China: Legislature review of draft cybersecurity law has global consequences

This week, the Standing Committee of China's top legislative body, the National People's Congress (NPC), convenesfrom 8 to 12 September. It is set to consider16 legislative bills, among other business, including a draft amendment to the 2017 Cybersecurity Law proposed by the Cyberspace Administration of China. ARTICLE 19 has previously warnedthat the draft amendment doubles down on China's repressive norms and poses a global threat in normalisingChina's authoritarian model of digital governance. The international community mustpay close attention to China's evolving norms in cybersecurity to betterprevent the risk ofnormalisingits repressive model.

The Cyberspace Administration of China (CAC)isChina's super-powerful digital regulator, playing a coreleadership role, alongside other institutions like the Ministry of Industry and Information Technology and Ministry of Public Security, over censorship, surveillance, and propaganda activities. It has played a major rolein developing China's digital authoritarian governance norms, including an embrace of cybersecurity governance as a vehicle for China's global norms-setting.

In ARTICLE 19's March 2025 report Cybersecurity with Chinese Characteristics: Digital governance in the Indo-Pacific and the Taiwanese alternative, we highlighted how the 2017 Cybersecurity Law has been foundational to much of China's digital governance model and has influenced similarly repressive laws in other countries. The law has influenced a range a measures in China that increasingly strip away the freedom of expression and right to privacy, including a controversial national internet ID measure, which came into effect on 15 July 2025. As our analysiswith Chinese Human Rights Defenders (CHRD) argues, this measure not only drives repression in China, it risks spawning similarly repressive measures in other countries that partner with China along the Digital Silk Road.

The 2017 Cybersecurity Law establishes provisions on real-name identity verification, data localisation, network monitoring amounting to surveillance, strict, overbroad censorship, and network shutdowns, while simultaneously weakening cybersecurity. The CAC has published two versions of its draft amendment to the 2017 law, in 2022and again earlier this year.

The amendment, argues NPC Observer, an affiliate institution at Yale Law School, is likelyto pass after two reviews, potentially later this year. With that in mind, it is important to unpack its potential adverse impact.

Supercharging censorship and surveillance

In June 2025 ARTICLE 19 published a brief analysisof the draft amendment. The most concerning changes involve significant aggravated punishments, including financial penalties and greater liability for responsible personnel, and the reinforcement of censorship and surveillance as core elements of cybersecurity governance.

For example, in cases of unspecified 'serious' circumstances, the fine increases to 2 million yuan (280,392 USD), and those who fail to block 'prohibited' content that leads to further unspecified 'particularly serious' consequences will be subjected to a maximum fine of 10 million yuan (1,401,960 USD). Penalties also apply to providing software, other technical support, or expenses for prohibited activities, such as VPNs, and for providing critical network equipment that has not received certification from the authorities.

Beyond specific provisions that supercharge penalties for non-compliance with censorship and surveillance in China, the normative underpinnings for China's approach to leading in cybersecurity digital governance raise concerns for internet freedom everywhere.

Assault on global norms

In its explanatory noteto the March 2025 draft, the CAC also reiterates that the Cybersecurity Law provides the legal foundation for cyber sovereignty - one of China's core authoritarian digital governance norms. It also stresses leader Xi Jinping's imperative for the country to become a cyber superpower - code for leading in global digital norms-setting.

Cyber sovereignty, as argued in our March 2025 report, fundamentally conflicts with international human rights law, which is universal, indivisible, and interdependent regardless of frontiers. It raises concerns about freedoms of expression, information, and privacy. Despite China's Position on Global Digital Governancereleased in 2023 by the Ministry of Foreign Affairs to oppose internet fragmentation, its embrace of cyber sovereignty encourages national regulations that risk precipitating a fragmented digital landscape.

We have seen how cyber sovereignty and lessons from China's cybersecurity governance norms have fuelled rising digital repression.

This includes Vietnam's 2018 Cybersecurity Law, which closely resemblesChina's. Vietnam is likewise poised in October 2025 to debate and likely adopt its own Cybersecurity Law amendment. Vietnam's Cybersecurity Law and related decreeshave been used to justify a range of increasing censorship and other digital repression in the country - at odds with Vietnam's international human rights obligations.

Nepal, in August 2023, enactedits National Cybersecurity Policy, which calls for the establishment of a government-owned intranet and national internet gateway, reminiscent of China's Great Firewall. Recently, in early September 2025, Nepal ordered internet service providers in the country to block access to foreign social media platforms, including Facebook, YouTube, and X, again an apparent move towards adopting China's cybersecurity governance model. Following widespread protest, and at least 19 dead, Nepal later reversed the directive.

In Iran, the Supreme Council of Cyberspace, which resembles the CAC, has also promoted cyber sovereignty and cybersecurity to justify its own version of the Great Firewall, the National Information Network, which ARTICLE 19 has analysed as a serious threat to internet freedom in our Tightening the Net series.

The threats to rights-based digital governance represented by China's global norms-setting in the promotion of its model of cybersecurity governance are not speculative. As we have shown, emulation of the China model has supported the normalisation of digital repression. The CAC acknowledges cybersecurity norms-setting is core to China's vision of becoming a global cyber superpower. While the draft amendment, if enacted, will have an immediate adverse impact on the freedom of expression in China, as the country continues to strive for cyber superpower status its model for cybersecurity governance will continue to be a vehicle through which it pursues its digital authoritarian norms-setting. It must be resisted.