Cybersecurity Law of the People's Republic of China

Regulations · April 8th, 2025

Release Date: 2016-11-07

Effective Date: 2017-06-01

Source: https://www.cac.gov.cn/2016-11/07/c_1119867116_3.htm

Original Title: 中华人民共和国网络安全法

Chapter I General Principles

Article 1 In order to safeguard cybersecurity, maintain sovereignty over cyberspace and national security, protect the public interest, safeguard the legitimate rights and interests of citizens, legal persons, and other organizations, and promote the healthy development of economic and social informationization, this law is enacted.

Article 2 This law applies to the construction, operation, maintenance, and use of networks within the territory of the People's Republic of China, as well as the supervision and administration of cybersecurity.

Article 3 The state adheres to the principle of balancing cybersecurity with information development, follows the guidelines of actively utilizing, scientifically developing, legally managing, and ensuring security, promotes the construction and interconnectivity of network infrastructure, encourages innovation and application of network technology, supports the cultivation of cybersecurity talent, establishes and improves the cybersecurity assurance system, and enhances the capacity for cybersecurity protection.

Article 4 The state formulates and continuously improves its cybersecurity strategy, clarifying the basic requirements and primary objectives for safeguarding cybersecurity, and proposing policies, work tasks, and measures for key areas of cybersecurity.

Article 5 The state takes measures to monitor, defend against, and address cybersecurity risks and threats originating from within and outside the People's Republic of China, protects critical information infrastructure from attacks, intrusions, disruptions, and damages, punishes cyber crimes in accordance with the law, and maintains cybersecurity and order in cyberspace.

Article 6 The state advocates for honest, trustworthy, healthy, and civilized online behavior, promotes the dissemination of socialist core values, takes measures to enhance the cybersecurity awareness and level of the entire society, and fosters a good environment for the whole society to participate in promoting cybersecurity.

Article 7 The state actively carries out international exchanges and cooperation in areas such as cyberspace governance, network technology research and development, standard formulation, and combating cyber crimes, promotes the construction of a peaceful, secure, open, and cooperative cyberspace, and establishes a multilateral, democratic, and transparent network governance system.

Article 8 The national cyberspace administration is responsible for coordinating cybersecurity work and related supervision and management. The telecommunications regulatory authority of the State Council, the public security department, and other relevant agencies are responsible for cybersecurity protection and supervision within their respective areas of responsibility in accordance with this law and relevant laws and administrative regulations.

The cybersecurity protection and supervision responsibilities of relevant departments of local people's governments at or above the county level shall be determined according to national regulations.

Article 9 Network operators conducting business and service activities must comply with laws and administrative regulations, respect social ethics, adhere to commercial morals, operate in good faith, fulfill cybersecurity protection obligations, accept government and social supervision, and bear social responsibility.

Article 10 The construction and operation of networks or the provision of services through networks must comply with the provisions of laws, administrative regulations, and mandatory national standards, taking technical measures and other necessary measures to ensure cybersecurity and stable operation, effectively respond to cybersecurity incidents, prevent cyber crimes, and maintain the integrity, confidentiality, and availability of network data.

Article 11 Industry organizations related to networks shall strengthen industry self-discipline according to their charters, formulate cybersecurity behavior norms, guide members to enhance cybersecurity protection, improve the level of cybersecurity protection, and promote the healthy development of the industry.

Article 12 The state protects the rights of citizens, legal persons, and other organizations to use the internet legally, promotes the widespread accessibility of internet access, enhances the level of internet services, provides safe and convenient internet services to society, and ensures the lawful, orderly, and free flow of network information.

Any individual or organization using the internet shall comply with the Constitution and laws, observe public order, respect social ethics, and must not endanger cybersecurity or use the internet to harm national security, honor, and interests, incite the subversion of state power, overthrow the socialist system, incite national division, undermine national unity, promote terrorism and extremism, incite ethnic hatred and discrimination, disseminate violent, obscene, or pornographic information, fabricate and disseminate false information to disrupt economic and social order, or infringe upon the reputation, privacy, intellectual property rights, and other legitimate rights and interests of others.

Article 13 The state supports the research and development of network products and services that are conducive to the healthy growth of minors, punishes, according to law, activities that harm the physical and mental health of minors using the internet, and provides a safe and healthy online environment for minors.

Article 14 Any individual or organization has the right to report acts that endanger cybersecurity to the cyberspace administration, telecommunications, public security, and other departments. The departments receiving the reports shall promptly handle them in accordance with the law; if the matter does not fall within their jurisdiction, they shall promptly transfer it to the appropriate authority.

Relevant departments shall keep the informant's information confidential and protect the legitimate rights and interests of the informant.

Chapter II Support and Promotion of Cybersecurity

Article 15 The state establishes and improves the cybersecurity standard system. The standardization administrative department of the State Council and other relevant departments shall organize the formulation and timely revision of national standards and industry standards related to cybersecurity management, as well as the security of network products, services, and operations according to their respective responsibilities.

The state supports enterprises, research institutions, universities, and network-related industry organizations to participate in the formulation of national standards and industry standards for cybersecurity.

Article 16 The State Council and the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall coordinate planning, increase investment, support key cybersecurity technology industries and projects, promote the research, development, and application of cybersecurity technologies, promote the use of secure and trustworthy network products and services, protect the intellectual property rights of network technologies, and support enterprises, research institutions, and universities in participating in national cybersecurity technology innovation projects.

Article 17 The state promotes the construction of a socialized cybersecurity service system, encouraging relevant enterprises and institutions to provide cybersecurity certification, testing, risk assessment, and other security services.

Article 18 The state encourages the development of technologies for the protection and utilization of network data security, promotes the opening of public data resources, and fosters technological innovation and economic and social development.

The state supports the innovation of cybersecurity management methods and the use of new network technologies to enhance the level of cybersecurity protection.

Article 19 People's governments at all levels and their relevant departments shall organize regular cybersecurity publicity and education, and guide and supervise relevant units to carry out cybersecurity publicity and education work.

Mass media shall conduct targeted cybersecurity publicity and education aimed at society.

Article 20 The state supports enterprises and educational training institutions such as universities and vocational schools in conducting cybersecurity-related education and training, adopting various methods to cultivate cybersecurity talent, and promoting the exchange of cybersecurity professionals.

Chapter III Network Operation Security

Section 1 General Provisions

Article 21 The state implements a cybersecurity grading protection system. Network operators shall perform the following security protection obligations in accordance with the requirements of the cybersecurity grading protection system to ensure the network is free from interference, destruction, or unauthorized access, and to prevent network data leakage, theft, or alteration:

  1. Formulate internal security management systems and operational procedures, designate a cybersecurity responsible person, and implement cybersecurity protection responsibilities;

  2. Take technical measures to prevent computer viruses, network attacks, network intrusions, and other behaviors that endanger cybersecurity;

  3. Implement technical measures to monitor and record the network operation status and cybersecurity incidents, and retain relevant network logs for no less than six months;

  4. Implement data classification, important data backup, and encryption measures;

  5. Other obligations prescribed by laws and administrative regulations.

Article 22 Network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services shall not install malicious programs; upon discovering security defects, vulnerabilities, or other risks in their network products or services, they shall take immediate remedial measures and promptly inform users and report to relevant authorities as required.

Providers of network products and services shall continuously provide security maintenance for their products and services; they shall not terminate security maintenance within the prescribed period or the period agreed by the parties.

If network products and services have the function of collecting user information, their providers shall clearly inform users and obtain consent; if it involves personal information of users, they shall also comply with the provisions of this law and relevant laws and administrative regulations regarding personal information protection.

Article 23 Key network equipment and specialized cybersecurity products shall, in accordance with the mandatory requirements of relevant national standards, only be sold or provided after being certified as safe by qualified institutions or passing safety testing. The national cyberspace administration, in conjunction with relevant departments of the State Council, shall formulate and publish a catalog of key network equipment and specialized cybersecurity products and promote mutual recognition of safety certification and testing results to avoid duplicate certification and testing.

Article 24 When network operators provide network access, domain name registration services, handle procedures for fixed-line and mobile telephones, or provide users with information publishing, instant messaging, and other services, they shall require users to provide true identity information when signing agreements or confirming service provision. If users do not provide true identity information, network operators shall not provide related services.

The state implements a trusted identity strategy for the internet, supporting the research and development of secure and convenient electronic identity authentication technologies, and promoting mutual recognition among different electronic identity authentications.

Article 25 Network operators shall formulate emergency plans for cybersecurity incidents, promptly address security risks such as system vulnerabilities, computer viruses, network attacks, and intrusions; in the event of incidents that endanger cybersecurity, they shall immediately activate the emergency plan, take corresponding remedial measures, and report to relevant authorities as required.

Article 26 Activities such as cybersecurity certification, testing, risk assessment, and the publication of information regarding system vulnerabilities, computer viruses, network attacks, and intrusions must comply with national regulations.

Article 27 No individual or organization shall engage in illegal intrusion into others' networks, interfere with the normal functioning of others' networks, steal network data, or engage in other activities that endanger cybersecurity; nor shall they provide programs or tools specifically used for intruding networks, interfering with normal network functions, or stealing network data; knowing that others are engaged in activities that endanger cybersecurity, they shall not provide technical support, advertising, promotion, payment settlement, or other assistance.

Article 28 Network operators shall provide technical support and assistance to public security organs and national security organs in their lawful activities to maintain national security and investigate crimes.

Article 29 The state supports cooperation among network operators in the collection, analysis, reporting, and emergency response regarding cybersecurity information to enhance the security assurance capabilities of network operators.

Relevant industry organizations shall establish and improve cybersecurity protection norms and cooperation mechanisms for their industry, strengthen the analysis and assessment of cybersecurity risks, regularly issue risk warnings to their members, and support and assist members in responding to cybersecurity risks.

Article 30 The cyberspace administration and relevant departments may only use the information obtained in the course of performing cybersecurity protection duties to meet the needs of maintaining cybersecurity and shall not use it for other purposes.

Section 2 Security of Critical Information Infrastructure Operations

Article 31 The state implements key protection, based on the cybersecurity grading protection system, for critical information infrastructure in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other critical information infrastructure that, if it is damaged, loses functionality, or experiences data leakage, may severely endanger national security, the economy, and public interest. The specific scope and security protection measures for critical information infrastructure shall be formulated by the State Council.

The state encourages network operators outside critical information infrastructure to voluntarily participate in the critical information infrastructure protection system.

Article 32 According to the division of responsibilities prescribed by the State Council, departments responsible for the security protection of critical information infrastructure shall compile and organize the implementation of security plans for critical information infrastructure in their respective industries and fields, and guide and supervise the security protection work for the operation of critical information infrastructure.

Article 33 The construction of critical information infrastructure shall ensure that it possesses the performance necessary to support stable and continuous business operations, and ensure that security technical measures are planned, constructed, and utilized simultaneously.

Article 34 In addition to the provisions of Article 21 of this law, operators of critical information infrastructure shall also fulfill the following security protection obligations:

  1. Establish dedicated security management agencies and appoint security management personnel, conducting security background checks on these personnel and on personnel in key positions;

  2. Regularly conduct cybersecurity education, technical training, and skill assessments for employees;

  3. Implement disaster recovery backups for important systems and databases;

  4. Formulate emergency plans for cybersecurity incidents and conduct regular drills;

  5. Other obligations prescribed by laws and administrative regulations.

Article 35 Operators of critical information infrastructure purchasing network products and services that may affect national security shall undergo national security review organized by the national cyberspace administration in conjunction with relevant departments of the State Council.

Article 36 Operators of critical information infrastructure purchasing network products and services shall sign security confidentiality agreements with providers in accordance with regulations, clarifying security and confidentiality obligations and responsibilities.

Article 37 Personal information and important data collected and generated by operators of critical information infrastructure during operations within the territory of the People's Republic of China shall be stored within the territory. If it is necessary to provide such data to overseas parties due to business needs, a security assessment shall be conducted in accordance with the methods formulated by the national cyberspace administration in conjunction with relevant departments of the State Council; if otherwise stipulated by laws and administrative regulations, such provisions shall apply.

Article 38 Operators of critical information infrastructure shall, either independently or by entrusting cybersecurity service agencies, conduct security assessments of their networks at least once a year to evaluate security and potential risks, and submit the assessment results and improvement measures to the relevant departments responsible for the security protection of critical information infrastructure.

Article 39 The national cyberspace administration shall coordinate relevant departments to take the following measures for the security protection of critical information infrastructure:

  1. Conduct random inspections of security risks of critical information infrastructure, propose improvement measures, and may, if necessary, entrust cybersecurity service agencies to assess the security risks present in the network;

  2. Regularly organize operators of critical information infrastructure to conduct cybersecurity emergency drills to enhance their response capabilities to cybersecurity incidents and collaborative coordination;

  3. Promote the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure, and relevant research institutions and cybersecurity service agencies;

  4. Provide technical support and assistance for emergency response to cybersecurity incidents and recovery of network functions.

Chapter IV Network Information Security

Article 40 Network operators shall keep the user information they collect strictly confidential and establish and improve the user information protection system.

Article 41 When collecting and using personal information, network operators shall adhere to the principles of legality, propriety, and necessity, publicly disclose the rules for collection and use, explicitly state the purpose, method, and scope of the information collected and used, and obtain the consent of the individuals from whom the information is collected.

Network operators shall not collect personal information that is irrelevant to the services they provide, nor shall they collect or use personal information in violation of laws, administrative regulations, or agreements between the parties, and they shall handle the personal information they retain in accordance with the provisions of laws and administrative regulations and agreements with users.

Article 42 Network operators shall not disclose, alter, or destroy the personal information they collect; without the consent of the individual from whom the information was collected, they shall not provide personal information to others. However, this does not apply to information that has been processed in such a way that specific individuals cannot be identified and cannot be restored.

Network operators shall take technical measures and other necessary measures to ensure the security of the personal information they collect, preventing information leakage, destruction, or loss. Where personal information leakage, destruction, or loss occurs or may occur, they shall take immediate remedial measures, promptly inform users, and report to relevant authorities as required.

Article 43 Individuals who discover that network operators have violated laws, administrative regulations, or agreements by collecting or using their personal information have the right to request the deletion of their personal information; if they find errors in the personal information collected and stored by network operators, they have the right to request corrections. Network operators shall take measures to delete or correct the information.

Article 44 No individual or organization shall steal or otherwise illegally obtain personal information, nor shall they illegally sell or provide personal information to others.

Article 45 Departments and their staff responsible for cybersecurity supervision and management must keep strictly confidential any personal information, privacy, and trade secrets they become aware of while performing their duties, and shall not disclose, sell, or illegally provide such information to others.

Article 46 Any individual or organization shall be responsible for their online activities and shall not establish websites or communication groups for the purpose of committing fraud, teaching criminal methods, producing or selling prohibited items or controlled goods, or engaging in other illegal activities; nor shall they use the internet to disseminate information related to committing fraud, producing or selling prohibited items, controlled goods, or other illegal activities.

Article 47 Network operators shall strengthen the management of information published by their users. Upon discovering information that is prohibited from being published or transmitted by laws or administrative regulations, they shall immediately stop transmitting that information, take measures to eliminate it, prevent its spread, preserve relevant records, and report to relevant authorities.

Article 48 Electronic information and applications provided by any individual or organization shall not contain malicious programs or include information that is prohibited from being published or transmitted by laws or administrative regulations.

Providers of electronic information sending services and application download services shall fulfill their security management obligations; if they become aware that their users are engaging in the aforementioned prohibited behaviors, they shall stop providing services, take measures to eliminate such behaviors, preserve relevant records, and report to relevant authorities.

Article 49 Network operators shall establish a complaint and reporting system for network information security, publicize information on how to make complaints and reports, and promptly handle and address complaints and reports related to network information security.

Network operators shall cooperate with the cyberspace administration and relevant departments in the supervision and inspection conducted in accordance with the law.

Article 50 The national cyberspace administration and relevant departments shall perform their cybersecurity supervision and management duties according to the law. Upon discovering information that is prohibited from being published or transmitted by laws or administrative regulations, they shall require network operators to stop transmission, take measures to eliminate it, and preserve relevant records; for information originating from outside the People's Republic of China, they shall notify relevant institutions to take technical measures and other necessary actions to block dissemination.

Chapter V Monitoring, Warning, and Emergency Response

Article 51 The state establishes a cybersecurity monitoring, warning, and information reporting system. The national cyberspace administration shall coordinate relevant departments to strengthen the collection, analysis, and reporting of cybersecurity information, and shall uniformly publish cybersecurity monitoring and warning information as required.

Article 52 Departments responsible for the security protection of critical information infrastructure shall establish and improve the cybersecurity monitoring, warning, and information reporting systems for their respective industries and fields and report cybersecurity monitoring and warning information as required.

Article 53 The national cyberspace administration shall coordinate relevant departments to establish and improve cybersecurity risk assessment and emergency response mechanisms, formulate emergency plans for cybersecurity incidents, and regularly organize drills.

Departments responsible for the security protection of critical information infrastructure shall formulate emergency plans for cybersecurity incidents in their respective industries and fields and regularly organize drills.

Emergency plans for cybersecurity incidents shall classify cybersecurity incidents according to the severity of harm, scope of impact, and other factors, and specify corresponding emergency response measures.

Article 54 When the risk of cybersecurity incidents increases, relevant departments of provincial-level or higher people's governments shall, according to prescribed authority and procedures, and based on the characteristics of cybersecurity risks and the potential harm they may cause, take the following measures:

  1. Require relevant departments, institutions, and personnel to promptly collect and report relevant information, and enhance monitoring of cybersecurity risks;

  2. Organize relevant departments, institutions, and professionals to analyze and assess cybersecurity risk information, predicting the likelihood of incidents occurring, their impact scope, and severity;

  3. Issue cybersecurity risk warnings to the public and publish measures to avoid or mitigate harm.

Article 55 In the event of a cybersecurity incident, the emergency plan for cybersecurity incidents shall be immediately activated to investigate and assess the cybersecurity incident, requiring network operators to take technical measures and other necessary actions to eliminate security hazards, prevent further harm, and promptly issue public warnings regarding relevant information.

Article 56 Relevant departments of provincial-level or higher people's governments, while performing cybersecurity supervision and management duties, may, when discovering significant security risks in a network or the occurrence of a security incident, conduct interviews with the legal representatives or main responsible persons of the network operators according to prescribed authority and procedures. Network operators shall take measures as required to rectify and eliminate hazards.

Article 57 In the event of a cybersecurity incident leading to an emergency or production safety accident, it shall be handled in accordance with the provisions of the Law of the People's Republic of China on Emergency Response, the Law of the People's Republic of China on Production Safety, and other relevant laws and administrative regulations.

Article 58 Due to the need to maintain national security and public order, and to address major sudden social security incidents, temporary measures such as restrictions on network communications may be taken in specific areas upon the decision or approval of the State Council.

Chapter VI Legal Responsibilities

Article 59 If network operators fail to fulfill the cybersecurity protection obligations stipulated in Articles 21 and 25 of this law, the relevant supervisory authority shall order corrections and issue warnings; if they refuse to rectify or cause consequences that endanger cybersecurity, they shall be fined between 10,000 and 100,000 yuan, and the directly responsible personnel shall be fined between 5,000 and 50,000 yuan.

If operators of critical information infrastructure fail to fulfill the cybersecurity protection obligations stipulated in Articles 33, 34, 36, and 38 of this law, the relevant supervisory authority shall order corrections and issue warnings; if they refuse to rectify or cause consequences that endanger cybersecurity, they shall be fined between 100,000 and 1,000,000 yuan, and the directly responsible personnel shall be fined between 10,000 and 100,000 yuan.

Article 60 Where the provisions of the first and second paragraphs of Article 22 and Article 48 of this law are violated through any of the following behaviors, the relevant supervisory authority shall order corrections and issue a warning; if the violators refuse to rectify or cause consequences that endanger cybersecurity, they shall be fined between 50,000 and 500,000 yuan, and the directly responsible personnel shall be fined between 10,000 and 100,000 yuan:

  1. Installing malicious programs;

  2. Failing to take immediate remedial measures for security defects, vulnerabilities, and risks in their products or services, or failing to promptly inform users and report to relevant authorities as required;

  3. Unilaterally terminating security maintenance for their products or services.

Article 61 If network operators violate the provisions of the first paragraph of Article 24 by not requiring users to provide true identity information, or by providing relevant services to users who do not provide true identity information, the relevant supervisory authority shall order corrections; if they refuse to rectify or the situation is serious, they shall be fined between 50,000 and 500,000 yuan, and the relevant supervisory authority may order the suspension of related businesses, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses, and impose fines of between 10,000 and 100,000 yuan on the directly responsible personnel and other directly responsible personnel.

Article 62 Where cybersecurity certification, testing, or risk assessment is carried out, or cybersecurity information regarding system vulnerabilities, computer viruses, network attacks, and intrusions is published, in violation of the provisions of Article 26 of this law, the relevant supervisory authority shall order corrections and issue a warning; if the violators refuse to rectify or the situation is serious, they shall be fined between 10,000 and 100,000 yuan, and the relevant supervisory authority may order the suspension of related businesses, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses, and impose fines of between 5,000 and 50,000 yuan on the directly responsible personnel and other directly responsible personnel.

Article 63 Engaging in activities that endanger cybersecurity or providing programs or tools specifically used for engaging in activities that endanger cybersecurity, or providing technical support, advertising, promotion, payment settlement, and other assistance to others engaging in activities that endanger cybersecurity, without constituting a crime, shall result in the confiscation of illegal gains by the public security organs and detention for up to five days, and may also incur fines between 50,000 and 500,000 yuan; if the circumstances are serious, detention for more than five days but less than fifteen days may be imposed, with fines between 100,000 and 1,000,000 yuan.

If an entity engages in the aforementioned behavior, the public security organs shall confiscate illegal gains and impose fines between 100,000 and 1,000,000 yuan, and impose penalties on the directly responsible personnel and other directly responsible personnel according to the provisions of the previous paragraph.

Individuals who violate the provisions of Article 27 of this law and are subject to public security administrative penalties shall not engage in cybersecurity management and key positions in network operations for five years; individuals who are subject to criminal penalties shall be permanently prohibited from engaging in cybersecurity management and key positions in network operations.

Article 64 If network operators or providers of network products or services violate the provisions of the third paragraph of Article 22 or Articles 41 to 43 of this law, infringing upon the legally protected right to personal information, the relevant supervisory authority shall order corrections, and may impose warnings, confiscation of illegal gains, and fines of between one and ten times the illegal gains, or, if there are no illegal gains, fines of up to 1,000,000 yuan, and impose fines between 10,000 and 100,000 yuan on the directly responsible personnel and other directly responsible personnel; if the circumstances are serious, it may also order the suspension of related businesses, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses.

Violating the provisions of Article 44 of this law by stealing or otherwise illegally obtaining, illegally selling, or illegally providing personal information to others, without constituting a crime, shall result in the confiscation of illegal gains by the public security organs and fines of between one and ten times the illegal gains, or, if there are no illegal gains, fines of up to 1,000,000 yuan.

Article 65 Where operators of critical information infrastructure violate the provisions of Article 35 of this law by using network products or services that have not undergone security review or have failed security review, the relevant supervisory authority shall order them to stop using them and impose fines of between one and ten times the purchase amount, and shall impose fines between 10,000 and 100,000 yuan on the directly responsible personnel and other directly responsible personnel.

Article 66 Where operators of critical information infrastructure violate the provisions of Article 37 of this law by storing network data overseas or providing network data to overseas parties, the relevant supervisory authority shall order corrections, issue a warning, confiscate illegal gains, and impose fines between 50,000 and 500,000 yuan, and may order the suspension of related businesses, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses; it shall also impose fines between 10,000 and 100,000 yuan on the directly responsible personnel and other directly responsible personnel.

Article 67 Violating the provisions of Article 46 of this law by establishing websites or communication groups for the purpose of engaging in illegal activities or using the internet to disseminate information related to engaging in illegal activities, without constituting a crime, shall result in detention for up to five days by public security organs, and may also incur fines between 10,000 and 100,000 yuan; if the circumstances are serious, detention for more than five days but less than fifteen days may be imposed, with fines between 50,000 and 500,000 yuan. Websites or communication groups used for illegal activities shall be closed.

If an entity engages in the aforementioned behavior, public security organs shall impose fines between 100,000 and 500,000 yuan, and impose penalties on the directly responsible personnel and other directly responsible personnel according to the provisions of the previous paragraph.

Article 68 If network operators violate the provisions of Article 47 of this law by failing to stop the transmission of information that is prohibited from being published or transmitted by laws and administrative regulations, to take measures to eliminate it, and to preserve relevant records, the relevant supervisory authority shall order corrections, issue warnings, and confiscate illegal gains; if they refuse to rectify or the circumstances are serious, they shall be fined between 100,000 and 500,000 yuan, and the relevant supervisory authority may order the suspension of related businesses, business rectification, closure of websites, revocation of relevant business licenses, or revocation of business licenses, and impose fines between 10,000 and 100,000 yuan on the directly responsible personnel and other directly responsible personnel.

Providers of electronic information sending services and application download services that fail to fulfill the security management obligations stipulated in the second paragraph of Article 48 of this law shall be punished according to the provisions of the previous paragraph.

Article 69 If network operators violate the provisions of this law by engaging in any of the following behaviors, the relevant supervisory authority shall order corrections; if they refuse to rectify or the circumstances are serious, they shall be fined between 50,000 and 500,000 yuan, and fines between 10,000 and 100,000 yuan shall be imposed on the directly responsible personnel and other directly responsible personnel:

  1. Failing, as required by relevant authorities, to take measures to stop the transmission of, or to eliminate, information that is prohibited from being published or transmitted by laws and administrative regulations;

  2. Refusing or obstructing the lawful supervision and inspection conducted by relevant authorities;

  3. Refusing to provide technical support and assistance to public security organs and national security organs as required.

Article 70 The publication or transmission of information prohibited from being published or transmitted by the second paragraph of Article 12 and other laws and administrative regulations shall be punished according to relevant laws and administrative regulations.

Article 71 Individuals or entities committing violations as stipulated in this law shall be recorded in credit files according to relevant laws and administrative regulations and made public.

Article 72 Where operators of government affairs networks fail to fulfill the cybersecurity protection obligations stipulated in this law, their superior organs or relevant authorities shall order corrections; the directly responsible personnel and other directly responsible personnel shall be punished according to law.

Article 73 If the cyberspace administration and relevant departments violate the provisions of Article 30 of this law by using information obtained in the course of performing cybersecurity protection duties for other purposes, the directly responsible personnel and other directly responsible personnel shall be punished according to law.

If staff from the cyberspace administration and relevant departments neglect their duties, abuse their power, or engage in favoritism, without constituting a crime, they shall be punished according to law.

Article 74 Violating the provisions of this law and causing damage to others shall result in civil liability according to law.

Violating the provisions of this law and constituting a violation of public security management shall result in public security administrative penalties; if it constitutes a crime, criminal responsibility shall be pursued according to law.

Article 75 Foreign institutions, organizations, or individuals engaging in activities that attack, intrude into, interfere with, or destroy critical information infrastructure of the People's Republic of China, causing serious consequences, shall be held legally accountable; the public security departments of the State Council and relevant departments may decide to impose necessary sanctions such as freezing assets against those institutions, organizations, or individuals.

Chapter VII Supplementary Provisions

Article 76 The following terms in this law shall have the meanings ascribed to them:

  1. "Network" refers to a system composed of computers or other information terminals and related devices that collect, store, transmit, exchange, and process information according to specific rules and procedures.

  2. "Cybersecurity" refers to the ability to maintain a stable and reliable operating state of the network by taking necessary measures to prevent attacks, intrusions, disruptions, destruction, and illegal use of the network, as well as accidental incidents, and to ensure the integrity, confidentiality, and availability of network data.

  3. "Network operator" refers to the owner, manager, and service provider of the network.

  4. "Network data" refers to various electronic data collected, stored, transmitted, processed, and generated through the network.

  5. "Personal information" refers to various information that can identify an individual's identity, recorded electronically or otherwise, alone or in combination with other information, including but not limited to an individual's name, date of birth, identification number, biometric information, address, and telephone number.

Article 77 The operational security protection of networks involving state secrets, in addition to complying with this law, shall also comply with the provisions of confidentiality laws and administrative regulations.

Article 78 The security protection of military networks shall be regulated separately by the Central Military Commission.

Article 79 This law shall take effect on June 1, 2017.

