China’s Overhauled Cybersecurity Law: A New Compliance Burden for Foreign Firms

On 1 January 2026, the compliance picture for companies operating in China changed substantially. Amendments to China’s Cybersecurity Law — the foundational statute governing digital infrastructure and data security — entered into force, bringing obligations that are more demanding and more specific than what existed before.

The headline requirement is a two-hour incident reporting window. Companies must notify Chinese authorities within two hours of detecting a serious cybersecurity incident. The EU’s equivalent under NIS2 is 24 hours for initial notification. Two hours demands pre-built response protocols, designated reporting contacts, and real-time decision-making at a standard most organisations have not been built to meet.

The changes go further. Organisations running critical network infrastructure must maintain a physical local office in China, conduct annual independent security audits, set up dedicated internal cybersecurity units, and run continuous risk monitoring. Maximum fines have risen sharply: up to CNY 50 million or 5 percent of the previous year’s annual turnover, whichever is larger. Individual executives face personal fines of up to CNY 1 million.

On the same day, Hong Kong enacted its first comprehensive cybersecurity statute. The Protection of Critical Infrastructure (Computer Systems) Ordinance covers operators across eight essential service sectors — energy, finance, transport, healthcare, and communications among them — and introduces its own incident reporting and security management requirements.

The combined effect across Greater China is a step-change in compliance complexity. The requirements are structural, not administrative. A company managing China cybersecurity through a regional operations centre in Singapore or Tokyo will need to rethink that model. The two-hour reporting window alone requires on-the-ground capability that cannot be run remotely.

There is also a data layer. The Cybersecurity Law amendments interact with China’s Data Security Law and Personal Information Protection Law — three statutes that together govern what data can leave China, how it must be classified, and what security standards apply. The January amendments tightened one part of an already demanding system, and enforcement attention is expected to intensify.

China’s updated Cybersecurity Law, in force since January 2026, requires companies to report serious incidents within two hours, maintain local offices, run annual independent audits, and face penalties of up to 5 percent of annual turnover. Hong Kong enacted parallel legislation the same day. For multinationals with operations in Greater China, this requires a genuine structural review of security operations — not just updated documentation.
