Cybersecurity Law of the People's Republic of China

（ (Adopted at the 24th Meeting of the Standing Committee of the Twelfth National People's Congress on November 7, 2016)

　Table of Contents

　　Chapter 1 General Provisions

　　Chapter 2 Support and Promotion of Cybersecurity

　　Chapter 3 Network Operational Security

         Section 1 General Provisions

         Section 2 Operational Security of Critical Information Infrastructure

　　Chapter 4 Network Information Security

　　Chapter 5 Monitoring, Early Warning and Emergency Response

　　Chapter 6 Legal Liabilities

　　Chapter 7 Supplementary Provisions

 

Chapter 1 General Provisions

　　Article 1 This Law is formulated to safeguard cybersecurity, uphold cyberspace sovereignty and national security, and social public interests, protect the legitimate rights and interests of citizens, legal persons, and other organizations, and promote the healthy development of economic and social informatization.

　Article 2 　This Law applies to the construction, operation, maintenance, and use of networks within the territory of the People's Republic of China, as well as the supervision and administration of cybersecurity.

Article 3 　The state adheres to the principle of giving equal importance to cybersecurity and informatization development, following the principles of active utilization, scientific development, management according to law, and ensuring security; promoting the construction and interconnection of network infrastructure; encouraging network technology innovation and application; supporting the cultivation of cybersecurity personnel; establishing and improving a cybersecurity guarantee system; and enhancing cybersecurity protection capabilities.

　Article 4 　The state formulates and continuously improves the cybersecurity strategy, clarifying the basic requirements and main objectives for ensuring cybersecurity, and proposing cybersecurity policies, tasks, and measures for key areas.

Article 5 　The state takes measures to monitor, defend against, and handle cybersecurity risks and threats originating from both inside and outside the People's Republic of China, protecting critical information infrastructure from attacks, intrusions, interference, and destruction; punishing cybercrime in accordance with the law; and maintaining cybersecurity and order in cyberspace.

　　Article 6 　The state advocates honest and trustworthy, healthy and civilized online behavior, promoting the dissemination of socialist core values, and taking measures to improve the cybersecurity awareness and level of the whole society, to create a good environment where the whole society participates in promoting cybersecurity.

Article 7 　The state actively carries out international exchanges and cooperation in cyberspace governance, network technology research and development, standard setting, and combating cybercrime, promoting the construction of a peaceful, secure, open, and cooperative cyberspace and establishing a multilateral, democratic, and transparent cyberspace governance system.

Article 8 　The state cyberspace administration department is responsible for the overall coordination of cybersecurity work and related supervision and management. The State Council's telecommunications authority, public security department, and other relevant organs are responsible for cybersecurity protection and supervision and management within their respective duties in accordance with this Law and relevant laws and administrative regulations.

　　The responsibilities of the relevant departments of the people's governments at or above the county level for cybersecurity protection and supervision and management shall be determined in accordance with relevant national regulations.

　Article 9 　Network operators must abide by laws, administrative regulations, respect social morality, abide by business ethics, be honest and trustworthy, fulfill their cybersecurity protection obligations, accept government and social supervision, and assume social responsibilities when carrying out business and service activities.

　Article 10 　The construction and operation of networks or the provision of services through networks shall, in accordance with the provisions of laws, administrative regulations, and the mandatory requirements of national standards, adopt technical measures and other necessary measures to ensure network security and stable operation, effectively respond to network security incidents, prevent network illegal and criminal activities, and maintain the integrity, confidentiality, and availability of network data.

Article 11 　Network-related industry organizations shall, in accordance with their articles of association, strengthen industry self-discipline, formulate network security behavior standards, guide members to strengthen network security protection, improve the level of network security protection, and promote the healthy development of the industry.

　　Article 12 　The state protects the rights of citizens, legal persons, and other organizations to use networks in accordance with the law, promotes the popularization of network access, improves the level of network services, provides safe and convenient network services for society, and guarantees the lawful, orderly, and free flow of network information.

　　Any individual or organization using the network shall abide by the Constitution and laws, maintain public order, respect social morality, and shall not endanger network security, and shall not use the network to engage in activities that endanger national security, honor and interests; incite the subversion of state power or the overthrow of the socialist system; incite separatism or undermine national unity; promote terrorism or extremism; promote ethnic hatred or ethnic discrimination; disseminate violent or pornographic information; fabricate or spread false information to disrupt economic order and social order; and infringe upon the reputation, privacy, intellectual property rights, and other legitimate rights and interests of others.

Article 13 The state supports the research and development of network products and services conducive to the healthy growth of minors, punishes activities that use networks to harm the physical and mental health of minors in accordance with the law, and provides a safe and healthy network environment for minors.

Article 14 　Any individual or organization has the right to report acts that endanger network security to the cyberspace administration, telecommunications, and public security departments. Departments receiving such reports shall promptly handle them in accordance with the law; those that are not within the jurisdiction of the department shall be promptly transferred to the department with the authority to handle them.

　　Relevant departments shall keep confidential the relevant information of the informant and protect the legitimate rights and interests of the informant.

          Chapter 2 Support and Promotion of Cybersecurity

　Article 15 　The state establishes and improves the cybersecurity standards system. The State Council's standardization administrative department and other relevant departments of the State Council, in accordance with their respective responsibilities, organize the formulation and timely revision of national standards and industry standards concerning cybersecurity management and the security of network products, services, and operations.

　　The state supports enterprises, research institutions, universities, and network-related industry organizations in participating in the formulation of national and industry standards for cybersecurity.

　Article 16 The State Council and the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall make overall plans, increase investment, support key cybersecurity technology industries and projects, support the research and development and application of cybersecurity technology, promote safe and reliable network products and services, protect network technology intellectual property rights, and support enterprises, research institutions, and universities in participating in national cybersecurity technology innovation projects.

Article 17 　The state promotes the construction of a socialized cybersecurity service system and encourages relevant enterprises and institutions to conduct cybersecurity certification, detection, and risk assessment and other security services.

Article 18 　The state encourages the development of technologies for the protection and utilization of network data security, promotes the opening up of public data resources, and drives technological innovation and socio-economic development.

　　The state supports innovative methods of network security management, utilizes new network technologies, and improves the level of network security protection.

Article 19 　All levels of people's governments and their relevant departments should organize and carry out regular network security publicity and education, and guide and supervise relevant units to do a good job in network security publicity and education.

　　Mass media should carry out targeted network security publicity and education to the public.

Article 20 　The state supports enterprises and educational and training institutions such as universities and vocational schools in carrying out network security-related education and training, adopts various methods to cultivate network security talents, and promotes the exchange of network security talents.

Chapter 3 Network Operation Security

Section 1 General Provisions

Article 21 The state implements a network security graded protection system. Network operators should, in accordance with the requirements of the network security graded protection system, fulfill the following security protection obligations, ensuring that the network is free from interference, destruction, or unauthorized access, and preventing network data leakage or theft and tampering:

(1) Formulate internal security management systems and operating procedures, determine the person in charge of network security, and implement network security protection responsibilities;

(2) Adopt technical measures to prevent computer viruses and network attacks, network intrusions, and other behaviors that endanger network security;

(3) Adopt technical measures to monitor and record the network operating status and network security events, and retain relevant network logs for no less than six months as stipulated;

(4) Adopt measures such as data classification, backup of important data, and encryption;

(5) Other obligations as prescribed by laws and administrative regulations.

Article 22 Network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services shall not set up malicious programs; when they find that their network products and services have security defects, vulnerabilities, or other risks, they shall immediately take remedial measures, inform users in a timely manner as stipulated, and report to the relevant competent departments.

Providers of network products and services shall continuously provide security maintenance for their products and services; they shall not terminate the provision of security maintenance within the stipulated period or the period agreed upon by the parties.

If network products and services have the function of collecting user information, their providers shall explicitly inform users and obtain their consent; if they involve users' personal information, they shall also comply with the provisions of this law and relevant laws and administrative regulations on personal information protection.

Article 23 Network key equipment and network security-specific products shall meet the mandatory requirements of relevant national standards and be certified by qualified institutions or their safety testing shall meet the requirements before they can be sold or provided. The State Cyberspace Administration, in conjunction with relevant departments of the State Council, shall formulate and publish a catalog of network key equipment and network security-specific products, and promote mutual recognition of safety certification and safety testing results to avoid repeated certification and testing.

Article 24 When network operators handle network access and domain name registration services for users, handle the network access procedures for fixed-line telephones, mobile phones, etc., or provide users with information publishing, instant messaging, and other services, they shall request users to provide real identity information when signing agreements with users or confirming the provision of services. If users do not provide real identity information, network operators shall not provide them with relevant services.

The state implements a network trustworthy identity strategy, supports research and development of safe and convenient electronic identity authentication technologies, and promotes mutual recognition among different electronic identity authentications.

Article 25 Network operators shall formulate contingency plans for network security incidents, promptly deal with system vulnerabilities, computer viruses, network attacks, network intrusions, and other security risks; in the event of incidents that endanger network security, they shall immediately initiate contingency plans, take corresponding remedial measures, and report to the relevant competent departments as stipulated.

Article 26 The activities of conducting network security certification, detection, risk assessment, and publishing network security information such as system vulnerabilities, computer viruses, network attacks, and network intrusions to the public shall comply with relevant national regulations.

Article 27 No individual or organization shall engage in illegal activities that endanger network security, such as illegally intruding into others' networks, disrupting the normal functions of others' networks, and stealing network data; they shall not provide programs and tools specifically used for engaging in activities that endanger network security, such as intruding into networks, disrupting the normal functions of networks and protective measures, and stealing network data; those who knowingly assist others in engaging in activities that endanger network security shall not provide them with technical support, advertising promotion, payment settlement, and other assistance.

Article 28 Network operators shall provide technical support and assistance to public security organs and state security organs in their lawful activities to maintain national security and investigate crimes.

Article 29 The state supports cooperation among network operators in the collection, analysis, reporting, and emergency handling of network security information to improve the security protection capabilities of network operators.

Relevant industry organizations shall establish and improve network security protection standards and cooperation mechanisms within their industries, strengthen the analysis and assessment of network security risks, regularly issue risk warnings to members, and support and assist members in responding to network security risks.

Article 30 Information obtained by the cyberspace administration department and relevant departments in performing their network security protection duties shall only be used for the needs of maintaining network security and shall not be used for other purposes.

Section 2 Operational Security of Critical Information Infrastructure

Article 31 The state, on the basis of the network security graded protection system, implements key protection for important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other critical information infrastructures that, once destroyed, lose their functions, or have data leakage, may seriously endanger national security, national economy and people's livelihood, and public interests. The specific scope and security protection measures for critical information infrastructure shall be formulated by the State Council.

The state encourages network operators outside of critical information infrastructure to voluntarily participate in the critical information infrastructure protection system.

Article 32 According to the division of responsibilities stipulated by the State Council, the departments responsible for the safety protection of critical information infrastructure shall respectively compile and organize the implementation of the safety plans for critical information infrastructure in their respective industries and fields, guide and supervise the operational safety protection work of critical information infrastructure.

Article 33 The construction of critical information infrastructure should ensure that it has the performance to support stable and continuous operation of the business, and guarantee that security technical measures are planned, constructed, and used synchronously.

Article 34 In addition to the provisions of Article 21 of this Law, operators of critical information infrastructure shall also fulfill the following security protection obligations:

(1) Establish a specialized security management institution and a security management person in charge, and conduct security background checks on the person in charge and personnel in key positions;

(2) Regularly conduct cybersecurity education, technical training, and skills assessments for employees;

(3) Perform disaster recovery backups of important systems and databases;

(4) Develop contingency plans for cybersecurity incidents and conduct regular drills;

(5) Other obligations as prescribed by laws and administrative regulations.

Article 35 Operators of critical information infrastructure who procure network products and services that may affect national security shall undergo national security review organized by the national cyberspace administration department in conjunction with the relevant departments of the State Council.

Article 36 Operators of critical information infrastructure shall, in accordance with regulations, sign security and confidentiality agreements with providers of network products and services, clearly defining security and confidentiality obligations and responsibilities.

Article 37 Personal information and important data collected and generated by operators of critical information infrastructure during operation within the People's Republic of China shall be stored within the country. If it is necessary to provide such data to foreign countries due to business needs, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration department in conjunction with the relevant departments of the State Council; where other provisions are stipulated by laws and administrative regulations, such provisions shall prevail.

Article 38 Operators of critical information infrastructure shall, by themselves or by entrusting network security service institutions, conduct at least one annual detection and assessment of the security and potential risks of their networks, and submit the detection and assessment results and improvement measures to the relevant departments responsible for the security protection of critical information infrastructure.

Article 39 The national cyberspace administration department shall coordinate with relevant departments to take the following measures for the security protection of critical information infrastructure:

(1) Conduct random checks and inspections of the security risks of critical information infrastructure, propose improvement measures, and, if necessary, entrust network security service institutions to conduct detection and assessment of existing security risks;

(2) Regularly organize operators of critical information infrastructure to conduct cybersecurity emergency drills to improve their ability to respond to cybersecurity incidents and their ability to coordinate and cooperate;

(3) Promote the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure, and relevant research institutions and network security service institutions;

(4) Provide technical support and assistance for emergency handling of cybersecurity incidents and restoration of network functions.

Chapter 4 Network Information Security

Article 40 Network operators shall strictly protect the confidentiality of user information they collect and establish and improve a system for the protection of user information.

Article 41 Network operators shall collect and use personal information in accordance with the principles of legality, legitimacy, and necessity, publicly disclosing the rules for collecting and using information, explicitly stating the purpose, methods, and scope of collecting and using information, and obtaining the consent of the collected person.

Network operators shall not collect personal information unrelated to the services they provide, nor shall they collect or use personal information in violation of laws, administrative regulations, and agreements between the parties; they shall process the personal information they hold in accordance with the provisions of laws and administrative regulations and agreements with users.

Article 42 Network operators shall not leak, tamper with, or damage the personal information they collect; they shall not provide personal information to others without the consent of the collected person. However, this does not apply to information that has been processed to the point that it cannot identify specific individuals and cannot be restored.

Network operators shall take technical measures and other necessary measures to ensure the security of the personal information they collect, preventing information leakage, damage, and loss. In the event of or the potential for personal information leakage, damage, or loss, they shall immediately take remedial measures, promptly inform users in accordance with regulations, and report to the relevant competent authorities.

Article 43 If an individual finds that a network operator has collected or used their personal information in violation of laws, administrative regulations, or agreements between the parties, they have the right to require the network operator to delete their personal information; if they find that the personal information collected and stored by the network operator is incorrect, they have the right to require the network operator to correct it. Network operators shall take measures to delete or correct such information.

Article 44 No individual or organization shall steal or otherwise illegally obtain personal information, or illegally sell or provide personal information to others.

Article 45 Departments and their personnel legally responsible for the supervision and management of network security must strictly protect the confidentiality of personal information, privacy, and trade secrets they learn in the performance of their duties and shall not leak, sell, or illegally provide such information to others.

Article 46 Any individual or organization shall be responsible for its conduct in using the network and shall not establish websites or communication groups for engaging in fraudulent activities, teaching criminal methods, producing or selling contraband or controlled items, or other illegal or criminal activities; nor shall they use the network to publish information involving fraudulent activities, the production or sale of contraband or controlled items, or other illegal or criminal activities.

Article 47 Network operators shall strengthen the management of information published by their users; upon discovering information prohibited from being published or transmitted by laws and administrative regulations, they shall immediately stop transmitting such information, take measures such as removal, prevent the spread of information, keep relevant records, and report to the relevant competent authorities.

Article 48 No individual or organization shall set malicious programs in electronic information they send or in application software they provide, nor shall such information contain information prohibited from being published or transmitted by laws and administrative regulations.

Providers of electronic information sending services and application software download services shall fulfill their security management obligations; if they know that their users have engaged in the acts stipulated in the preceding paragraph, they shall cease providing services, take measures such as removal, keep relevant records, and report to the relevant competent authorities.

Article 49 Network operators shall establish a system for complaints and reports on network information security, publicly disclosing information such as complaint and report methods, and promptly accepting and handling complaints and reports concerning network information security.

Network operators shall cooperate with the supervision and inspection lawfully conducted by the cyberspace administration department and relevant departments.

Article 50 The national cyberspace administration department and relevant departments shall, in accordance with the law, perform their duties of supervising and administering network information security. If they find information that is prohibited from being published or transmitted by laws and administrative regulations, they shall require the network operator to stop transmitting it, take measures such as removal, and keep relevant records; for such information originating from outside the People's Republic of China, they shall notify relevant agencies to take technical measures and other necessary measures to block its dissemination.

Chapter 5 Monitoring, Early Warning and Emergency Response

Article 51 The state shall establish a network security monitoring, early warning and information reporting system. The national cyberspace administration department shall coordinate relevant departments to strengthen the collection, analysis and reporting of network security information, and shall uniformly release network security monitoring and early warning information in accordance with regulations.

Article 52 Departments responsible for the protection of critical information infrastructure security shall establish and improve the network security monitoring, early warning and information reporting system in their respective industries and fields, and submit network security monitoring and early warning information in accordance with regulations.

Article 53 The national cyberspace administration department shall coordinate with relevant departments to establish and improve a mechanism for network security risk assessment and emergency response, formulate emergency plans for network security incidents, and organize drills regularly.

Departments responsible for the protection of critical information infrastructure security shall formulate emergency plans for network security incidents in their respective industries and fields, and organize drills regularly.

Emergency plans for network security incidents shall classify network security incidents according to the severity of the harm and the scope of the impact after the incident occurs, and stipulate corresponding emergency response measures.

Article 54 When the risk of a network security incident increases, relevant departments of the people's governments at or above the provincial level shall, in accordance with the prescribed authority and procedures, and based on the characteristics of network security risks and the potential harm, take the following measures:

(1) Require relevant departments, institutions and personnel to promptly collect and report relevant information, and strengthen the monitoring of network security risks;

(2) Organize relevant departments, institutions and professionals to analyze and assess network security risk information, and predict the possibility, scope of impact and severity of the incident;

(3) Issue network security risk warnings to the public and publish measures to avoid and mitigate harm.

Article 55 In the event of a network security incident, the network security incident emergency plan shall be immediately activated to investigate and assess the network security incident, require network operators to take technical measures and other necessary measures to eliminate safety hazards and prevent the expansion of harm, and promptly release warning information relevant to the public.

Article 56 Relevant departments of the people's governments at or above the provincial level, in performing their duties of supervising and administering network security, may, in accordance with the prescribed authority and procedures, interview the legal representative or main person in charge of the operator of the network if they find that the network has major security risks or a security incident has occurred. Network operators shall take measures as required to rectify and eliminate hidden dangers.

Article 57 In the event of a sudden incident or a production safety accident due to a network security incident, it shall be handled in accordance with the provisions of the People's Republic of China's Emergency Response Law, the People's Republic of China's Safety Production Law and other relevant laws and administrative regulations.

Article 58   In order to maintain national security and social public order, and to deal with major sudden social security incidents, temporary measures such as restrictions on network communication may be taken in specific areas upon the decision or approval of the State Council.

Chapter 6 Legal Liability

Article 59 If a network operator fails to fulfill the network security protection obligations stipulated in Articles 21 and 25 of this Law, the relevant competent authority shall order it to make corrections and give it a warning; if it refuses to make corrections or causes consequences such as endangering network security, it shall be fined between 10,000 and 100,000 yuan, and the person directly responsible shall be fined between 5,000 and 50,000 yuan.

If the operator of critical information infrastructure fails to fulfill the network security protection obligations stipulated in Articles 33, 34, 36 and 38 of this Law, the relevant competent authority shall order it to make corrections and give it a warning; if it refuses to make corrections or causes consequences such as endangering network security, it shall be fined between 100,000 and 1 million yuan, and the person directly responsible shall be fined between 10,000 and 100,000 yuan.

Article 60 If any of the following acts are committed in violation of the provisions of Paragraphs 1 and 2 of Article 22 and Paragraph 1 of Article 48 of this Law, the relevant competent authority shall order it to make corrections and give it a warning; if it refuses to make corrections or causes consequences such as endangering network security, it shall be fined between 50,000 and 500,000 yuan, and the person directly responsible shall be fined between 10,000 and 100,000 yuan:

(1) Setting up malicious programs;

(2) Failing to take immediate remedial measures for security defects, vulnerabilities and other risks existing in its products and services, or failing to inform users in a timely manner in accordance with regulations and report to the relevant competent authority;

(3) Arbitrarily terminating the provision of security maintenance for its products and services.

Article 61 If a network operator violates the provisions of Paragraph 1 of Article 24 of this Law by failing to require users to provide real identity information, or by providing relevant services to users who do not provide real identity information, the relevant competent authority shall order it to make corrections; if it refuses to make corrections or the circumstances are serious, it shall be fined between 50,000 and 500,000 yuan, and the relevant competent authority may order it to suspend relevant businesses, suspend operations for rectification, close the website, revoke relevant business licenses or revoke business licenses, and the person directly responsible and other persons directly responsible shall be fined between 10,000 and 100,000 yuan.

Article 62 If, in violation of the provisions of Article 26 of this Law, network security certification, detection, risk assessment and other activities are carried out, or network security information such as system vulnerabilities, computer viruses, network attacks and network intrusions is published to the public, the relevant competent authority shall order it to make corrections and give it a warning; if it refuses to make corrections or the circumstances are serious, it shall be fined between 10,000 and 100,000 yuan, and the relevant competent authority may order it to suspend relevant businesses, suspend operations for rectification, close the website, revoke relevant business licenses or revoke business licenses, and the person directly responsible and other persons directly responsible shall be fined between 5,000 and 50,000 yuan.

Article 63 Violation of Article 27 of this Law by engaging in activities that endanger network security, or providing programs or tools specifically used for such activities, or providing technical support, advertising, payment settlement, or other assistance to others engaged in such activities, without constituting a crime, shall be subject to confiscation of illegal gains by the public security organs, and detention for less than five days, with a possible fine of more than 50,000 yuan but less than 500,000 yuan; for more serious cases, detention for more than five days but less than fifteen days, with a possible fine of more than 100,000 yuan but less than 1,000,000 yuan.

For units that have the behavior described in the preceding paragraph, the public security organs shall confiscate illegal gains and impose a fine of more than 100,000 yuan but less than 1,000,000 yuan, and shall punish the directly responsible person in charge and other directly responsible personnel in accordance with the provisions of the preceding paragraph.

Personnel who have received administrative punishment for violating Article 27 of this Law shall not engage in network security management or work in key positions in network operations for five years; personnel who have received criminal punishment shall never engage in network security management or work in key positions in network operations.

Article 64 Network operators and providers of network products or services that violate the provisions of Article 22, Paragraph 3, and Articles 41 to 43 of this Law, infringing on the legally protected rights of personal information, shall be ordered by the relevant competent authorities to rectify; a warning may be given alone or in conjunction with the confiscation of illegal gains, a fine of one to ten times the illegal gains, or, if there are no illegal gains, a fine of up to 1,000,000 yuan, and a fine of 10,000 yuan to 100,000 yuan on directly responsible supervisors and other directly responsible personnel. In serious cases, it may also be ordered to suspend relevant operations, suspend operations for rectification, close websites, revoke relevant business licenses, or revoke business licenses.

Violation of Article 44 of this Law by stealing or obtaining personal information through other illegal means, or illegally selling or providing such information to others without constituting a crime, shall be subject to confiscation of illegal gains by the public security organs, and a fine of one to ten times the illegal gains, or a fine of up to 1,000,000 yuan if there are no illegal gains.

Article 65 Operators of critical information infrastructure that violate Article 35 of this Law by using network products or services that have not undergone security review or have failed security review, shall be ordered by the relevant competent authorities to stop using them, and be fined one to ten times the procurement amount; directly responsible supervisors and other directly responsible personnel shall be fined 10,000 to 100,000 yuan.

Article 66 Operators of critical information infrastructure that violate Article 37 of this Law by storing network data abroad or providing network data to foreign countries, shall be ordered by the relevant competent authorities to rectify, given a warning, have illegal gains confiscated, and be fined 50,000 to 500,000 yuan, and may be ordered to suspend relevant operations, suspend operations for rectification, close websites, revoke relevant business licenses, or revoke business licenses; directly responsible supervisors and other directly responsible personnel shall be fined 10,000 to 100,000 yuan.

Article 67 Violation of Article 46 of this Law by establishing websites or communication groups for illegal and criminal activities, or using the network to publish information related to illegal and criminal activities without constituting a crime, shall be subject to detention for less than five days by the public security organs, with a possible fine of 10,000 to 100,000 yuan; for more serious cases, detention for more than five days but less than fifteen days, with a possible fine of 50,000 to 500,000 yuan. Close down the websites or communication groups used for illegal and criminal activities.

For units that have the behavior described in the preceding paragraph, the public security organs shall impose a fine of 100,000 to 500,000 yuan, and shall punish the directly responsible person in charge and other directly responsible personnel in accordance with the provisions of the preceding paragraph.

Article 68 Network operators who violate Article 47 of this Law by failing to stop transmission, take removal measures, or keep relevant records of information prohibited from being published or transmitted by laws and administrative regulations shall be ordered to rectify by the relevant competent authorities, given a warning, and have illegal gains confiscated. If they refuse to rectify or the circumstances are serious, they shall be fined 100,000 to 500,000 yuan, and may be ordered to suspend relevant operations, suspend operations for rectification, close websites, revoke relevant business licenses, or revoke business licenses, and directly responsible supervisors and other directly responsible personnel shall be fined 10,000 to 100,000 yuan.

Electronic information sending service providers and application software download service providers who fail to fulfill the safety management obligations stipulated in Article 48, Paragraph 2 of this Law shall be punished in accordance with the provisions of the preceding paragraph.

Article 69 Network operators who violate the provisions of this Law and commit any of the following acts shall be ordered to rectify by the relevant competent authorities; those who refuse to rectify or whose circumstances are serious shall be fined 50,000 to 500,000 yuan, and the directly responsible supervisors and other directly responsible personnel shall be fined 10,000 to 100,000 yuan:

(1) Failure to take measures such as stopping transmission and removal of information prohibited from being published or transmitted by laws and administrative regulations in accordance with the requirements of relevant departments;

(2) Refusal to or obstruction of the supervision and inspection lawfully conducted by relevant departments;

(3) Refusal to provide technical support and assistance to public security organs and national security organs.

Article 70 The publication or transmission of information prohibited by Article 12, Paragraph 2 and other laws and administrative regulations shall be punished in accordance with the provisions of the relevant laws and administrative regulations.

Article 71 For illegal acts stipulated in this Law, relevant laws and administrative regulations shall be recorded in credit files and publicized.

Article 72 Operators of state organ government networks who fail to fulfill the network security protection obligations stipulated in this Law shall be ordered to rectify by their superior authorities or relevant authorities; directly responsible supervisors and other directly responsible personnel shall be given disciplinary action in accordance with the law.

Article 73 If the cyberspace administration department and relevant departments violate the provisions of Article 30 of this Law and use the information obtained in the performance of their network security protection duties for other purposes, the directly responsible supervisors and other directly responsible personnel shall be given disciplinary action in accordance with the law.

If the staff of the cyberspace administration department and relevant departments neglect their duties, abuse their power, or engage in malfeasance in office without constituting a crime, they shall be given disciplinary action in accordance with the law.

Article 74 If violation of the provisions of this Law causes damage to others, civil liability shall be borne in accordance with the law.

Violation of the provisions of this Law which constitutes a violation of public security management shall be punished in accordance with the law; if a crime is constituted, criminal responsibility shall be investigated in accordance with the law.

Article 75 If foreign institutions, organizations, or individuals engage in activities that endanger the critical information infrastructure of the People's Republic of China, such as attack, intrusion, interference, or destruction, resulting in serious consequences, they shall be held legally responsible in accordance with the law; the Ministry of Public Security and relevant departments of the State Council may also decide to take measures such as freezing assets or other necessary sanctions against these institutions, organizations, or individuals.

Chapter 7 Appendix

Article 76 The meanings of the following terms used in this Law are as follows:

(1) Network refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information according to certain rules and procedures.

(2) Network security refers to the ability to maintain a stable and reliable operation of the network and to ensure the integrity, confidentiality, and availability of network data by taking necessary measures to prevent attacks, intrusion, interference, destruction, and illegal use of the network, as well as accidental incidents.

(3) Network operator refers to the owner, manager, and network service provider of the network.

(4) Network data refers to various electronic data collected, stored, transmitted, processed, and generated through the network.

(5) Personal information refers to various information recorded in electronic or other forms that can identify the identity of a natural person individually or in combination with other information, including but not limited to the natural person's name, date of birth, identity document number, personal biometric information, address, telephone number, etc.

Article 77 The operational security protection of networks that store and process information involving state secrets shall, in addition to complying with this Law, also comply with the provisions of secrecy laws and administrative regulations.

Article 78 The security protection of military networks shall be separately stipulated by the Central Military Commission.

Article 79 This Law shall come into force on June 1, 2017.