The Cybersecurity Law (CSL), China’s first fundamental law to comprehensively regulate cybersecurity issues, is about to undergo its first revision. A key feature of the proposed amendments is a significant increase in penalties for network operators and critical infrastructure operators that fail to comply with relevant cybersecurity protection obligations. For example, the fine range for failure to comply with relevant cybersecurity requirements (such as failure to implement MLPS 2.0) has been changed from the original “more than RMB 10,000 to less than RMB 100,000” to “if there are serious circumstances, fines of less than RMB one million” and “if there are particularly serious circumstances, fines of more than RMB one million or less than five percent of the previous year’s revenue.”
Serious penalties such as “suspension of the relevant business, closure of the website, revocation of the relevant business permit, or revocation of the business license” were added. In addition, the maximum fine for those directly responsible has been increased, and they may be banned from serving as a director, supervisor or officer of the business in question, or from holding key positions in network security and operation, for a specified period of time. Fines for critical infrastructure operators have also been significantly increased.
We expect the number of inspections to increase significantly after the draft is passed, which will have a significant impact on foreign companies operating in China. In order to avoid high fines or even the revocation of business licenses, we recommend that compliance measures such as the implementation of MLPS certification, the review of cross-border data traffic or the restructuring of IT systems in China be implemented in good time.