Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
For privacy and cybersecurity professionals, 2026 begins on a strong note with the implementation of several important laws and regulations in greater China.
1 Jan. marks the formal entry into force of significant amendments to China's Cybersecurity Law. For those following developments in China's data and cybersecurity landscape, the CSL will be familiar. Together with the Data Security Law and the Personal Information Protection Law, it forms the cornerstone of China's data and cybersecurity legal framework.
As China's first national law governing data and cybersecurity, issued in 2016, the CSL has played a foundational role. However, rapid technological advancements and the emergence of the digital economy have created an urgent need to modernize the law. Following several years of legislative review and extensive public and stakeholder consultation, the amended CSL was passed in October 2025.
The amendments address a wide range of critical issues, including bringing artificial intelligence governance within the scope of the CSL, strengthening supply-chain cybersecurity, enhancing compliance obligations for critical information infrastructure operators, and significantly increasing penalties for noncompliance. The maximum fine for companies has been raised to CNY50 million or 5% of the previous year's turnover, while individuals may face penalties of up to CNY1 million.
The same date also marks the commencement of Hong Kong's first comprehensive cybersecurity statute: the Protection of Critical Infrastructure (Computer Systems) Ordinance.
The ordinance applies to critical infrastructure operators across eight essential service sectors, including energy, finance, transport, health care and communications. It introduces three core compliance obligations: organizational requirements, including maintaining a local office, establishing a dedicated cybersecurity unit, and reporting changes in ownership; governance and assurance measures, such as conducting annual risk assessments and independent audits; and operational requirements, including reporting serious incidents within two hours and other incidents within 24 hours, as well as conducting staff training and incident response drills.
Noncompliance may result in fines ranging from HKD500,000 to HKD5 million, in addition to daily penalties for continuing breaches. On the same day, the Office of the Commissioner of Critical Infrastructure issued a Code of Practice, providing detailed guidance to help organizations comply with the new regime.
With these regulations now in force, regulators in both mainland China and Hong Kong are expected to take an active enforcement approach throughout 2026.
Beyond cybersecurity, the protection of minors' personal information is also expected to be a key compliance focus in 2026. On 28 Dec. 2025, the Cyberspace Administration of China issued a directive requiring companies that collect minors' personal information to complete compliance audits and submit filings to their local CAC offices by 31 Jan. 2026.
The filing must include information such as the nature, categories and volume of minors' personal information collected, an impact assessment report, a signed letter of undertaking and any additional materials required by the CAC on a case-by-case basis. Given the extremely tight deadline, companies that have not yet taken action should do so immediately.
Looking ahead, 2026 is poised to be a dynamic year for AI deployment and the continued development of China's digital economy. China is expected to maintain an agile approach to AI governance, seeking to balance technological innovation with data security, privacy protection and intellectual property rights.
In recent months, regulators have released draft rules and industry standards addressing AI security and agentic AI issues. The National Data Administration has said more than 30 new standards are expected to be issued in 2026, relating to public data, data infrastructure, AI agents, high-quality datasets, full-scale urban digital transformation, important data catalogs for telecommunications, agriculture, aviation, aerospace and more.
According to the Chinese zodiac, 2026 is the Year of the Horse — a symbol of leadership, pioneering spirit and swift progress, tempered by the need to balance freedom with responsibility and to build experience over time. These qualities aptly reflect what lies ahead for China's digital economy and its evolving data and AI governance landscape.
Barbara Li, CIPP/E, is a partner at Reed Smith.
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter.


