Since January 1, 2026, stricter requirements have been in force in China under the Cybersecurity Law (CSL). The changes significantly expand the regulatory framework and increase compliance pressure in the areas of cybersecurity, data protection, and AI governance, particularly for foreign companies with ties to China.
The key point is the expanded extraterritorial application. While the law previously applied primarily to foreign actors who directly threaten China’s critical information infrastructure, in the future it can be applied to almost any action by foreign organizations or individuals if it is deemed detrimental to national cybersecurity. This significantly extends the scope of the regulations beyond traditional infrastructure and attack scenarios.
At the same time, the penalties are being noticeably increased. Serious violations are punishable by fines of between two and ten million RMB. Authorities can also deactivate apps or revoke business licenses, so beyond the financial risk this poses an immediate operational risk for affected business models.
Another focus is on greater integration and control of artificial intelligence. On the one hand, government funding for AI research and development is being expanded; on the other, oversight of AI risks is being tightened. Companies working on AI systems, algorithms, or related infrastructure must expect more detailed requirements regarding ethics, risk control, and system security.
Enforcement will be made more flexible. Minor or quickly corrected violations may be met with greater leniency, while new sanctioning instruments will allow for more targeted interventions. Preventive controls, clear documentation, and rapid correction processes will thus become more important.
The changes are particularly relevant for companies with ERP, cloud, R&D, or shared service structures in China, as well as for organizations that integrate Chinese data into global systems. They should review and update their internal data protection and security procedures, including technical standards, data localization requirements, and approvals for cross-border data transfers. In view of the increasing regulatory complexity, it is also advisable to expand compliance within the organization: clear responsibilities, binding security protocols, and regular training on cybersecurity and data protection.
Further clarification from the relevant authorities is expected in 2026, as are industry-specific guidelines – particularly for manufacturing, supply chain SaaS, ERP systems, and the automotive, healthcare, and financial sectors. At the same time, more frequent spot checks and expanded security audits of cloud services, data platforms, and AI training data sets are to be expected.
