Cybersecurity Law of the People's Republic of China
Release time: 2021-01-19
Source: Xinhua
Presidential Order of the People's Republic of China
No. 53
The "Cybersecurity Law of the People's Republic of China" was adopted by the 24th session of the Standing Committee of the 12th National People's Congress of the People's Republic of China on November 7, 2016, and is hereby promulgated, effective from June 1, 2017.
President of the People's Republic of China Xi Jinping
November 7, 2016
Cybersecurity Law of the People's Republic of China
(Adopted at the 24th session of the Standing Committee of the 12th National People's Congress on November 7, 2016)
Table of Contents
Chapter One General Principles
Chapter Two Support and Promotion of Cybersecurity
Chapter Three Security of Network Operations
Section One General Provisions
Section Two Operational Security of Critical Information Infrastructure
Chapter Four Cyber Information Security
Chapter Five Monitoring, Early Warning, and Emergency Response
Chapter Six Legal Responsibilities
Chapter Seven Supplementary Provisions
Chapter One General Principles
Article 1 In order to ensure cybersecurity, maintain sovereignty in cyberspace and national security, protect the legitimate rights and interests of citizens, legal persons, and other organizations, and promote the healthy development of economic and social informatization, this law is formulated.
Article 2 This law applies to the construction, operation, maintenance, and use of networks within the territory of the People's Republic of China, as well as the supervision and management of cybersecurity.
Article 3 The state adheres to the principle of balancing cybersecurity and informatization development, follows the guidelines of actively utilizing, scientifically developing, legally managing, and ensuring safety, promotes the construction and interconnection of network infrastructure, encourages innovation and application of network technology, supports the cultivation of cybersecurity talents, establishes and improves the cybersecurity guarantee system, and enhances cybersecurity protection capabilities.
Article 4 The state formulates and continuously improves cybersecurity strategies, clarifies the basic requirements and main objectives for ensuring cybersecurity, and proposes cybersecurity policies, work tasks, and measures for key areas.
Article 5 The state takes measures to monitor, defend against, and address cybersecurity risks and threats originating from within and outside the People's Republic of China, protects critical information infrastructure from attacks, intrusions, interference, and destruction, punishes illegal and criminal cyber activities according to law, and maintains security and order in cyberspace.
Article 6 The state advocates honest and trustworthy, healthy and civilized online behavior, promotes the dissemination of socialist core values, takes measures to raise the awareness and level of cybersecurity in society, and creates a good environment for the whole society to participate in promoting cybersecurity.
Article 7 The state actively carries out international exchanges and cooperation in areas such as cyberspace governance, network technology research and development, standard formulation, and combating illegal and criminal cyber activities, promotes the construction of a peaceful, secure, open, and cooperative cyberspace, and establishes a multilateral, democratic, and transparent network governance system.
Article 8 The national internet information department is responsible for coordinating cybersecurity work and related supervision and management work. The State Council's telecommunications authorities, public security departments, and other relevant agencies shall, in accordance with this law and relevant laws and administrative regulations, be responsible for cybersecurity protection and supervision and management within their respective responsibilities.
The cybersecurity protection and supervision and management responsibilities of relevant departments of local people's governments at or above the county level shall be determined according to national regulations.
Article 9 Network operators must comply with laws and administrative regulations, respect social ethics, abide by business ethics, act in good faith, fulfill cybersecurity protection obligations, accept government and social supervision, and assume social responsibilities when conducting business and service activities.
Article 10 The construction and operation of networks or the provision of services through networks shall comply with the provisions of laws, administrative regulations, and the mandatory requirements of national standards, and shall take technical measures and other necessary measures to ensure secure and stable network operation, respond effectively to cybersecurity incidents, prevent illegal and criminal cyber activities, and maintain the integrity, confidentiality, and availability of network data.
Article 11 Industry organizations related to networks shall strengthen industry self-discipline according to their charters, formulate cybersecurity behavior norms, guide members to strengthen cybersecurity protection, improve cybersecurity protection levels, and promote healthy industry development.
Article 12 The state protects the rights of citizens, legal persons, and other organizations to use the internet in accordance with the law, promotes the popularization of internet access, improves the level of internet services, provides safe and convenient internet services for society, and ensures the lawful and orderly free flow of internet information.
Any individual or organization using the internet shall abide by the Constitution and laws, respect public order, respect social ethics, shall not endanger cybersecurity, shall not use the internet to engage in activities that endanger national security, honor, and interests, incite the subversion of state power, overthrow the socialist system, incite the division of the country, undermine national unity, promote terrorism, extremism, promote ethnic hatred, ethnic discrimination, disseminate violence, obscene and pornographic information, fabricate and disseminate false information to disrupt economic order and social order, and infringe upon the reputation, privacy, intellectual property rights, and other legitimate rights and interests of others.
Article 13 The state supports the research and development of network products and services that are beneficial to the healthy growth of minors, punishes activities that harm the physical and mental health of minors using the internet according to law, and provides a safe and healthy online environment for minors.
Article 14 Any individual or organization has the right to report behaviors that endanger cybersecurity to internet information, telecommunications, public security, and other departments. The departments receiving the report shall promptly handle it according to law; if it does not fall within the responsibilities of the department, it shall be promptly transferred to the competent department.
Relevant departments shall keep the relevant information of the whistleblower confidential and protect the legitimate rights and interests of the whistleblower.
Chapter Two Support and Promotion of Cybersecurity
Article 15 The state establishes and improves the cybersecurity standard system. The State Council's standardization administrative department and other relevant departments of the State Council shall organize the formulation and timely revision of national standards and industry standards related to cybersecurity management, as well as the security of network products, services, and operations according to their respective responsibilities.
The state supports enterprises, research institutions, universities, and industry organizations related to networks to participate in the formulation of national cybersecurity standards and industry standards.
Article 16 The State Council and the people's governments of provinces, autonomous regions, and municipalities directly under the central government shall plan comprehensively, increase investment, support key cybersecurity technology industries and projects, support the research, development, and application of cybersecurity technology, promote safe and reliable network products and services, protect the intellectual property rights of network technology, and support enterprises, research institutions, and universities to participate in national cybersecurity technology innovation projects.
Article 17 The state promotes the construction of a socialized cybersecurity service system, encouraging relevant enterprises and institutions to carry out cybersecurity certification, testing, and risk assessment and other security services.
Article 18 The state encourages the development of network data security protection and utilization technologies, promotes the opening of public data resources, and drives technological innovation and economic and social development.
The state supports innovative network security management methods, utilizing new network technologies to enhance the level of network security protection.
Article 19 People's governments at all levels and their relevant departments shall organize regular network security publicity and education, and guide and supervise relevant units to carry out network security publicity and education work.
Mass media should conduct targeted network security publicity and education for society.
Article 20 The state supports enterprises and higher education institutions, vocational schools, and other educational training institutions to carry out education and training related to network security, adopting various methods to cultivate network security talents and promote the exchange of network security talents.
Chapter Three Security of Network Operations
Section One General Provisions
Article 21 The state implements a network security level protection system. Network operators shall fulfill the following security protection obligations in accordance with the requirements of the network security level protection system, ensuring that the network is protected from interference, destruction, or unauthorized access, and preventing network data from being leaked, stolen, or tampered with:
(1) Establish internal security management systems and operating procedures, determine the person responsible for network security, and implement network security protection responsibilities;
(2) Take technical measures to prevent computer viruses, network attacks, network intrusions, and other harmful behaviors to network security;
(3) Take technical measures to monitor and record the network operation status and network security incidents, and retain relevant network logs for no less than six months as required;
(4) Take measures such as data classification, important data backup, and encryption;
(5) Other obligations stipulated by laws and administrative regulations.
Article 22 Network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services shall not set up malicious programs; when they discover that their network products and services have security defects, vulnerabilities, and other risks, they shall immediately take remedial measures, timely inform users as required, and report to the relevant competent authorities.
Providers of network products and services shall continuously provide security maintenance for their products and services; they shall not terminate the provision of security maintenance within the specified period or as agreed by the parties.
If network products and services have the function of collecting user information, their providers shall clearly inform users and obtain consent; if it involves users' personal information, they shall also comply with this law and relevant laws and administrative regulations regarding personal information protection.
Article 23 Network critical equipment and network security special products shall be sold or provided only after being certified as safe by qualified institutions or passing safety testing in accordance with the mandatory requirements of relevant national standards. The national internet information department, in conjunction with relevant departments of the State Council, shall formulate and publish a catalog of network critical equipment and network security special products, and promote mutual recognition of safety certification and safety testing results to avoid repeated certification and testing.
Article 24 When network operators handle network access, domain name registration services, fixed-line telephone, mobile phone, and other network access procedures, or provide users with information publishing, instant messaging, and other services, they shall require users to provide true identity information when signing agreements or confirming the provision of services. If users do not provide true identity information, network operators shall not provide them with relevant services.
The state implements a trusted identity strategy for the network, supports the research and development of secure and convenient electronic identity authentication technologies, and promotes mutual recognition between different electronic identity authentications.
Article 25 Network operators shall formulate emergency plans for network security incidents, promptly address security risks such as system vulnerabilities, computer viruses, network attacks, and network intrusions; in the event of incidents that harm network security, they shall immediately activate emergency plans, take corresponding remedial measures, and report to the relevant competent authorities as required.
Article 26 Engaging in network security certification, testing, risk assessment, and other activities, and publishing information on system vulnerabilities, computer viruses, network attacks, network intrusions, etc., shall comply with national regulations.
Article 27 No individual or organization shall engage in illegal activities such as unauthorized intrusion into others' networks, interfering with the normal functions of others' networks, stealing network data, and other activities that harm network security; they shall not provide programs or tools specifically used for engaging in activities that harm network security, such as intruding into networks, interfering with normal network functions, and stealing network data; knowing that others are engaged in activities that harm network security, they shall not provide technical support, advertising promotion, payment settlement, and other assistance.
Article 28 Network operators shall provide technical support and assistance to public security organs and national security organs in accordance with the law to maintain national security and investigate crimes.
Article 29 The state supports cooperation among network operators in the collection, analysis, reporting, and emergency response of network security information to enhance the security assurance capabilities of network operators.
Relevant industry organizations shall establish and improve network security protection norms and cooperation mechanisms in their industry, strengthen the analysis and assessment of network security risks, regularly issue risk warnings to members, and support and assist members in responding to network security risks.
Article 30 The information obtained by the internet information department and relevant departments in the performance of network security protection duties may only be used for the needs of maintaining network security and shall not be used for other purposes.
Section Two Operational Security of Critical Information Infrastructure
Article 31 The state implements key protection for critical information infrastructure in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other critical information infrastructure that, if damaged, loses functionality, or leaks data, may seriously endanger national security, the economy, people's livelihood, and public interests, based on the network security level protection system. The specific scope and security protection measures for critical information infrastructure shall be formulated by the State Council.
The state encourages network operators outside of critical information infrastructure to voluntarily participate in the critical information infrastructure protection system.
Article 32 According to the division of responsibilities stipulated by the State Council, the departments responsible for the security protection of critical information infrastructure shall prepare and organize the implementation of security plans for critical information infrastructure in their industry and field, and guide and supervise the safe operation protection work of critical information infrastructure.
Article 33 The construction of critical information infrastructure shall ensure that it has the performance to support stable and continuous business operations, and ensure that security technical measures are planned, constructed, and used simultaneously.
Article 34 In addition to the provisions of Article 21 of this law, operators of critical information infrastructure shall also fulfill the following security protection obligations:
(1) Establish dedicated security management institutions and security management personnel, and conduct security background checks on those personnel and on personnel in key positions;
(2) Regularly conduct network security education, technical training, and skill assessments for employees;
(3) Conduct disaster recovery backups for important systems and databases;
(4) Formulate emergency plans for network security incidents and conduct regular drills;
(5) Other obligations stipulated by laws and administrative regulations.
Article 35 Operators of critical information infrastructure purchasing network products and services that may affect national security shall undergo national security review organized by the national internet information department in conjunction with relevant departments of the State Council.
Article 36 The operators of critical information infrastructure shall procure network products and services in accordance with regulations and sign confidentiality agreements with providers to clarify security and confidentiality obligations and responsibilities.
Article 37 The personal information and important data collected and generated by the operators of critical information infrastructure during operations within the territory of the People's Republic of China shall be stored within the territory. If it is necessary to provide it overseas due to business needs, a security assessment shall be conducted in accordance with the methods formulated by the national internet information department in conjunction with relevant departments of the State Council; if there are other provisions in laws and administrative regulations, those provisions shall be followed.
Article 38 The operators of critical information infrastructure shall conduct security assessments of their networks at least once a year, either by themselves or by entrusting cybersecurity service agencies, and shall report the assessment results and improvement measures to the relevant departments responsible for the security protection of critical information infrastructure.
Article 39 The national internet information department shall coordinate relevant departments to take the following measures for the security protection of critical information infrastructure:
(1) Conduct random inspections of the security risks of critical information infrastructure, propose improvement measures, and if necessary, entrust cybersecurity service agencies to assess the security risks present in the network;
(2) Regularly organize emergency drills for the operators of critical information infrastructure to improve their ability to respond to cybersecurity incidents and coordinate effectively;
(3) Promote information sharing on cybersecurity among relevant departments, operators of critical information infrastructure, and relevant research institutions and cybersecurity service agencies;
(4) Provide technical support and assistance for emergency response to cybersecurity incidents and the recovery of network functions.
Chapter Four Cyber Information Security
Article 40 Network operators shall keep the user information they collect strictly confidential and establish and improve the user information protection system.
Article 41 When network operators collect and use personal information, they shall follow the principles of legality, legitimacy, and necessity, publicly disclose the rules for collection and use, clearly state the purpose, method, and scope of information collection and use, and obtain the consent of the individuals from whom the information is collected.
Network operators shall not collect personal information unrelated to the services they provide, shall not collect or use personal information in violation of laws, administrative regulations, and agreements between both parties, and shall handle the personal information they retain in accordance with laws, administrative regulations, and agreements with users.
Article 42 Network operators shall not disclose, tamper with, or destroy the personal information they collect; without the consent of the individuals from whom the information is collected, they shall not provide personal information to others. However, this does not apply to information that has been processed in such a way that specific individuals cannot be identified and cannot be restored.
Network operators shall take technical measures and other necessary measures to ensure the security of the personal information they collect, preventing information leakage, damage, and loss. Where personal information leakage, damage, or loss occurs or may occur, they shall immediately take remedial measures, promptly inform users as required, and report to the relevant supervisory authorities.
Article 43 Individuals who find that network operators have violated laws, administrative regulations, or agreements between both parties in collecting or using their personal information have the right to request the deletion of their personal information; if they find that the personal information collected and stored by network operators is incorrect, they have the right to request correction. Network operators shall take measures to delete or correct the information.
Article 44 No individual or organization shall steal or otherwise illegally obtain personal information, nor shall they illegally sell or provide personal information to others.
Article 45 Departments and their staff that are legally responsible for cybersecurity supervision and management must keep strictly confidential the personal information, privacy, and trade secrets they become aware of while performing their duties, and shall not disclose, sell, or illegally provide them to others.
Article 46 Any individual or organization shall be responsible for their use of the internet, and shall not establish websites or communication groups for the purpose of committing fraud, teaching criminal methods, producing or selling prohibited items, controlled items, or engaging in other illegal activities, nor shall they use the internet to publish information related to committing fraud, producing or selling prohibited items, controlled items, and other illegal activities.
Article 47 Network operators shall strengthen the management of the information published by their users, and if they discover information that is prohibited from being published or transmitted by laws or administrative regulations, they shall immediately stop transmitting that information, take measures to eliminate it, prevent information dissemination, keep relevant records, and report to the relevant supervisory authorities.
Article 48 Electronic information sent by any individual or organization, and application software provided, shall not contain malicious programs, nor shall they contain information that is prohibited from being published or transmitted by laws or administrative regulations.
Electronic information sending service providers and application software download service providers shall fulfill their security management obligations, and if they know that their users are engaging in the behaviors specified in the previous paragraph, they shall stop providing services, take measures to eliminate the issues, keep relevant records, and report to the relevant supervisory authorities.
Article 49 Network operators shall establish a complaint and reporting system for network information security, publish information on complaint and reporting methods, and promptly handle and address complaints and reports related to network information security.
Network operators shall cooperate with the supervision and inspection carried out by the internet information department and relevant departments in accordance with the law.
Article 50 The national internet information department and relevant departments shall perform their duties of cybersecurity supervision and management in accordance with the law, and if they discover information that is prohibited from being published or transmitted by laws or administrative regulations, they shall require network operators to stop transmission, take measures to eliminate the issues, and keep relevant records; for information originating from outside the People's Republic of China, they shall notify relevant agencies to take technical measures and other necessary measures to block dissemination.
Chapter Five Monitoring, Early Warning, and Emergency Response
Article 51 The state shall establish a network security monitoring, early warning, and information reporting system. The national internet information department shall coordinate relevant departments to strengthen the collection, analysis, and reporting of cybersecurity information, and shall uniformly publish cybersecurity monitoring and early warning information as required.
Article 52 Departments responsible for the security protection of critical information infrastructure shall establish and improve the network security monitoring, early warning, and information reporting system in their industry and field, and shall report network security monitoring and early warning information as required.
Article 53 The national internet information department shall coordinate relevant departments to establish and improve the network security risk assessment and emergency work mechanism, formulate emergency plans for cybersecurity incidents, and regularly organize drills.
Departments responsible for the security protection of critical information infrastructure shall formulate emergency plans for cybersecurity incidents in their industry and field, and regularly organize drills.
Emergency plans for cybersecurity incidents shall classify cybersecurity incidents based on the degree of harm, scope of impact, and other factors after the occurrence of the incident, and specify corresponding emergency response measures.
Article 54 When the risk of cybersecurity incidents increases, relevant departments of the people's government at or above the provincial level shall take the following measures in accordance with their prescribed authority and procedures, and based on the characteristics of cybersecurity risks and the potential harm they may cause:
(1) Require relevant departments, agencies, and personnel to promptly collect and report relevant information, and strengthen monitoring of cybersecurity risks;
(2) Organize relevant departments, institutions, and professionals to analyze and assess cybersecurity risk information, predicting the likelihood of incidents, the scope of impact, and the degree of harm;
(3) Release cybersecurity risk warnings to the public, announcing measures to avoid or mitigate harm.
Article 55 In the event of a cybersecurity incident, an emergency response plan for cybersecurity incidents should be immediately activated to investigate and assess the incident, requiring network operators to take technical measures and other necessary actions to eliminate security risks, prevent the expansion of harm, and promptly release warning information related to the public.
Article 56 If relevant departments of the provincial government or above discover significant security risks in the network or experience security incidents while performing cybersecurity supervision and management duties, they may conduct interviews with the legal representatives or main responsible persons of the network operators according to prescribed authority and procedures. Network operators shall take measures as required to rectify and eliminate hidden dangers.
Article 57 In the event of a sudden incident or production safety accident due to a cybersecurity incident, it shall be handled in accordance with the provisions of the "Emergency Response Law of the People's Republic of China," the "Production Safety Law of the People's Republic of China," and other relevant laws and administrative regulations.
Article 58 In order to maintain national security and social public order, if necessary to handle major sudden social security incidents, temporary measures such as restrictions on network communication may be taken in specific areas as decided or approved by the State Council.
Chapter Six Legal Responsibilities
Article 59 If network operators fail to fulfill the cybersecurity protection obligations stipulated in Articles 21 and 25 of this law, they shall be ordered to correct by the relevant competent department and given a warning; if they refuse to correct or cause consequences that harm network security, they shall be fined between 10,000 and 100,000 yuan, and the directly responsible supervisors shall be fined between 5,000 and 50,000 yuan.
If the operators of critical information infrastructure fail to fulfill the cybersecurity protection obligations stipulated in Articles 33, 34, 36, and 38 of this law, they shall be ordered to correct by the relevant competent department and given a warning; if they refuse to correct or cause consequences that harm network security, they shall be fined between 100,000 and 1,000,000 yuan, and the directly responsible supervisors shall be fined between 10,000 and 100,000 yuan.
Article 60 Those who violate the provisions of the first and second paragraphs of Article 22 and the first paragraph of Article 48, and engage in any of the following behaviors, shall be ordered to correct by the relevant competent department and given a warning; if they refuse to correct or cause consequences that harm network security, they shall be fined between 50,000 and 500,000 yuan, and the directly responsible supervisors shall be fined between 10,000 and 100,000 yuan:
(1) Setting up malicious programs;
(2) Failing to take immediate remedial measures for security defects, vulnerabilities, and other risks in their products and services, or failing to inform users in a timely manner and report to the relevant competent department as required;
(3) Unilaterally terminating security maintenance for their products and services.
Article 61 If network operators violate the provisions of the first paragraph of Article 24 by not requiring users to provide real identity information, or providing services to users who do not provide real identity information, they shall be ordered to correct by the relevant competent department; if they refuse to correct or the circumstances are serious, they shall be fined between 50,000 and 500,000 yuan, and the relevant competent department may order the suspension of related businesses, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses, and impose fines of between 10,000 and 100,000 yuan on the directly responsible supervisors and other directly responsible personnel.
Article 62 Those who violate the provisions of Article 26 of this law by engaging in activities such as cybersecurity certification, testing, risk assessment, or releasing information related to system vulnerabilities, computer viruses, network attacks, and network intrusions to the public shall be ordered to correct by the relevant competent department and given a warning; if they refuse to correct or the circumstances are serious, they shall be fined between 10,000 and 100,000 yuan, and the relevant competent department may order the suspension of related businesses, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses, and impose fines of between 5,000 and 50,000 yuan on the directly responsible supervisors and other directly responsible personnel.
Article 63 Those who violate the provisions of Article 27 of this law by engaging in activities that harm network security, or providing programs or tools specifically used for activities that harm network security, or providing technical support, advertising promotion, payment settlement, and other assistance for others engaging in activities that harm network security, and do not constitute a crime, shall have their illegal gains confiscated by the public security organs, and may be detained for up to five days, and fined between 50,000 and 500,000 yuan; if the circumstances are more serious, they may be detained for more than five days and less than fifteen days, and fined between 100,000 and 1,000,000 yuan.
If an entity engages in the above-mentioned behavior, the public security organs shall confiscate the illegal gains, impose a fine between 100,000 and 1,000,000 yuan, and punish the directly responsible supervisors and other directly responsible personnel according to the provisions of the previous paragraph.
Those who violate the provisions of Article 27 of this law and are subject to public security management penalties shall not engage in cybersecurity management and key positions in network operation for five years; those who are subject to criminal penalties shall not engage in cybersecurity management and key positions in network operation for life.
Article 64 If network operators or providers of network products or services violate the provisions of the third paragraph of Article 22, Articles 41 to 43, and infringe upon the rights of individuals to have their personal information protected by law, they shall be ordered to correct by the relevant competent department, and may be warned, have illegal gains confiscated, and fined between one and ten times the illegal gains; if there are no illegal gains, they shall be fined up to 1,000,000 yuan, and the directly responsible supervisors and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan; if the circumstances are serious, they may be ordered to suspend related businesses, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses.
Those who violate the provisions of Article 44 of this law by stealing or otherwise illegally obtaining, illegally selling, or illegally providing personal information to others, and do not constitute a crime, shall have their illegal gains confiscated by the public security organs, and fined between one and ten times the illegal gains; if there are no illegal gains, they shall be fined up to 1,000,000 yuan.
Article 65 If the operators of critical information infrastructure violate the provisions of Article 35 of this law by using network products or services that have not undergone security review or have failed security review, they shall be ordered by the relevant competent department to stop using them and fined between one and ten times the procurement amount; the directly responsible supervisors and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan.
Article 66 If the operators of critical information infrastructure violate the provisions of Article 37 of this law by storing network data abroad or providing network data to foreign entities, they shall be ordered to correct by the relevant competent department, given a warning, have illegal gains confiscated, and fined between 50,000 and 500,000 yuan, and may be ordered to suspend related businesses, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses; the directly responsible supervisors and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan.
Article 67 Those who violate the provisions of Article 46 of this law by establishing websites or communication groups for illegal activities, or using the internet to publish information related to illegal activities, and do not constitute a crime, shall be detained for up to five days by the public security organs, and may be fined between 10,000 and 100,000 yuan; if the circumstances are more serious, they may be detained for more than five days and less than fifteen days, and fined between 50,000 and 500,000 yuan. Websites or communication groups used for illegal activities shall be closed.
If an entity engages in the behavior mentioned in the previous paragraph, the public security organ shall impose a fine of not less than 100,000 yuan and not more than 500,000 yuan, and punish the directly responsible supervisors and other directly responsible personnel according to the provisions of the previous paragraph.
Article 68 If network operators violate the provisions of Article 47 of this law and fail to stop the transmission, take removal and other disposal measures, or preserve relevant records for information that is prohibited from being published or transmitted by laws and administrative regulations, the relevant competent department shall order correction, give a warning, and confiscate illegal gains; if they refuse to correct or the circumstances are serious, they shall be fined not less than 100,000 yuan and not more than 500,000 yuan, and may be ordered to suspend relevant business, conduct business rectification, close the website, revoke relevant business licenses or revoke the business license, and impose a fine of not less than 10,000 yuan and not more than 100,000 yuan on the directly responsible supervisors and other directly responsible personnel.
Electronic information sending service providers and application software download service providers that do not fulfill the security management obligations stipulated in the second paragraph of Article 48 of this law shall be punished according to the provisions of the previous paragraph.
Article 69 If network operators violate the provisions of this law and have any of the following behaviors, the relevant competent department shall order correction; if they refuse to correct or the circumstances are serious, they shall be fined not less than 50,000 yuan and not more than 500,000 yuan, and impose a fine of not less than 10,000 yuan and not more than 100,000 yuan on the directly responsible supervisors and other directly responsible personnel:
(1) Failing to stop transmission, remove, or take other disposal measures for information that is prohibited from being published or transmitted by laws and administrative regulations, as required by relevant departments;
(2) Refusing or obstructing the supervision and inspection carried out by relevant departments in accordance with the law;
(3) Refusing to provide technical support and assistance to public security organs and national security organs.
Article 70 Publishing or transmitting information prohibited from being published or transmitted by the second paragraph of Article 12 of this law and other laws and administrative regulations shall be punished according to the relevant laws and administrative regulations.
Article 71 Those who commit illegal acts as stipulated in this law shall be recorded in the credit file according to the relevant laws and administrative regulations and made public.
Article 72 If the operator of the government affairs network of state organs fails to fulfill the network security protection obligations stipulated in this law, their superior organ or relevant organ shall order correction; and the directly responsible supervisors and other directly responsible personnel shall be punished according to law.
Article 73 If the Cyberspace Administration and relevant departments violate the provisions of Article 30 of this law and use the information obtained in the performance of network security protection duties for other purposes, the directly responsible supervisors and other directly responsible personnel shall be punished according to law.
If the staff of the Cyberspace Administration and relevant departments neglect their duties, abuse their powers, or engage in favoritism and corruption, and it does not constitute a crime, they shall be punished according to law.
Article 74 Those who violate the provisions of this law and cause damage to others shall bear civil liability according to law.
Those who violate the provisions of this law and constitute violations of public security management shall be punished according to public security management laws; those who constitute crimes shall be investigated for criminal responsibility according to law.
Article 75 Foreign institutions, organizations, and individuals engaged in activities that attack, invade, interfere with, or destroy critical information infrastructure of the People's Republic of China, causing serious consequences, shall be held legally responsible; the public security department of the State Council and relevant departments may also decide to freeze the property of such institutions, organizations, and individuals or take other necessary sanctions.
Chapter Seven Supplementary Provisions
Article 76 The meanings of the following terms in this law are as follows:
(1) Network refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information according to certain rules and procedures.
(2) Network security refers to the ability to maintain the stability and reliability of the network through necessary measures to prevent attacks, invasions, interference, destruction, and illegal use of the network, as well as accidents, and to ensure the integrity, confidentiality, and availability of network data.
(3) Network operator refers to the owner, manager, and service provider of the network.
(4) Network data refers to various electronic data collected, stored, transmitted, processed, and generated through the network.
(5) Personal information refers to various information that can identify the personal identity of a natural person, recorded in electronic or other forms, including but not limited to the natural person's name, date of birth, identification document number, personal biometric information, address, telephone number, etc.
Article 77 The operation security protection of networks involving state secret information shall comply with the provisions of confidentiality laws and administrative regulations in addition to this law.
Article 78 The security protection of military networks shall be separately provided by the Central Military Commission.
Article 79 This law shall take effect from June 1, 2017.