
Cybersecurity Law of the People's Republic of China

2021-01-19

Basic Information

Document Number: Presidential Order No. 53 of the People's Republic of China

Legal Level: Law

Validity: Currently Effective

Date of Publication: 2016-11-07

Date of Implementation: 2017-06-01

Issuing Authority: Standing Committee of the National People's Congress

Legal Revision

Adopted at the 24th Session of the Standing Committee of the 12th National People's Congress on November 7, 2016

Text

Chapter One: General Principles

Article 1

In order to ensure cybersecurity, maintain sovereignty in cyberspace and national security, protect the legitimate rights and interests of citizens, legal persons, and other organizations, and promote the healthy development of economic and social informatization, this law is formulated.

Article 2

This law applies to the construction, operation, maintenance, and use of networks within the territory of the People's Republic of China, as well as the supervision and management of cybersecurity.

Article 3

The state adheres to the principle of balancing cybersecurity and informatization development, follows the guidelines of actively utilizing, scientifically developing, managing according to law, and ensuring safety, promotes the construction and interconnection of network infrastructure, encourages innovation and application of network technology, supports the cultivation of cybersecurity talents, establishes and improves the cybersecurity assurance system, and enhances the capability of cybersecurity protection.

Article 4

The state formulates and continuously improves cybersecurity strategies, clarifies the basic requirements and main objectives for ensuring cybersecurity, and proposes cybersecurity policies, work tasks, and measures for key areas.

Article 5

The state takes measures to monitor, defend against, and address cybersecurity risks and threats originating from both within and outside the People's Republic of China, protects critical information infrastructure from attacks, intrusions, disruptions, and damages, punishes cyber illegal and criminal activities according to law, and maintains security and order in cyberspace.

Article 6

The state advocates honest and trustworthy, healthy and civilized online behavior, promotes the dissemination of socialist core values, takes measures to raise the awareness and level of cybersecurity across society, and forms a good environment for the whole society to participate in promoting cybersecurity.

Article 7

The state actively carries out international exchanges and cooperation in areas such as cyberspace governance, network technology research and development, and combating cyber illegal and criminal activities, promotes the construction of a peaceful, secure, open, and cooperative cyberspace, and establishes a multilateral, democratic, and transparent network governance system.

Article 8

The national internet information department is responsible for coordinating cybersecurity work and related supervision and management work. The telecommunications regulatory department of the State Council, public security departments, and other relevant agencies are responsible for cybersecurity protection and supervision and management work within their respective responsibilities according to this law and relevant laws and administrative regulations. The cybersecurity protection and supervision and management responsibilities of relevant departments of local people's governments at or above the county level are determined according to national regulations.

Article 9

Network operators must comply with laws and administrative regulations, respect social ethics, adhere to business ethics, act in good faith, fulfill cybersecurity protection obligations, accept government and social supervision, and bear social responsibilities when carrying out business and service activities.

Article 10

When constructing and operating networks or providing services through networks, necessary technical measures and other measures must be taken in accordance with laws, administrative regulations, and mandatory national standards to ensure the secure and stable operation of networks, respond effectively to cybersecurity incidents, prevent cyber illegal and criminal activities, and maintain the integrity, confidentiality, and availability of network data.

Article 11

Industry organizations related to networks should strengthen industry self-discipline according to their charters, formulate cybersecurity behavior norms, guide members to enhance cybersecurity protection, improve the level of cybersecurity protection, and promote healthy industry development.

Article 12

The state protects the rights of citizens, legal persons, and other organizations to use the internet in accordance with the law, promotes the popularization of internet access, improves the level of internet services, provides safe and convenient internet services for society, and ensures the lawful and orderly free flow of internet information. Any individual or organization using the internet must comply with the Constitution and laws, observe public order, respect social ethics, must not endanger cybersecurity, and must not use the internet to engage in activities that harm national security, honor, and interests, incite the subversion of state power, overthrow the socialist system, incite the division of the country, undermine national unity, promote terrorism, extremism, ethnic hatred, ethnic discrimination, disseminate violence, obscene and pornographic information, fabricate and spread false information to disrupt economic order and social order, and infringe upon the reputation, privacy, intellectual property rights, and other legitimate rights and interests of others.

Article 13

The state supports the research and development of internet products and services that are beneficial to the healthy growth of minors, punishes activities that harm the physical and mental health of minors using the internet according to law, and provides a safe and healthy online environment for minors.

Article 14

Any individual or organization has the right to report behaviors that endanger cybersecurity to internet information, telecommunications, public security, and other departments. The departments receiving the reports should handle them promptly according to law; if they do not fall within the responsibilities of the department, they should be promptly transferred to the competent department. Relevant departments should keep the relevant information of the whistleblower confidential and protect the legitimate rights and interests of the whistleblower.

Chapter Two: Support and Promotion of Cybersecurity

Article 15

The state establishes and improves the cybersecurity standard system. The standardization administrative department of the State Council and other relevant departments of the State Council organize the formulation and timely revision of national standards and industry standards related to cybersecurity management, as well as the safety of network products, services, and operations according to their respective responsibilities. The state supports enterprises, research institutions, universities, and network-related industry organizations to participate in the formulation of national and industry cybersecurity standards.

Article 16

The State Council and the people's governments of provinces, autonomous regions, and municipalities directly under the central government should plan comprehensively, increase investment, support key cybersecurity technology industries and projects, support the research and development and application of cybersecurity technology, promote safe and trustworthy network products and services, protect the intellectual property rights of network technology, and support enterprises, research institutions, and universities to participate in national cybersecurity technology innovation projects.

Article 17

The state promotes the construction of a socialized cybersecurity service system, encouraging relevant enterprises and institutions to carry out cybersecurity certification, testing, and risk assessment and other security services.

Article 18

The state encourages the development of technologies for the protection and utilization of network data security, promotes the opening of public data resources, and drives technological innovation and economic and social development. The state supports innovative cybersecurity management methods, using new network technologies to enhance the level of cybersecurity protection.

Article 19

All levels of people's governments and their relevant departments should organize regular cybersecurity publicity and education, and guide and supervise relevant units to carry out cybersecurity publicity and education work. Mass media should conduct targeted cybersecurity publicity and education for society.

Article 20

The state supports enterprises and educational training institutions such as higher education institutions and vocational schools to carry out education and training related to cybersecurity, adopting various methods to cultivate cybersecurity talents and promote the exchange of cybersecurity talents.

Chapter Three: Network Operation Security

Article 21

The state implements a cybersecurity grading protection system. Network operators shall fulfill the following security protection obligations in accordance with the requirements of the cybersecurity grading protection system to ensure that the network is protected from interference, damage, or unauthorized access, and to prevent network data from being leaked, stolen, or tampered with: (1) Formulate internal security management systems and operating procedures, designate a person responsible for network security, and implement network security protection responsibilities; (2) Take technical measures to prevent computer viruses, network attacks, network intrusions, and other harmful behaviors to network security; (3) Take technical measures to monitor and record the network operation status and network security incidents, and retain relevant network logs for no less than six months as required; (4) Take measures such as data classification, important data backup, and encryption; (5) Other obligations stipulated by laws and administrative regulations.

Article 22

Network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services shall not set up malicious programs; when discovering security defects, vulnerabilities, and other risks in their network products and services, they shall immediately take remedial measures, timely inform users as required, and report to the relevant authorities. Providers of network products and services shall continuously provide security maintenance for their products and services; they shall not terminate the provision of security maintenance within the stipulated or agreed period. If network products and services have the function of collecting user information, their providers shall clearly inform users and obtain consent; if it involves users' personal information, they shall also comply with the provisions of this law and relevant laws and administrative regulations regarding personal information protection.

Article 23

Key network devices and dedicated cybersecurity products shall be sold or provided only after being certified as safe by qualified institutions or passing safety inspections in accordance with the mandatory requirements of relevant national standards. The national internet information department, in conjunction with relevant departments of the State Council, shall formulate and publish a catalog of key network devices and dedicated cybersecurity products, and promote mutual recognition of safety certification and safety inspection results to avoid repeated certification and inspection.

Article 24

When network operators handle network access, domain name registration services, fixed-line phone, mobile phone, and other network access procedures for users, or provide users with information publishing, instant messaging, and other services, they shall require users to provide true identity information when signing agreements or confirming service provision. If users do not provide true identity information, network operators shall not provide relevant services. The state implements a trusted online identity strategy, supports the research and development of secure and convenient electronic identity authentication technologies, and promotes mutual recognition between different electronic identity authentications.

Article 25

Network operators shall formulate emergency plans for cybersecurity incidents, promptly address security risks such as system vulnerabilities, computer viruses, network attacks, and network intrusions; in the event of incidents that harm network security, they shall immediately activate the emergency plan, take corresponding remedial measures, and report to the relevant authorities as required.

Article 26

Activities such as cybersecurity certification, testing, and risk assessment, and the release of information on system vulnerabilities, computer viruses, network attacks, and network intrusions to the public shall comply with national regulations.

Article 27

No individual or organization shall engage in illegal activities that intrude into others' networks, interfere with the normal functions of others' networks, steal network data, or otherwise harm network security; nor shall they provide programs or tools specifically used for intruding into networks, interfering with the normal functions and protective measures of networks, or stealing network data; where they know that others are engaged in activities that harm network security, they shall not provide technical support, advertising promotion, payment settlement, or other assistance.

Article 28

Network operators shall provide technical support and assistance to public security organs and national security organs in accordance with the law to maintain national security and investigate crimes.

Article 29

The state supports cooperation among network operators in the collection, analysis, reporting, and emergency response of cybersecurity information to enhance the security assurance capabilities of network operators. Relevant industry organizations shall establish and improve cybersecurity protection norms and cooperation mechanisms in their industries, strengthen the analysis and assessment of cybersecurity risks, regularly issue risk warnings to members, and support and assist members in responding to cybersecurity risks.

Article 30

The information obtained by the internet information department and relevant departments in the performance of cybersecurity protection duties can only be used for the needs of maintaining network security and shall not be used for other purposes.

Article 31

The state implements key protection, based on the cybersecurity grading protection system, for critical information infrastructure in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other critical information infrastructure that, if it is damaged, loses functionality, or suffers a data leak, may seriously endanger national security, the economy, and public interest. The specific scope and security protection measures for critical information infrastructure shall be formulated by the State Council. The state encourages network operators outside critical information infrastructure to voluntarily participate in the protection system for critical information infrastructure.

Article 32

According to the division of responsibilities stipulated by the State Council, the departments responsible for the security protection of critical information infrastructure shall prepare and organize the implementation of security plans for critical information infrastructure in their respective industries and fields, and guide and supervise the security protection work of critical information infrastructure.

Article 33

The construction of critical information infrastructure shall ensure that it has the performance to support stable and continuous business operations, and ensure that security technical measures are planned, constructed, and used simultaneously.

Article 34

In addition to the provisions of Article 21 of this law, operators of critical information infrastructure shall also fulfill the following security protection obligations: (1) Establish a dedicated security management organization and a security management person in charge, and conduct security background checks on that person in charge and personnel in key positions; (2) Regularly provide cybersecurity education, technical training, and skill assessments for employees; (3) Conduct disaster recovery backups for important systems and databases; (4) Formulate emergency plans for cybersecurity incidents and conduct regular drills; (5) Other obligations stipulated by laws and administrative regulations.

Article 35

Operators of critical information infrastructure purchasing network products and services that may affect national security shall undergo national security review organized by the national internet information department in conjunction with relevant departments of the State Council.

Article 36

Operators of critical information infrastructure purchasing network products and services shall sign security confidentiality agreements with providers as required, clarifying security and confidentiality obligations and responsibilities.

Article 37

Operators of critical information infrastructure that collect and generate personal information and important data while operating within the territory of the People's Republic of China shall store such information within the territory. If it is necessary to provide this information overseas due to business needs, a security assessment must be conducted in accordance with the methods formulated by the national internet information department in conjunction with relevant departments of the State Council; if there are other provisions in laws or administrative regulations, those provisions shall apply.

Article 38

Operators of critical information infrastructure shall conduct security assessments of their networks at least once a year, either by themselves or by entrusting cybersecurity service agencies, and shall report the assessment results and improvement measures to the relevant departments responsible for the security protection of critical information infrastructure.

Article 39

The national internet information department shall coordinate relevant departments to take the following measures for the security protection of critical information infrastructure: (1) Conduct random inspections of the security risks of critical information infrastructure, propose improvement measures, and may entrust cybersecurity service agencies to assess the security risks of the network if necessary; (2) Regularly organize operators of critical information infrastructure to conduct cybersecurity emergency drills to improve their ability to respond to cybersecurity incidents and cooperate with each other; (3) Promote the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure, and relevant research institutions and cybersecurity service agencies; (4) Provide technical support and assistance for emergency handling of cybersecurity incidents and recovery of network functions.

Chapter Four: Network Information Security

Article 40

Network operators shall keep the user information they collect strictly confidential and establish and improve the user information protection system.

Article 41

When collecting and using personal information, network operators shall adhere to the principles of legality, legitimacy, and necessity, publicly disclose the rules for collection and use, clearly state the purpose, method, and scope of information collection and use, and obtain the consent of the individuals from whom the information is collected. Network operators shall not collect personal information that is unrelated to the services they provide, nor shall they collect or use personal information in violation of laws, administrative regulations, or agreements between the parties, and shall handle the personal information they retain in accordance with laws, administrative regulations, and agreements with users.

Article 42

Network operators shall not disclose, tamper with, or destroy the personal information they collect; without the consent of the individuals from whom the information is collected, they shall not provide personal information to others. However, this does not apply to information that has been processed in such a way that specific individuals cannot be identified and cannot be restored. Network operators shall take technical measures and other necessary measures to ensure the security of the personal information they collect, preventing information leakage, damage, or loss. Where personal information leakage, damage, or loss occurs or may occur, they shall immediately take remedial measures, promptly inform users as required, and report to the relevant supervisory authorities.

Article 43

Individuals who discover that network operators have violated laws, administrative regulations, or agreements between the parties in collecting or using their personal information have the right to request the deletion of their personal information; if they find that the personal information collected and stored by network operators is incorrect, they have the right to request correction. Network operators shall take measures to delete or correct the information.

Article 44

No individual or organization shall steal or otherwise illegally obtain personal information, nor shall they illegally sell or provide personal information to others.

Article 45

Departments and their staff responsible for cybersecurity supervision and management must keep strictly confidential any personal information, privacy, and commercial secrets they become aware of while performing their duties, and shall not disclose, sell, or illegally provide such information to others.

Article 46

Any individual or organization shall be responsible for their online behavior and shall not establish websites or communication groups for the purpose of committing fraud, teaching criminal methods, producing or selling prohibited items, controlled items, or engaging in other illegal activities. They shall not use the internet to publish information related to committing fraud, producing or selling prohibited items, controlled items, or other illegal activities.

Article 47

Network operators shall strengthen the management of the information published by their users. If they discover information that is prohibited from being published or transmitted by laws or administrative regulations, they shall immediately stop transmitting such information, take measures to eliminate it, prevent its spread, keep relevant records, and report to the relevant supervisory authorities.

Article 48

No electronic information or application software provided by any individual or organization shall contain malicious programs or include information that is prohibited from being published or transmitted by laws or administrative regulations. Electronic information sending service providers and application software download service providers shall fulfill their security management obligations, and if they are aware that their users are engaging in the aforementioned prohibited behaviors, they shall stop providing services, take measures to eliminate such behaviors, keep relevant records, and report to the relevant supervisory authorities.

Article 49

Network operators shall establish a complaint and reporting system for network information security, publish information on how to complain and report, and promptly handle and address complaints and reports related to network information security. Network operators shall cooperate with the supervision and inspection carried out by the internet information departments and relevant departments in accordance with the law.

Article 50

The national internet information department and relevant departments shall perform their duties of cybersecurity supervision and management in accordance with the law. If they discover information that is prohibited from being published or transmitted by laws or administrative regulations, they shall require network operators to stop transmission, take measures to eliminate such information, and keep relevant records; for information originating from outside the territory of the People's Republic of China, they shall notify relevant agencies to take technical measures and other necessary measures to block its dissemination.

Chapter Five: Monitoring, Early Warning, and Emergency Response

Article 51

The state shall establish a cybersecurity monitoring, early warning, and information reporting system. The national internet information department shall coordinate relevant departments to strengthen the collection, analysis, and reporting of cybersecurity information, and shall uniformly publish cybersecurity monitoring and early warning information as required.

Article 52

Departments responsible for the security protection of critical information infrastructure shall establish and improve the cybersecurity monitoring, early warning, and information reporting system in their respective industries and fields, and shall report cybersecurity monitoring and early warning information as required.

Article 53

The national internet information department shall coordinate relevant departments to establish and improve the cybersecurity risk assessment and emergency work mechanism, formulate emergency plans for cybersecurity incidents, and regularly organize drills. Departments responsible for the security protection of critical information infrastructure shall formulate emergency plans for cybersecurity incidents in their respective industries and fields and regularly organize drills. Emergency plans for cybersecurity incidents shall classify incidents based on the degree of harm, scope of impact, and other factors, and specify corresponding emergency response measures.

Article 54

When the risk of cybersecurity incidents increases, relevant departments of the people's government at or above the provincial level shall take the following measures in accordance with prescribed authority and procedures, and based on the characteristics of cybersecurity risks and the potential harm they may cause: (1) Require relevant departments, institutions, and personnel to promptly collect and report relevant information, and strengthen monitoring of cybersecurity risks; (2) Organize relevant departments, institutions, and professionals to analyze and assess cybersecurity risk information, predicting the likelihood, impact scope, and severity of incidents; (3) Issue cybersecurity risk warnings to the public and publish measures to avoid or mitigate harm.

Article 55

In the event of a cybersecurity incident, the emergency response plan for cybersecurity incidents shall be immediately activated to investigate and assess the incident, requiring network operators to take technical measures and other necessary actions to eliminate security risks, prevent the expansion of harm, and promptly issue warning information relevant to the public.

Article 56

When relevant departments of the people's government at or above the provincial level discover significant security risks in the network or incidents occurring during the performance of cybersecurity supervision and management duties, they may, in accordance with prescribed authority and procedures, conduct interviews with the legal representatives or main responsible persons of the network operators. Network operators shall take measures as required to rectify and eliminate risks.

Article 57

In the event of a sudden incident or production safety accident due to a cybersecurity incident, it shall be handled in accordance with the provisions of the Emergency Response Law of the People's Republic of China, the Production Safety Law of the People's Republic of China, and other relevant laws and administrative regulations.

Article 58

In order to maintain national security and social public order, if necessary to handle major sudden social security incidents, temporary measures such as restrictions on network communication may be taken in specific areas as decided or approved by the State Council.

Chapter Six: Legal Responsibilities

Article 59

If network operators fail to fulfill the cybersecurity protection obligations stipulated in Articles 21 and 25 of this law, the relevant competent department shall order corrections and issue warnings; if they refuse to correct or cause consequences that harm network security, they shall be fined between 10,000 and 100,000 yuan, and the directly responsible supervisors shall be fined between 5,000 and 50,000 yuan. If operators of critical information infrastructure fail to fulfill the cybersecurity protection obligations stipulated in Articles 33, 34, 36, and 38 of this law, the relevant competent department shall order corrections and issue warnings; if they refuse to correct or cause consequences that harm network security, they shall be fined between 100,000 and 1,000,000 yuan, and the directly responsible supervisors shall be fined between 10,000 and 100,000 yuan.

Article 60

Violating the provisions of the first and second paragraphs of Article 22 and the first paragraph of Article 48 of this law, if any of the following behaviors occur, the relevant competent department shall order corrections and issue warnings; if they refuse to correct or cause consequences that harm network security, they shall be fined between 50,000 and 500,000 yuan, and the directly responsible supervisors shall be fined between 10,000 and 100,000 yuan: (1) Setting malicious programs; (2) Failing to take immediate remedial measures for security defects, vulnerabilities, and other risks in their products and services, or failing to timely inform users and report to relevant competent departments as required; (3) Unilaterally terminating security maintenance for their products and services.

Article 61

If network operators violate the provisions of the first paragraph of Article 24 of this law by not requiring users to provide true identity information, or providing relevant services to users who do not provide true identity information, the relevant competent department shall order corrections; if they refuse to correct or the circumstances are serious, they shall be fined between 50,000 and 500,000 yuan, and the relevant competent department may order the suspension of related business, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses, and the directly responsible supervisors and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan.

Article 62

Where cybersecurity certification, testing, or risk assessment activities are carried out, or cybersecurity information such as system vulnerabilities, computer viruses, network attacks, and network intrusions is published to the public, in violation of the provisions of Article 26 of this law, the relevant competent department shall order corrections and issue warnings; if they refuse to correct or the circumstances are serious, they shall be fined between 10,000 and 100,000 yuan, and the relevant competent department may order the suspension of related business, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses, and the directly responsible supervisors and other directly responsible personnel shall be fined between 5,000 and 50,000 yuan.

Article 63

Violating the provisions of Article 27 of this law by engaging in activities that harm network security, or providing programs or tools specifically used for activities that harm network security, or providing technical support, advertising promotion, payment settlement, and other assistance for others engaging in activities that harm network security, and not constituting a crime, the public security organs shall confiscate illegal gains and impose detention of less than five days, and may impose fines between 50,000 and 500,000 yuan; if the circumstances are more serious, they shall be detained for more than five days and less than fifteen days, and may impose fines between 100,000 and 1,000,000 yuan. If an entity engages in the aforementioned behavior, the public security organs shall confiscate illegal gains and impose fines between 100,000 and 1,000,000 yuan, and punish the directly responsible supervisors and other directly responsible personnel according to the previous provisions. Individuals who have been administratively punished for violating the provisions of Article 27 of this law shall not engage in cybersecurity management and key positions in network operations for five years; individuals who have been criminally punished shall not engage in cybersecurity management and key positions in network operations for life.

Article 64

If network operators or providers of network products or services violate the provisions of the third paragraph of Article 22, and Articles 41 to 43 of this law, infringing upon the rights of personal information that are protected by law, the relevant competent department shall order corrections, and may impose warnings, confiscation of illegal gains, and fines of between one and ten times the illegal gains based on the circumstances; if there are no illegal gains, a fine of less than one million yuan shall be imposed, and the directly responsible supervisors and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan; if the circumstances are serious, they may also order the suspension of related business, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses. Violating the provisions of Article 44 of this law by stealing or otherwise illegally obtaining, illegally selling, or illegally providing personal information to others, and not constituting a crime, the public security organs shall confiscate illegal gains and impose fines of between one and ten times the illegal gains; if there are no illegal gains, a fine of less than one million yuan shall be imposed.

Article 65

If operators of critical information infrastructure violate the provisions of Article 35 of this law by using network products or services that have not undergone security review or have failed security review, the relevant competent department shall order them to stop using them and impose fines of between one and ten times the procurement amount; the directly responsible supervisors and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan.

Article 66

If operators of critical information infrastructure violate the provisions of Article 37 of this law by storing network data abroad or providing network data to foreign entities, the relevant competent department shall order corrections, issue warnings, confiscate illegal gains, and impose fines between 50,000 and 500,000 yuan, and may order the suspension of related business, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses; the directly responsible supervisors and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan.

Article 67

Violating the provisions of Article 46 of this law by establishing websites or communication groups for illegal activities, or using the internet to publish information related to illegal activities, which does not constitute a crime, shall be detained for up to five days by the public security organs, and may also be fined between 10,000 and 100,000 yuan; if the circumstances are more serious, detention shall be for more than five days and up to fifteen days, and may also be fined between 50,000 and 500,000 yuan. Websites and communication groups used for illegal activities shall be closed. If an entity commits the aforementioned acts, it shall be fined between 100,000 and 500,000 yuan by the public security organs, and the directly responsible supervisors and other directly responsible personnel shall be punished according to the previous provisions.

Article 68

If network operators violate the provisions of Article 47 of this law by failing to stop the transmission of, remove, or take other disposal measures for information prohibited from being published or transmitted by laws and administrative regulations, and failing to keep relevant records, the relevant competent department shall order corrections, issue warnings, and confiscate illegal gains; if they refuse to correct or the circumstances are serious, they shall be fined between 100,000 and 500,000 yuan, and may be ordered to suspend relevant business, cease operations for rectification, close websites, revoke relevant business licenses, or revoke business licenses, and the directly responsible supervisors and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan. Electronic information sending service providers and application download service providers that do not fulfill the security management obligations stipulated in the second paragraph of Article 48 of this law shall be punished according to the previous provisions.

Article 69

If network operators violate the provisions of this law and have any of the following behaviors, the relevant competent department shall order corrections; if they refuse to correct or the circumstances are serious, they shall be fined between 50,000 and 500,000 yuan, and the directly responsible supervisors and other directly responsible personnel shall be fined between 10,000 and 100,000 yuan:

(1) Failing to take measures to stop transmission or eliminate information prohibited from being published or transmitted by laws and administrative regulations as required by relevant departments;

(2) Refusing or obstructing the supervision and inspection carried out by relevant departments according to law;

(3) Refusing to provide technical support and assistance to public security organs and national security organs.

Article 70

Publishing or transmitting information prohibited from being published or transmitted by the second paragraph of Article 12 of this law and other laws and administrative regulations shall be punished according to the relevant laws and administrative regulations.

Article 71

Illegal acts stipulated in this law shall be recorded in the credit file according to relevant laws and administrative regulations and made public.

Article 72

If the operators of government affairs networks of state organs fail to fulfill the network security protection obligations stipulated in this law, their superior organs or relevant organs shall order corrections; the directly responsible supervisors and other directly responsible personnel shall be punished according to law.

Article 73

If the internet information department and relevant departments violate the provisions of Article 30 of this law by using information obtained in the performance of network security protection duties for other purposes, the directly responsible supervisors and other directly responsible personnel shall be punished according to law. If the staff of the internet information department and relevant departments neglect their duties, abuse their powers, or engage in favoritism and corruption, which does not constitute a crime, they shall be punished according to law.

Article 74

If violations of this law cause damage to others, civil liability shall be borne according to law. If violations of this law constitute a violation of public security management, public security management penalties shall be imposed according to law; if they constitute a crime, criminal responsibility shall be pursued according to law.

Article 75

If foreign institutions, organizations, or individuals engage in activities that attack, invade, interfere with, or destroy the critical information infrastructure of the People's Republic of China, causing serious consequences, they shall be held legally responsible; the public security department of the State Council and relevant departments may also decide to take measures such as freezing assets or other necessary sanctions against such institutions, organizations, or individuals.

Chapter Seven: Supplementary Provisions

Article 76

The meanings of the following terms in this law are:

(1) Network refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information according to certain rules and procedures.

(2) Network security refers to the ability to maintain the stability and reliability of the network and ensure the integrity, confidentiality, and availability of network data by taking necessary measures to prevent attacks, invasions, interference, destruction, illegal use, and accidents.

(3) Network operators refer to the owners, managers, and service providers of the network.

(4) Network data refers to various electronic data collected, stored, transmitted, processed, and generated through the network.

(5) Personal information refers to various information that can identify a natural person's identity, recorded in electronic or other forms, including but not limited to a natural person's name, date of birth, identification document number, personal biometric information, address, phone number, etc.

Article 77

The operation security protection of networks that store and process information involving state secrets shall comply with the provisions of confidentiality laws and administrative regulations in addition to this law.

Article 78

The security protection of military networks shall be separately provided by the Central Military Commission.

Article 79

This law shall come into effect on June 1, 2017.

 
