In force now: 1 January 2026. The amended Cybersecurity Law is live. Maximum fines have increased from RMB 500,000 to RMB 10,000,000 for severe violations. The leniency window for minor, first-time breaches applies only to entities that can demonstrate documented, good-faith compliance efforts. If you have operations, suppliers, or data flows touching China, your risk exposure has materially changed.
01 – Framework
China’s Three-Law Data Architecture
Unlike the EU’s single GDPR, China applies three cumulative laws to any organisation that operates in China or processes data of individuals located there. These laws do not replace each other; they stack, and obligations under each must be met simultaneously. The 2025–2026 enforcement cycle tightened all three in parallel.
CSL: Cybersecurity Law (in force since 2017, amended 2026)
Network security, critical infrastructure protection, data localisation for CIIOs, product certification. Now with dramatically higher penalties and extraterritorial reach.
DSL: Data Security Law (in force since 2021)
Data classification, important data identification, data security management obligations, and rules on providing data to foreign judicial or law enforcement bodies.
PIPL: Personal Information Protection Law (in force since 2021)
China’s GDPR equivalent. Consent, purpose limitation, data minimisation, individual rights, DPIA-equivalent requirements, DPO-equivalent designation, and cross-border transfer mechanisms.
The 2025–2026 period saw a deliberate integration push: the CSL amendments now explicitly require network operators to comply with the PIPL when processing personal data, closing a long-standing ambiguity between the two laws and reinforcing their cumulative application.
02 – CSL Amendment
What the January 2026 CSL Amendment Changes
Passed on 28 October 2025 and effective 1 January 2026, this is the first major overhaul of the Cybersecurity Law since its adoption in 2017. The amendments were described by China’s legislative authorities as a “small-incision” reform, but the impact on compliance risk is anything but small.
2017
Original CSL enters force. Penalties capped at RMB 500,000 for most violations. Extraterritorial scope limited to attacks on critical information infrastructure (CII).
2021
DSL and PIPL enacted. China’s three-law framework takes shape, but CSL and PIPL remain imperfectly aligned on personal data obligations.
March 2025
Draft CSL amendments published by CAC for consultation. Industry raises concerns about penalty escalation and extraterritorial scope.
28 October 2025
Amendments adopted by the Standing Committee of the National People’s Congress (NPC). Four key changes confirmed: penalties, AI governance, extraterritorial reach, PIPL alignment.
1 January 2026 (in force)
Amended CSL effective. PIP Certification Measures also enter force on the same date. National standard GB/T 46068-2025 follows on 1 March 2026.
New Penalty Structure: CSL Amended Article 61
General violations: maximum RMB 1M
Maximum fine for network operators and CIIOs for general cybersecurity obligation failures. Previously capped at RMB 100,000–500,000.
Individual directly responsible: up to RMB 100,000
Severe violations: maximum RMB 10M
New category: applies where violations cause “serious” or “particularly serious” consequences, including non-compliant cross-border transfers or emergency response failures.
Individual directly responsible: up to RMB 1,000,000
Context: Maximum PIPL fines reach RMB 50M or 5% of annual revenue. The CSL amendments were designed to align enforcement pressure across all three laws.
Extraterritorial Reach: Expanded
The original CSL only covered overseas activities that attacked or harmed Chinese critical information infrastructure. The amended CSL extends this to any overseas activity that “endangers China’s cybersecurity” broadly. In serious cases, authorities may impose asset freezes and other sanctions on foreign entities.
For multinationals with offshore operations that have any China nexus (cloud infrastructure, HR systems, customer data flows), this expansion requires a reassessment of cross-border exposure, even where the organisation does not maintain a physical China presence.
New, first time in law: Artificial Intelligence Governance Enters the CSL
For the first time, the CSL explicitly affirms state support for AI innovation and establishes a legal basis for AI security governance. Organisations deploying AI in products, services, or internal operations in China must now map their AI activities against the CSL’s policy framework.
Practical obligations: implement technical safeguards proportionate to AI use cases, maintain AI ethics and risk assessment processes, and ensure that AI systems deployed in network products meet existing security certification requirements. This intersects with China’s existing AI-specific regulations (Algorithm Recommendation Measures, Deep Synthesis Rules, Generative AI Measures).
Leniency framework: use it strategically. The amended CSL incorporates China’s Administrative Penalty Law leniency provisions. Penalties may be reduced or waived where the violator: proactively eliminates harmful consequences, voluntarily self-reports before authorities discover the issue, cooperates with investigations, or demonstrates first-time / minor breach status with prompt correction. This makes documented compliance efforts (audit trails, incident logs, remediation records) a tangible financial risk management tool, not just a formality.
03 – Cross-Border Transfers
Three Pathways: Now All Operational
The PIPL established three mechanisms for transferring personal information out of China. As of 1 January 2026, all three pathways are fully operational following the entry into force of the PIP Certification Measures. The correct pathway depends on the volume and sensitivity of data transferred.
Which Transfer Mechanism Applies?
Based on CAC Security Assessment thresholds and PIP Certification Measures (effective 1 January 2026)
CAC Security Assessment: MANDATORY
Applies when: CIIO status, or >1M individuals’ PI, or >10,000 sensitive PI, or important data.
Regulator-led review. Required before transfer begins. CIIOs cannot use any other mechanism. No exemptions for high-risk transfers.
Standard Contractual Clauses (SCC Filing): AVAILABLE
Applies when: 100K–1M individuals, or <10,000 sensitive PI, and not CIIO.
Execute CAC-approved SCCs with overseas recipient, then file with local CAC. Legally binding documents must cover: responsibility allocation, storage arrangements, security measures, individual rights, and remedies.
PIP Certification: NEW, JANUARY 2026
Applies when: intra-group transfers, all volumes (below CAC threshold), and not CIIO.
Third-party certification by CAC-approved body. Operationalised by PIP Certification Measures (Oct 2025). Useful for multinational intra-group data flows as a long-term compliance mechanism. Standard GB/T 46068-2025 enters force 1 March 2026.
Exemption: Organisations transferring non-sensitive personal information of fewer than 100,000 individuals are generally exempt from all three mechanisms, provided they meet base PIPL obligations (consent, DPIA-equivalent, notification).
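To make the pathway rules above checkable against a data-flow inventory, here is an added example (not from the original page or from DPO Advisors) that encodes the thresholds exactly as summarised on this page and applies them to a constructed list of flows. The DataFlow fields, the per-flow counting of individuals, and the treatment of the boundary values (exactly 10,000 sensitive-PI individuals, exactly 1M or 100K individuals) are assumptions, and the output is a triage aid, not a determination of the legally required mechanism.

```python
from __future__ import annotations
from dataclasses import dataclass

# Thresholds as summarised on this page: CAC Security Assessment triggers and the <100K exemption.
ASSESSMENT_PI = 1_000_000        # more than 1M individuals' PI
ASSESSMENT_SENSITIVE = 10_000    # more than 10,000 individuals' sensitive PI
EXEMPTION_PI = 100_000           # fewer than 100K individuals, non-sensitive PI only


@dataclass
class DataFlow:
    name: str
    individuals: int                 # individuals whose PI leaves China in this flow
    sensitive_individuals: int = 0   # of those, individuals whose sensitive PI is included
    important_data: bool = False
    ciio: bool = False               # exporter is a critical information infrastructure operator
    intra_group: bool = False        # recipient is an affiliate of the exporter


def transfer_pathway(flow: DataFlow) -> tuple[str, str]:
    """Return (pathway, reason) for one flow, checking the mandatory triggers first."""
    if flow.individuals < 0 or flow.sensitive_individuals > flow.individuals:
        raise ValueError(f"{flow.name}: sensitive count cannot exceed total count")
    if flow.ciio:
        return "CAC Security Assessment", "CIIO: no other mechanism is permitted"
    if flow.important_data:
        return "CAC Security Assessment", "important data"
    if flow.individuals > ASSESSMENT_PI:
        return "CAC Security Assessment", "more than 1M individuals' PI"
    if flow.sensitive_individuals > ASSESSMENT_SENSITIVE:
        return "CAC Security Assessment", "more than 10,000 individuals' sensitive PI"
    if flow.sensitive_individuals == 0 and flow.individuals < EXEMPTION_PI:
        return "Exempt", "non-sensitive PI of fewer than 100K individuals; base PIPL duties still apply"
    # Below the assessment triggers and not exempt. Assumption: boundary values (exactly
    # 10,000 sensitive, exactly 1M or 100K individuals) fall into the SCC/certification band.
    if flow.intra_group:
        return "PIP Certification", "intra-group flow below the CAC threshold (SCC filing also available)"
    return "SCC Filing", "100K-1M individuals or sensitive PI below 10,000, not CIIO"


def mandatory_assessments(flows: list[DataFlow]) -> list[str]:
    """Names of flows that cannot start before a CAC Security Assessment."""
    return [f.name for f in flows if transfer_pathway(f)[0] == "CAC Security Assessment"]


# Constructed sample inventory (not real data flows).
SAMPLE_FLOWS = [
    DataFlow("hr-payroll-to-hq", individuals=8_000, sensitive_individuals=8_000, intra_group=True),
    DataFlow("crm-sync", individuals=250_000),
    DataFlow("newsletter-list", individuals=40_000),
    DataFlow("grid-telemetry", individuals=0, important_data=True, ciio=True),
    DataFlow("app-analytics", individuals=3_000_000),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        pathway, reason = transfer_pathway(flow)
        print(f"{flow.name:20} {pathway:26} {reason}")
```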
04 – PIPL Audits
Mandatory PIPL Compliance Audit Cycles
The CAC’s Measures for the Administration of Compliance Audits on Personal Information Protection, effective 1 May 2025, introduced mandatory audit cycles for large-scale data processors. This is a significant operational obligation, particularly for international companies with large China user bases.
Audit Thresholds & Cycles
Under the PIPL Audit Measures, effective 1 May 2025
Annual audit threshold: 10M+
Processors handling personal information of 10 million or more individuals in China must conduct a compliance audit at least once per year.
Biennial audit threshold: 1M–10M
Processors handling personal information of 1 million to 10 million individuals must conduct a compliance audit at least once every two years.
- Scope of audit: Processing activities, legal basis documentation, consent records, cross-border transfer mechanisms, PIPO (Personal Information Protection Officer) designation, individual rights handling, and security measures.
- Triggered audits: Separate from the scheduled cycle, the CAC may order an ad hoc compliance audit in response to a complaint, incident, or suspected violation. These can be self-conducted or required to be performed by an independent third party.
- Evidence readiness: Audit reports must be produced on request and retained. National standard GB/T 45574-2025 provides the framework for conducting these audits and is the primary reference regulators will apply.
- PIPO designation: Large-scale processors must designate a Personal Information Protection Officer (PIPO). Unlike the GDPR DPO, the PIPO must be a senior individual accountable to management, with direct reporting to the highest level of the organisation.
05 – Action Plan
Compliance Checklist: China Data 2026
What To Assess Now
Structured around the three priority areas: cross-border transfers, PIPL audit readiness, and CSL cybersecurity obligations
Cross-Border Transfers
- Map all personal data flows out of China, by volume, data category, and recipient country.
  Include intra-group transfers, SaaS tools, cloud providers, and HR systems.
- Determine which transfer mechanism applies to each flow.
  CAC Security Assessment · SCC Filing · PIP Certification · or exemption below 100K.
- Execute and file SCCs where required, or initiate the certification process.
  Ensure contracts include: responsibility allocation, storage terms, security measures, individual rights, remedies (GB/T 46068-2025 from 1 March 2026).
- Verify CIIO status; if applicable, CAC Security Assessment is the only permitted pathway.
  Data localisation obligation also applies to CIIOs.
PIPL Audit Readiness
- Count your China personal information subjects to determine annual vs biennial audit obligation.
  10M+ = annual · 1M–10M = biennial · Below 1M = no scheduled audit obligation.
- Plan your first audit cycle against the GB/T 45574-2025 standard.
  Decide: self-conducted vs independent third-party audit.
- Designate a PIPO (Personal Information Protection Officer) if required.
  Must be a senior individual with direct access to highest management.
CSL Cybersecurity Obligations
- Update cybersecurity framework against amended penalty tiers.
  Remove assumption of RMB 500K cap; severe violations now reach RMB 10M.
- Review incident response plan; remove the “warning first” assumption.
  Emergency response failures now trigger direct penalties without prior warning.
- Assess extraterritorial exposure for offshore operations with China nexus.
  Includes cloud infra, offshore processing, and intra-group data hubs outside China.
- Map AI deployments against CSL AI governance provisions.
  Apply technical safeguards, ethics controls, and security assessments for AI-enabled products.
- Build documented compliance audit trails to position for leniency.
  Remediation records, training logs, and incident reports reduce penalty exposure under the Administrative Penalty Law.
Operating in China or Transferring Data From China?
DPO Advisors’ international compliance specialists can map your exposure under the CSL, PIPL, and DSL, identify the correct transfer pathway for each data flow, and help you build an audit-ready compliance programme.
DPO Advisors
Published January 2026 · dpoadvisors.com · contact@dpoadvisors.com