on January 1, 2026.

Organizations that operate networked systems, provide critical information infrastructure, or develop and deploy AI solutions should review their compliance programs and risk-management practices now to prepare for the new requirements.

Practical next steps for teams include updating internal policies on data governance, documenting algorithmic development and testing, and reviewing incident-response plans.

What to watch next

The amendments set the framework, but the details will matter for implementation and enforcement.

• Regulatory guidance and implementation rules: Watch ministries and agencies responsible for cybersecurity and AI oversight for follow-up rules and clarification.

• Industry-level standards and technical guidance: Expect standards on data governance, algorithm transparency, risk assessment, and ethical compliance to emerge.

• Enforcement actions and administrative measures: Future enforcement will clarify how the strengthened liabilities will be applied in practice.

Why this matters to investors, founders, techies and marketers

If you invest in Chinese AI or networked services, the amendments are a structural change to the regulatory environment.

If you build or operate AI systems in China, compliance and documented safety practices are moving from best practice to legal expectation.

If you market tech products in China, prepare for new compliance narratives to influence buyer decisions and procurement requirements.

In short, the amendment links innovation incentives with regulatory guardrails, which changes how risk and opportunity get evaluated across the ecosystem.

Quick checklist for teams operating in China

• Map assets: Identify networked systems and critical information infrastructure under your control.

• Data inventory: Document training data sources and governance practices.

• Algorithm logs: Keep records of algorithm development, testing, and performance monitoring.

• Risk processes: Set up or strengthen AI risk monitoring and ethical review workflows.

• Compliance playbook: Prepare documentation and reporting processes to meet future regulatory guidance.

Takeaway

The Cybersecurity Law amendment tightens legal responsibilities, aligns rules across laws, and explicitly supports AI research while increasing oversight.

For startups, investors and enterprises, it means planning for compliance and ethical risk controls is now part of building AI and networked products in China.

Cybersecurity Law amended — effective January 1, 2026

References

• 网络安全法完成修改 自2026年1月1日起施行 – 新华社
• 网络安全法完成修改 自2026年1月1日起施行 – 东方财富网
• National People’s Congress (NPC) – National People’s Congress