China's Amended Cybersecurity Law Takes Effect

China’s amended Cybersecurity Law became effective this week, imposing stricter requirements on digital platform operators. The law mandates data localization, requiring user data to be stored and processed within China. It also increases obligations for algorithmic transparency and supply chain security, making features like auditability and user kill-switches core compliance requirements for AI platforms.

- The recent changes represent the first major revision to China's core Cybersecurity Law (CSL) since it was enacted in 2017. This amendment aligns the CSL with other key regulations like the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), creating a more integrated and stringent data governance framework.
- Penalties for non-compliance have been significantly increased. For Critical Information Infrastructure Operators (CIIOs), fines can now reach up to RMB 10 million (approx. US$1.43 million). Regulators can also now issue fines immediately for certain violations without first issuing a warning and a rectification order.
- The law's expanded scope for "Critical Information Infrastructure Operators" (CIIOs) now broadly covers sectors that, if compromised, could harm national security or public interest, including public communications, energy, finance, and e-government services. Companies identified as CIIOs face the strictest requirements, including mandatory security reviews for procured network products and services that may affect national security.
- A new article (Article 20) was added to the law, explicitly stating that the state supports the development of AI technologies. This includes backing for basic theoretical research, algorithm development, and the construction of training data and computing infrastructure, signaling that AI development is a national strategic priority within this stricter regulatory environment.
- The law strengthens supply chain security by mandating that CIIOs only use network products and services that have passed a national security review. This creates a more complex procurement process and requires robust supplier due diligence and contractual controls to ensure all components in the tech stack are compliant.
- The amendment broadens the law's extraterritorial scope. Previously focused on overseas activities targeting critical infrastructure within China, it now applies to any overseas activities by organizations or individuals that are deemed to endanger China's overall cybersecurity.
- In parallel with the CSL, China has been implementing more specific regulations around algorithms, including the "Regulations on the Management of Algorithmic Recommendation in Internet Information Services." These rules require service providers to be transparent about the basic principles and main mechanics of their recommendation algorithms.
- The amendments introduce a basis for leniency in administrative penalties. Regulators can now officially reduce or waive penalties for minor, first-time violations, especially if the company takes proactive steps to eliminate or mitigate any harm caused.
