China’s amended Cybersecurity Law, fully effective from 1 January 2026, marks a significant escalation in regulatory expectations around network security, data governance, and operational resilience. The revised framework increases enforcement powers, raises financial penalties, and introduces greater personal accountability for responsible individuals. Among the most notable changes is the increase in personal fines of up to RMB 1 million for individuals found responsible for serious cybersecurity violations. This development reflects a clear regulatory shift toward holding senior management directly accountable for control failures, rather than limiting consequences to corporate entities alone.
The amended law also expands its extraterritorial reach, meaning organisations located outside China may fall within scope where their activities affect China’s national security, critical information infrastructure, or the rights and interests of Chinese citizens. This broadened jurisdiction aligns with global regulatory trends that assert oversight based on impact rather than geography. For multinational institutions, digital service providers, and financial firms with cross-border operations, the implications extend beyond physical presence in China. Cloud services, data transfers, digital platforms, and supply-chain relationships may now trigger compliance obligations under the revised framework.
Enforcement authorities have been granted enhanced investigative and corrective powers, including stronger inspection rights, remedial orders, and escalating penalties for repeat or serious violations. The law reinforces the expectation that cybersecurity is not a static requirement but a continuous governance responsibility. Organisations must demonstrate that systems are appropriately designed, implemented, monitored, and tested, rather than relying on reactive remediation after incidents occur.
For financial institutions, the revised law carries particular weight. Banks and payment providers process high volumes of sensitive data and operate systems that are critical to economic stability. Weak cybersecurity controls can expose institutions to fraud, data breaches, identity misuse, and cross-border illicit financial flows. The law therefore intersects directly with AML and financial crime frameworks, reinforcing the need for integrated governance between compliance, information security, and operational risk functions.
The introduction of higher personal fines signals a broader accountability message. Cybersecurity oversight is now firmly a board and senior management issue. Leaders are expected to ensure adequate resourcing, effective internal controls, regular risk assessments, and prompt incident response mechanisms. Treating cybersecurity as purely a technical matter delegated to IT departments is no longer defensible under the revised regime.
China’s strengthened Cybersecurity Law reflects an increasingly assertive approach to digital regulation and risk management. For institutions operating within or connected to China’s digital ecosystem, proactive review of governance structures, data management practices, vendor oversight, and cross-border operations is essential. The regulatory expectation is clear: cybersecurity compliance must be embedded at the highest levels of organisational decision-making, with meaningful consequences for failure.