Cybersecurity Law of the People's Republic of China (Amended in 2025)
Order of the President of the People's Republic of China No. 61
October 28, 2025
(Adopted at the 24th Session of the Standing Committee of the 12th National People's Congress on November 7, 2016; amended in accordance with the Decision of the Standing Committee of the National People's Congress on Revising the Cybersecurity Law of the People's Republic of China adopted at the 18th Session of the Standing Committee of the National People's Congress on October 28, 2025)
Contents
Chapter I General Provisions
Chapter II Support and Promotion of Cybersecurity
Chapter III Network Operation Security
Section 1 General Provisions
Section 2 Operation Security of Critical Information Infrastructure
Chapter IV Network Information Security
Chapter V Monitoring, Early Warning and Emergency Response
Chapter VI Legal Liability
Chapter VII Supplementary Provisions
Chapter I General Provisions
Article 1 The Cybersecurity Law of the People's Republic of China (hereinafter referred to as this "Law") is enacted for the purposes of ensuring cybersecurity, safeguarding cyberspace sovereignty, national security and public interests, protecting the lawful rights and interests of citizens, legal persons and other organizations, and promoting the sound development of economic and social informatization.
Article 2 This Law shall apply to the development, operation, maintenance and use of networks as well as the supervision and regulation of the cybersecurity within the territory of the People's Republic of China.
Article 3 It is imperative to uphold the leadership of the Communist Party of China in the cybersecurity work, adhere to the overall national security outlook, balance development and security, and advance the building of China into a cyber power.
Article 4 The State adheres to equal focus on cybersecurity and information-based development, follows the guidelines of positive use, scientific development, lawful management and security assurance, promotes the construction of cyber infrastructure and its interconnection, encourages the innovation in and application of cyber technologies, supports the cultivation of talents in respect of cybersecurity, establishes and perfects the cybersecurity guarantee system and raises the ability to protect cybersecurity.
Article 5 The State shall develop and continuously improve cybersecurity strategies, specify the basic requirements and main objectives for cybersecurity protection, and propose cybersecurity policies, working tasks and measures in key areas.
Article 6 The State shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both within and outside the territory of the People's Republic of China, to protect critical information infrastructure from attacks, intrusions, interference and damage, to punish illegal criminal activities on the network in accordance with the law and to preserve cyberspace security and order.
Article 7 The State shall advocate honest, faithful, healthy and civilized cyber behaviors, advance the spreading of the core socialist values, and take measures to improve the awareness and level of cybersecurity of the whole of society, forming a sound environment for promoting cybersecurity with the participation of all the public.
Article 8 The State shall actively carry out international exchange and cooperation in terms of cyberspace governance, research and development of cyber technologies, establishment of the standards thereof and fighting against illegal crimes committed on the network and other aspects, promote the construction of a peaceful, safe, open and cooperative cyberspace, and establish a multilateral, democratic and transparent system for network governance.
Article 9 The national cyberspace authority is responsible for the overall planning and coordination of cybersecurity work and relevant supervision and regulation. The competent telecommunications authority and public security authority under the State Council, and other relevant authorities shall be responsible for protecting, supervising and administering cybersecurity within the scope of their respective responsibilities in accordance with the provisions of this Law and other relevant laws and administrative regulations.
Responsibilities of relevant authorities under local people's governments at or above the county level for protecting, supervising and administering cybersecurity shall be determined in accordance with the relevant provisions of the State.
Article 10 Network operators, while conducting business and service activities, shall comply with laws and administrative regulations, show respect for social moralities, follow business ethics, act in good faith, perform the obligation of cybersecurity protection and accept supervision by the government and the public, and undertake social responsibilities.
Article 11 For the development and operation of a network or the provision of services through a network, it is a requirement to, in accordance with the provisions of laws and administrative regulations and the mandatory requirements of national standards, take technical measures and other necessary measures to ensure the secure and stable operation of the network, effectively respond to cybersecurity incidents, prevent illegal crimes committed on the network, and maintain the integrity, confidentiality and availability of cyber data.
Article 12 Cyber-related industrial organizations shall, in accordance with their regulations, intensify industrial self-discipline, formulate regulations on cybersecurity behaviors, instruct their members to strengthen cybersecurity protection, raise the level of cybersecurity protection and promote the sound development of relevant industries.
Article 13 The State shall protect the rights of citizens, legal persons, and other organizations to use cyberspace according to the law, promote the popularity of network access, and raise the level of network services, so as to provide the public with secure and convenient network services and guarantee the orderly and free flow of network information in accordance with the law.
Any individual and organization using the network shall comply with the constitution and the laws, follow the public order and respect social moralities, and shall neither endanger cybersecurity, nor engage in activities by making use of the network that endanger the national security, honor and interests, incite to subvert the State power and overthrow the socialist system, incite to split the country and undermine the national unity, advocate terrorism and extremism, propagate ethnic hatred and discrimination, spread violent and pornographic information, fabricate or disseminate false information to disturb the economic and social order, or infringe on the fame, privacy, intellectual property and other lawful rights and interests of others.
Article 14 The State shall encourage the research and development of network products and services that are favorable to minors' healthy growth and take punitive measures against acts by making use of the network for those activities that do harm to the physical and psychological health of minors according to the law for the purpose of creating a secure and healthy network environment for minors.
Article 15 Any individual or organization shall have the right to report the activities that endanger cybersecurity to the cyberspace administration authorities, telecommunications authorities, public security authorities, etc. Any authority receiving a report shall promptly handle such report in accordance with the law and transfer the report to the authority with the jurisdiction if the said report is beyond its own responsibility.
The relevant authorities shall maintain the confidentiality of certain information on informants and protect their lawful rights and interests.
Chapter II Support and Promotion of Cybersecurity
Article 16 The State shall establish and improve the system of cybersecurity standards. The competent standardization authority under the State Council and other relevant authorities under the State Council shall, in accordance with their respective responsibilities, organize the formulation of relevant national and industrial standards for cybersecurity administration and the security of network products, services and operations and make revisions at appropriate times.
The State shall support enterprises, research institutions, institutions of higher education, and network-related industrial organizations in participating in the formulation of national and industrial standards on cybersecurity.
Article 17 The State Council and the people's governments of all provinces, autonomous regions and municipalities directly under the Central Government shall conduct the overall planning, increase the input, support key cybersecurity technology industries and projects, support the research, development and application of cybersecurity technologies, promote safe and reliable network products and services, and protect the intellectual property rights of network technologies and support enterprises, research institutes, institutions of higher education to participate in national innovation projects related to cybersecurity technologies.
Article 18 The State shall boost the development of a socialized service system for cybersecurity, and encourage the relevant enterprises and institutions to provide such security services as the cybersecurity certification, detection and risk assessment.
Article 19 The State shall encourage the development of technologies for protecting and using network data, promote the availability of public data resources and propel technological innovation and social and economic development.
Article 20 The State shall support fundamental research on artificial intelligence (AI) and research and development of key technologies such as algorithms, promote the development of infrastructure including training data resources and computing power, improve ethical norms for AI, strengthen risk monitoring, assessment, and security regulation, and promote AI application and sound development.
The State shall support the innovation of cybersecurity management approaches, and make use of AI and other new technologies to enhance the level of cybersecurity protection.
Article 21 People's governments at all levels and the relevant authorities thereof shall organize and provide regular publicity and education on cybersecurity, and guide, supervise and urge relevant entities to provide such publicity and education on cybersecurity in an effective way.
The mass media shall provide publicity and education on cybersecurity targeted at the public specifically.
Article 22 The State shall support enterprises, institutions of higher education, vocational schools and other education training institutions to carry out cybersecurity-related education and training, adopt various methods to cultivate talents for cybersecurity and promote the exchange of talents for cybersecurity.
Chapter III Network Operation Security
Section 1 General Provisions
Article 23 The State shall implement a system of graded protection for cybersecurity.
......