China: Draft cybersecurity amendment doubles down on digital repression


On 14 May 2025 the Standing Committee of the National People’s Congress, China’s legislative body, published its 2025 work plan, including plans to deliberate a draft amendment to the 2017 Cybersecurity Law proposed by the Cyberspace Administration of China (CAC). ARTICLE 19 warns that the proposed amendment doubles down on China’s repressive digital norms, further illustrating the human rights concerns inherent in China’s model of cybersecurity governance.

In March, ARTICLE 19 published Cybersecurity with Chinese Characteristics: Digital governance in the Indo-Pacific and the Taiwanese alternative, analysing China’s repressive digital governance and the concerns associated with its broader adoption.

As we have previously shown, the 2017 Cybersecurity Law has been foundational to much of China’s digital governance model and has influenced similarly repressive laws in other countries. The law establishes provisions on data localisation, real-name identity verification, tight monitoring and censorship, and network shutdowns, while simultaneously weakening cybersecurity. It grants the CAC supra-regulatory powers in cybersecurity efforts and imposes strict obligations not only on critical information infrastructure (CII) operators but also on non-CII operators, encouraging them to follow similar rules, effectively extending state control over all online actors.

In an explanatory note, the CAC explains that the amendment is needed to align the Cybersecurity Law with more recent legislation, such as the 2021 Data Security Law, and to address new cyber challenges. More concerningly, it also reiterates how the Cybersecurity Law provides the legal foundation for cyber sovereignty, one of China’s core authoritarian digital governance norms, stressing Xi Jinping’s imperative for China to become a cyber superpower. This raises concerns not only around the further deterioration of digital rights in China but also around the prospect of China continuing its efforts to influence global governance through cybersecurity norm-setting.

The most concerning changes proposed by the amendment involve significant increases in penalties, including greater liability for management personnel, and the reinforcement of censorship and surveillance as core elements of cybersecurity governance.  

ARTICLE 19 highlights the following concerns in particular:  

The amendment adds penalties and increases fines for vaguely worded network security consequences 

Revised Article 59 increases fines for network and CII operators’ non-compliance with varied cybersecurity duties. It doubles the maximum penalty for actions that impact local CII, or cause other vaguely worded consequences to network security, to 2 million yuan ($278,186 USD) and introduces a new penalty for causing CII to ‘lose its main function and other particularly serious consequences for cybersecurity’, with a maximum fine of 10 million yuan ($1,390,930 USD).  

Directly responsible personnel will face stricter liability, arguably as a means of outsourcing tighter oversight. In the 2017 Law, the harshest penalty for responsible personnel is 200,000 yuan ($27,818 USD). The amendment introduces a new fine for responsible management personnel carrying a maximum penalty of 1 million yuan ($139,093 USD).   

The violations mentioned above may also result in penalties including the suspension of offending websites and applications, or revocation of business licenses. This reflects a change in scope introduced by the amendment, as penalties would extend to applications, not just websites. 

A newly proposed Article 64 expands on the enhanced penalties for network or CII operators who fail to prevent certain prohibited acts. This includes activities vaguely deemed to endanger cybersecurity, or providing software, other technical support, or expenses for prohibited activities. This could impact cybersecurity researchers and digital security practitioners and, considering the emphasis on controlling information as part of China’s approach to cybersecurity, could be extended to those who provide VPNs and other circumvention tools, already effectively criminalised in China.

Because the law in China is often weaponised in service of the Chinese Communist Party (CCP), increased penalties signal that non-compliance with Party priorities in digital governance will be met with ever-harsher penalties.  

This becomes even more concerning when taken together with the emphasis put on censorship and surveillance as fundamental components of cybersecurity governance.   

The amendment reinforces censorship and surveillance  

While Article 64 discussed above bans the transmission of ‘prohibited’ information, draft Article 69 explicitly outlines penalties for non-compliance with censorship and surveillance obligations.

As with the 2017 Law, network operators are required to ‘strengthen management’ of user information. In practice, this compels active filtering and other forms of surveillance. Upon discovery of ‘prohibited’ information, network operators are to immediately halt its transmission, delete it, prevent it from spreading, save records, and report it to the authorities.  

The Law also compels a proactive role for cybersecurity and related official agencies to perform ‘network information security supervision and management’, meaning active surveillance for ‘prohibited’ content. When the authorities discover ‘prohibited’ content, they are required to order network operators to destroy it. These obligations also apply to electronic information service providers as well as application software download providers. 

Unsurprisingly, the draft explicitly reiterates requirements on preventing ‘prohibited’ information from outside of China, a reminder that the epitome of internet fragmentation, the Great Firewall of China, is synonymous with the Party’s approach to CII governance. This in turn raises serious concerns around the dissemination of China’s model for cybersecurity governance.

As with other violations, the draft also significantly increases fines for failure to adhere to the strict surveillance and censorship imperatives. This illustrates an increasingly concerning trend of conflating information control with information infrastructure security in ways wholly at odds with international human rights law on freedom of expression and internet governance principles. 

For example, the previous maximum fine for network and CII operators’ failure to control ‘prohibited’ information flow was 500,000 yuan ($69,546 USD). The draft increases the fine in cases of unspecified ‘serious’ circumstances to 2 million yuan ($278,186 USD). The maximum penalty for directly responsible personnel has been doubled to 200,000 yuan ($27,818 USD). Offending businesses will face closure, license revocation, or website blocking. 

The draft goes on to outline that, should network operators fail to block ‘prohibited’ content leading to further unspecified ‘particularly serious’ impacts or consequences, they will be subjected to a maximum fine of 10 million yuan ($1,390,930 USD), and administrative penalties. Directly responsible personnel will be fined upwards of 1 million yuan.   

Moreover, the draft combines the language in previous provisions into a new Article 71, further citing obligations of strict control over ‘permissible’ expression and data localisation requirements.  

It cites requirements to adhere to strict limitations of expression that are often applied arbitrarily to justify censorship and imprisonment for exercising the right to freedom of expression. The penalties for violation of these provisions are not explicitly listed in the law, which only says they will be ‘punished in accordance with the provisions of the relevant laws and administrative regulations’. 

The law holds that network users must abide by the Constitution, which establishes the primacy of the CCP over all else, a justification used to criminalise any speech critical of the Party. It continues that no one shall use the internet to endanger national security, incite subversion of national sovereignty, incite separatism, or advocate ethnic hatred, all charges often used against human rights defenders and marginalized ethnic communities in China. It further prohibits the dissemination of false information, which is frequently used to arbitrarily restrict information critical of the state. ARTICLE 19 reiterates that the veracity of information alone is not a permissible characteristic for restrictions on freedom of expression. Furthermore, content-based regulations should not be part of cybersecurity regulations.   

Finally, the draft amendment restates the data localisation requirement incumbent upon CII operators to store personal information or data within China. Chinese law grants the authorities access to user data. Localisation arguably serves to facilitate access. This raises severe privacy concerns, exemplified by Apple’s decision in 2017 to transfer all Chinese iCloud data from the US to China, in compliance with the Cybersecurity Law, followed in 2018 by further storing of all iCloud decryption keys in the same facility in China.  

Conclusion  

China’s vision of digital governance, based on centralised CCP control and cyber sovereignty, poses real challenges to international human rights, internet freedom, and democratic institutions. As China continues to increase its global influence in digital norms, pursuing its ambitions of achieving cyber superpower status, it will continue to push for adoption of its own model of cybersecurity governance. This is not mere speculation: the CAC explicitly states that it sees its cybersecurity model as part of China’s vision of becoming a cyber superpower.

ARTICLE 19 acknowledges that the operation of network and critical information infrastructure requires provisions to prevent and respond to cyber-attacks. At the same time, cybersecurity measures must not infringe on human rights, and information infrastructure security cannot be conflated with the surveillance and control of information. The draft amendment to the Cybersecurity Law, rather than addressing new and emerging cybersecurity vulnerabilities, doubles down on existing freedom of expression concerns in the 2017 Law. These concerns are only magnified by China’s own stated ambition to expand its cyber power through the development and dissemination of cybersecurity governance norms around the world.  

The international community, especially internet governance actors, should pay close attention to China’s evolving norms in cybersecurity to better prepare to prevent gradual normalisation of its repressive measures.