China Data Laws in 2026: What’s Changed and What Your Business Needs to Do

China data laws in 2026 have shifted significantly, and if your company operates in or handles data from the Chinese mainland, the changes affect you directly. On 1 January 2026, the most substantial amendments to China’s Cybersecurity Law (CSL) since its adoption in 2017 came into force, alongside new certification rules for cross-border personal information transfers. Together, these updates tighten enforcement, raise penalties dramatically, and bring artificial intelligence governance into national law for the first time.

So, what does all of this actually mean for multinational compliance teams? Let’s walk through it.

How did China’s data framework work before?

China’s approach to data and cybersecurity has always rested on three core laws. The Cybersecurity Law (CSL), enacted in 2017, set out the foundational rules for network security, data handling, and the protection of critical information infrastructure (CII). The Data Security Law (DSL), effective from 2021, introduced data classification requirements, risk assessments, and rules around important data. And the Personal Information Protection Law (PIPL), also effective since 2021, gave China its comprehensive data privacy framework, broadly comparable to the EU’s GDPR.

For multinationals, navigating these three laws was already complex. Different obligations kicked in depending on whether you were classified as a critical information infrastructure operator (CIIO), the volume of personal data you processed, and whether that data crossed borders. Penalties existed, of course, but the CSL’s enforcement teeth hadn’t been sharpened since 2017. Cross-border data transfers had two established compliance routes (security assessments and standard contractual clauses), but the third pathway, certification, remained incomplete.

That’s the landscape as it stood heading into 2025. What follows is a fairly significant recalibration.

What’s actually changed?

The Standing Committee of the National People’s Congress passed the CSL amendments on 28 October 2025, with the changes taking effect on 1 January 2026. It marks the first major overhaul of the CSL since the law was enacted in 2017.

Here’s what’s new.

  1. Penalties have been raised dramatically. Previously, fines for violations of cybersecurity obligations ranged up to RMB 500,000 (roughly USD 70,000). Under the amended CSL, where violations lead to serious consequences, such as large-scale data leaks or partial loss of CII functionality, fines can now reach RMB 2 million (approximately USD 280,000). Where the consequences are particularly serious, fines can climb to RMB 10 million (approximately USD 1.4 million). That’s a tenfold increase at the upper end. Individuals directly responsible for breaches, not just senior managers, can now face personal fines of up to RMB 1 million.
  2. The “warning first” requirement is gone. Under the old rules, regulators had to issue a warning and a rectification order before imposing fines. The amendments remove that procedural step. Authorities can now impose fines immediately for failures to meet cybersecurity obligations. Even minor breaches carry immediate financial risk.
  3. Extraterritorial reach has broadened. Previously, the CSL’s overseas enforcement applied only to activities that endangered critical information infrastructure. The amended law extends this to any activities by overseas parties that harm China’s cybersecurity. Regulators can now pursue legal liability against overseas actors and, where serious consequences result, may impose sanctions such as asset freezing.
  4. AI governance enters national law. The amendments add a new Article 20, which explicitly affirms state support for foundational AI research, algorithm development, and computing infrastructure. At the same time, the law commits to strengthening AI ethics regulation, enhancing risk monitoring and safety assessments, and promoting the responsible development of artificial intelligence. While China already had regulations covering algorithms, deepfakes, and generative AI, legislators have now written AI governance directly into national legislation for the first time.
  5. Supply chain obligations are tightened. Both purchasers and suppliers of key network equipment and specialised cybersecurity products now bear direct legal obligations to ensure compliance, with enhanced penalties for non-compliance.

Is there any good news on the enforcement side?

Actually, yes. The amended CSL also incorporates a leniency framework aligned with China’s Administrative Penalty Law. Regulators may reduce or waive penalties if the violator:

  • Proactively eliminates or reduces the harmful consequences of their breach
  • Voluntarily reports an illegal act not yet known to authorities
  • Cooperates fully with investigations
  • Commits a first-time, minor violation and promptly corrects it

This isn’t a free pass, but it does mean that demonstrable, well-documented compliance efforts genuinely matter. Companies that remediate rapidly and maintain clear audit trails position themselves better to benefit from reduced penalties.

Cross-border data transfers: the final piece of the puzzle

Alongside the CSL amendments, China also completed its regulatory framework for cross-border personal information transfers under the PIPL. On 17 October 2025, the Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR) jointly issued the Measures for Certification of Cross-Border Personal Information Transfer, effective 1 January 2026.

This means all three compliance pathways for transferring personal data out of China are now fully operational:

  1. Security Assessment — mandatory for CIIOs, and for organisations that have transferred abroad, within the current year, personal information of more than 1 million individuals or sensitive personal information of more than 10,000 individuals.
  2. Standard Contractual Clauses (SCCs) — available for non-CIIO data handlers transferring personal information of between 100,000 and 1 million individuals, or sensitive personal information of fewer than 10,000 individuals.
  3. Certification — now available as an alternative to SCCs for organisations meeting the same thresholds. Third-party institutions conduct the certification, which remains valid for three years and must specify the business scenarios, data types, purposes, and overseas recipients covered.

An important nuance: transfers involving important data remain strictly limited to the security assessment pathway. And organisations transferring non-sensitive personal information of fewer than 100,000 individuals are generally exempt from all three procedures, provided they still meet their obligations under the PIPL (consent, impact assessments, notification).
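The routing rules above are easy to get wrong at the boundaries, so here is the threshold logic written out as a small Python helper. This is an added example, not code from the original article or from Klea; it encodes only the thresholds stated on this page. Two points are assumptions rather than anything the page states: the counts are treated as cumulative totals of individuals transferred abroad since 1 January of the current year, and an exact count of 10,000 sensitive-data individuals or exactly 1 million ordinary-data individuals is treated as the SCC/certification tier (the page's wording "more than" leaves the exact boundary unstated). Any sensitive personal information at all is routed to SCC/certification, because the exemption the page describes applies only to non-sensitive data.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Pathway(Enum):
    SECURITY_ASSESSMENT = "CAC security assessment"
    SCC = "standard contractual clauses"
    CERTIFICATION = "third-party certification"
    EXEMPT = "exempt from all three procedures (PIPL duties still apply)"


# Thresholds as stated on the page (individuals, cumulative since 1 Jan this year - assumption).
ASSESSMENT_PI_THRESHOLD = 1_000_000      # "more than 1 million" -> security assessment
ASSESSMENT_SENSITIVE_THRESHOLD = 10_000  # "more than 10,000" sensitive -> security assessment
EXEMPTION_PI_LIMIT = 100_000             # "fewer than 100,000" non-sensitive -> exempt


@dataclass(frozen=True)
class TransferProfile:
    is_ciio: bool                     # critical information infrastructure operator
    involves_important_data: bool     # "important data" under the DSL
    pi_individuals: int               # individuals whose non-sensitive PI leaves China
    sensitive_pi_individuals: int     # individuals whose sensitive PI leaves China


def eligible_pathways(p: TransferProfile) -> list[Pathway]:
    """Return the compliance pathways open to this transfer profile, strictest first."""
    if p.pi_individuals < 0 or p.sensitive_pi_individuals < 0:
        raise ValueError("individual counts must be non-negative")

    # Important data and CIIOs are limited to the security assessment regardless of volume.
    if p.involves_important_data or p.is_ciio:
        return [Pathway.SECURITY_ASSESSMENT]

    # Volume triggers for the mandatory security assessment.
    if (p.pi_individuals > ASSESSMENT_PI_THRESHOLD
            or p.sensitive_pi_individuals > ASSESSMENT_SENSITIVE_THRESHOLD):
        return [Pathway.SECURITY_ASSESSMENT]

    # Middle tier: SCCs or the new certification route, at the handler's choice.
    # Exactly 100,000 ordinary or exactly 10,000 sensitive lands here (boundary assumption).
    if p.pi_individuals >= EXEMPTION_PI_LIMIT or p.sensitive_pi_individuals > 0:
        return [Pathway.SCC, Pathway.CERTIFICATION]

    # Small, non-sensitive transfers: no filing, but consent, impact assessment
    # and notification duties under the PIPL remain.
    return [Pathway.EXEMPT]


def strictest_pathway(profiles: list[TransferProfile]) -> Pathway:
    """For a group of intra-company flows, the pathway that must be satisfied overall."""
    rank = {Pathway.EXEMPT: 0, Pathway.CERTIFICATION: 1,
            Pathway.SCC: 1, Pathway.SECURITY_ASSESSMENT: 2}
    return max((eligible_pathways(p)[0] for p in profiles), key=rank.__getitem__)


if __name__ == "__main__":
    # Constructed sample flows for a hypothetical group (not real data).
    hr_flow = TransferProfile(False, False, pi_individuals=2_500, sensitive_pi_individuals=0)
    crm_flow = TransferProfile(False, False, pi_individuals=150_000, sensitive_pi_individuals=0)
    health_flow = TransferProfile(False, False, pi_individuals=0, sensitive_pi_individuals=12_000)
    for flow in (hr_flow, crm_flow, health_flow):
        print(flow, "->", [p.value for p in eligible_pathways(flow)])
    print("group must satisfy:", strictest_pathway([hr_flow, crm_flow, health_flow]).value)
```

The helper is deliberately conservative: when a profile could fall on either side of an unstated boundary it is placed in the stricter of the two tiers, and important data short-circuits everything else, which mirrors the page's note that such transfers are limited to the security assessment route.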

For multinational companies with intra-group data flows, the certification pathway may offer a more streamlined, long-term compliance mechanism compared to managing multiple standard contracts across jurisdictions.

What should your company do right now?

The regulatory ground has shifted, and the compliance window is already open. Here’s where to focus.

  • Review your cybersecurity framework against the amended CSL. Map your current obligations to the updated penalty tiers and ensure your incident response plans account for the removal of the “warning first” requirement.
  • Assess your cross-border data transfers. Determine which pathway applies to your organisation, whether that’s security assessment, standard contractual clauses, or the new certification route. If you’re approaching volume thresholds, plan ahead.
  • Audit your AI governance. If you deploy AI in products, services, or internal operations connected to China, begin mapping those activities against the CSL’s new AI provisions and existing regulations on algorithms, generative AI, and content labelling.
  • Document everything. The leniency framework rewards demonstrated good-faith compliance. Maintain clear records of remediation efforts, risk assessments, and internal reviews.
  • Evaluate your extraterritorial exposure. If you have offshore operations with any nexus to China, including handling data from Chinese users or interacting with Chinese networks, the broadened extraterritorial provisions may apply to you.
  • Brief leadership. The tenfold increase in potential fines and the extension of personal liability to “other directly responsible personnel” (not just senior managers) make this a board-level concern.

What’s next?

Managing data compliance in China requires detailed planning and full legal awareness. For more insights into compliance processes in other jurisdictions, explore our article, CBAM 2026: EU Carbon Border Tax Explained.

Klea transforms entity management by offering centralised governance, automated compliance, and secure collaboration tools. For this reason, businesses looking for an efficient solution can take the following actions:

  • Request a Demo – See Klea in action for your organisation.
  • Start a Trial – Experience firsthand how automation reduces workload and improves efficiency.
  • Talk to Our Experts – Get tailored recommendations based on your entity management needs.

Company secretarial software solutions play a crucial role in modern businesses that require structured governance, consistent compliance, and accurate legal entity management. With Klea, organisations can ensure corporate governance remains efficient, transparent, and risk-free.

Legal Disclaimer

The information provided on Klea’s website is made available “as is” for informational purposes only. Klea does not provide legal, tax, or financial advice and is not responsible for any actions taken or not taken based on the content found on this website. In no event shall Klea be liable for any loss or damages arising from reliance on the information contained herein.

For specific legal or compliance support tailored to your business needs, please contact Klea directly. Our team provides personalised guidance and expert solutions. Any reliance on general content without direct consultation does not establish any legal responsibility or liability on Klea’s part.
