Cybersecurity Law of the People's Republic of China

Cybersecurity Law of the People's Republic of China

(Adopted at the 24th Meeting of the Standing Committee of the 12th National People's Congress on November 7, 2016)

　　The Cybersecurity Law of the People's Republic of China, adopted at the 24th Meeting of the Standing Committee of the 12th National People's Congress of the People's Republic of China on November 7, 2016, is hereby promulgated and will come into force as of June 1, 2017。

目录

　　Chapter I General rules

　　The second chapter is network security support and promotion

　　Chapter Three network operation security

　　Section I General provisions

　　Section 2 Operation security of critical information infrastructure

　　Chapter IV network information security

　　Chapter V monitoring, early warning and emergency handling

　　Chapter VI Legal liability

　　Chapter VII Supplementary Provisions

Chapter I General rules

　　Article 1 This Law is formulated with a view to ensuring cyber security, safeguarding sovereignty and national security in cyberspace, and public interests, protecting the lawful rights and interests of citizens, legal persons and other organizations, and promoting the sound development of economic and social informatization。

　　Article 2 This Law shall apply to the construction, operation, maintenance and use of networks within the territory of the People's Republic of China, as well as the supervision and administration of network security。

　　Article 3 The State attaches equal importance to cybersecurity and informatization development，Follow the policy of active utilization, scientific development, legal management and ensuring safety，We will promote network infrastructure development and connectivity，We will encourage innovation and application of network technologies，Support the training of cybersecurity talents，Establish and improve the network security system，Improve network security protection capabilities。

　　Article 4 The State formulates and constantly improves the cybersecurity strategy, defines the basic requirements and main objectives for ensuring cybersecurity, and puts forward cybersecurity policies, work tasks and measures in key areas。

　　Article 5 The State shall take measures to monitor, defend against and deal with cybersecurity risks and threats originating within and outside the territory of the People's Republic of China, protect critical information infrastructure from attack, intrusion, interference and destruction, punish illegal and criminal cyber activities according to law, and maintain security and order in cyberspace。

　　Article 6 The State advocates honest and trustworthy, healthy and civilized cyber behavior, promotes the dissemination of socialist core values, takes measures to raise the awareness and level of cyber security of the whole society, and forms a good environment for the whole society to participate in promoting cyber security。

　　Article 7 The State actively carries out international exchanges and cooperation in cyberspace governance, research and development of cyber technologies and formulation of standards, and combating cyber crimes, promotes the building of a peaceful, secure, open and cooperative cyberspace, and establishes a multilateral, democratic and transparent cyber governance system。

　　Article 8 The national cyberspace administration shall be responsible for overall planning and coordination of network security work and related supervision and administration。The competent telecommunications department under The State Council, the public security department and other relevant organs shall, in accordance with the provisions of this Law, relevant laws and administrative regulations, be responsible for the protection, supervision and administration of network security within the scope of their respective functions and duties。

　　The cybersecurity protection, supervision and administration responsibilities of relevant departments of local people's governments at or above the county level shall be determined in accordance with relevant state regulations。

　　Article 9 In carrying out business and service activities, network operators must abide by laws and administrative regulations, respect social ethics, observe business ethics, be honest and trustworthy, fulfill the obligations of network security protection, accept the supervision of the government and society, and assume social responsibilities。

　　Article 10 Construction and operation of networks or provision of services through networks，It shall comply with the mandatory requirements of laws, administrative regulations and national standards，Take technical measures and other necessary measures，Ensure network security and stable operation，Effectively respond to cyber security incidents，Guard against illegal and criminal activities on the Internet，Maintain the integrity, confidentiality and availability of network data。

　　Article 11 Network related industry organizations, in accordance with the articles of association, strengthen industry self-discipline, formulate network security codes of conduct, guide members to strengthen network security protection, improve the level of network security protection, and promote the healthy development of the industry。

　　Article 12 The State protects the rights of citizens, legal persons and other organizations to use the Internet according to law, promotes the popularization of Internet access, improves the level of Internet services, provides safe and convenient Internet services to the society, and ensures the orderly and free flow of Internet information according to law。

　　Any individual or organization using the Internet shall abide by the Constitution and laws，Observe public order，Respect social morality，It must not jeopardize network security，The Internet shall not be used to endanger national security, honor or interests，煽动颠覆国家政权、推翻社会主义制度，Incitement to split the country and undermine national unity，Promoting terrorism and extremism，Propagating ethnic hatred and discrimination，Spreading violent, obscene and pornographic information，Fabricating and spreading false information to disrupt economic and social order，And infringe upon others' reputation, privacy, intellectual property rights and other legitimate rights and interests。

　　Article 13 The State supports the research and development of Internet products and services conducive to the healthy growth of minors, punishes according to law the use of the Internet to engage in activities that endanger the physical and mental health of minors, and provides a safe and healthy Internet environment for minors。

　　Article 14 Any individual or organization shall have the right to report any act endangering network security to cyberspace, telecommunications, public security and other departments。The department receiving the report shall promptly handle it according to law;If it does not fall within the responsibilities of its own department, it shall be promptly transferred to the department that has the authority to handle it。

　　The relevant departments shall keep confidential the relevant information of the informants and protect the legitimate rights and interests of the informants。

The second chapter is network security support and promotion

　　Article 15 The State establishes and improves a network security standard system。The competent department of Standardization Administration under The State Council and other relevant departments under The State Council shall, in accordance with their respective functions and responsibilities, organize the formulation and timely revision of national and industry standards on network security management and network products, services and operation security。

　　The state supports enterprises, research institutions, institutes of higher learning, and network-related industry organizations to participate in the formulation of national and industry standards for cybersecurity。

　　Article 16 The State Council and the people's governments of provinces, autonomous regions and municipalities directly under the Central Government shall make overall plans，Increase investment，Support key cybersecurity technology industries and projects，Support the research, development and application of network security technology，Promote secure and trusted network products and services，Protecting intellectual property rights in network technology，We will support enterprises, research institutions and institutions of higher learning in participating in national cybersecurity technology innovation projects。

　　Article 17 The State promotes the construction of a network security social service system, and encourages relevant enterprises and institutions to carry out network security certification, testing and risk assessment and other security services。

　　Article 18 The State encourages the development of network data security protection and utilization technologies, promotes the opening of public data resources, and promotes technological innovation and economic and social development。

　　The state supports innovation in network security management methods, the use of new network technologies, and the enhancement of network security protection。

　　Article 19 People's governments at all levels and their relevant departments shall organize and carry out regular network security publicity and education, and guide and urge relevant units to do a good job of network security publicity and education。

　　The mass media should conduct network security publicity and education targeted at the society。

　　Article 20 The State supports enterprises, institutions of higher learning, vocational colleges and other education and training institutions to carry out cybersecurity related education and training, adopt various ways to train cybersecurity talents, and promote the exchange of cybersecurity talents。

Chapter Three network operation security

　　Section I General provisions

　　Article 21 The State applies a system of graded network security protection。Network operators shall fulfill the following security protection obligations in accordance with the requirements of the network security level protection system, protect the network from interference, damage or unauthorized access, and prevent network data from being leaked, stolen or tampered with:

　　(1) Formulate internal security management systems and operating procedures, determine the person in charge of network security, and implement the responsibility for network security protection;

　　(2) Take technical measures to prevent computer viruses, network attacks, network intrusion and other acts that endanger network security;

　　(3) Take technical measures to monitor and record network operation status and network security events, and keep relevant network logs for not less than six months in accordance with regulations;

　　(4) Take measures such as data classification, backup and encryption of important data;

　　(5) Other obligations stipulated by laws and administrative regulations。

　　Article 22 Network products and services shall meet the mandatory requirements of relevant national standards。Providers of network products and services shall not install malicious programs;When it is found that its network products and services have security defects, vulnerabilities and other risks, it shall immediately take remedial measures, inform users in a timely manner and report to the relevant competent authorities in accordance with regulations。

　　The providers of network products and services shall continue to provide security maintenance for their products and services;The provision of security maintenance shall not be terminated within the time limit prescribed or agreed upon by the parties。

　　Where network products and services have the function of collecting user information, their providers shall express it to users and obtain their consent;Where personal information of users is involved, the provisions of this Law and relevant laws and administrative regulations on the protection of personal information shall also be observed。

　　Article 23 Key network equipment and special network security products shall, in accordance with the mandatory requirements of relevant national standards, be sold or provided only after security certification by qualified organizations or security tests meet the requirements。The national cyberspace administration, together with relevant departments under The State Council, shall formulate and publish catalogues of key network equipment and special cybersecurity products, and promote mutual recognition of security certification and security testing results to avoid duplicate certification and testing。

　　Article 24 A network operator shall require users to provide real identity information when signing an agreement with users or confirming the provision of services when handling network access and domain name registration services for users, handling network access procedures such as fixed-line telephones and mobile telephones, or providing users with services such as information release and instant messaging。If the user does not provide real identity information, the network operator shall not provide relevant services for him。

　　The state implements the online trusted identity strategy, supports the research and development of secure and convenient electronic identity authentication technologies, and promotes the mutual recognition of different electronic identities。

　　Article 25 Network operators shall formulate emergency plans for network security incidents，Timely handling of system vulnerabilities, computer viruses, network attacks, network intrusion and other security risks;In the event of an incident that jeopardizes network security，Activate emergency plans immediately，Take remedial measures accordingly，And report to the relevant competent authorities in accordance with the provisions。

　　Article 26 In carrying out activities such as network security authentication, testing and risk assessment, and releasing network security information such as system vulnerabilities, computer viruses, network attacks and network intrusions to the public, relevant State regulations shall be observed。

　　Article 27 No individual or organization may engage in activities that endanger network security, such as illegally intruding into others' networks, interfering with the normal functions of others' networks, or stealing network data;It shall not provide programs and tools specifically used to engage in activities endangering network security such as intruding into the network, interfering with the normal functions and protective measures of the network, and stealing network data;Knowingly engaging in activities that endanger network security，It is not allowed to provide technical support, advertising promotion, payment and settlement assistance。

　　Article 28 Network operators shall provide technical support and assistance for the activities of public security organs and state security organs to safeguard national security and investigate crimes in accordance with law。

　　Article 29 The State supports cooperation among network operators in the collection, analysis, notification and emergency response of network security information, so as to improve the security guarantee capabilities of network operators。

　　Relevant industry organizations shall establish and improve their own cybersecurity protection norms and cooperation mechanisms, strengthen the analysis and evaluation of cybersecurity risks, regularly warn members of risks, and support and assist members in coping with cybersecurity risks。

　　Article 30 The information obtained by Internet and information technology departments and relevant departments in the performance of network security protection duties can only be used for the maintenance of network security needs, and may not be used for other purposes。

　　Section 2 Operation security of critical information infrastructure

　　Article 31 The State controls important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government，And others in the event of a breach, loss of functionality, or data breach，Critical information infrastructure that may seriously endanger national security, national economy and people's livelihood, and public interests，On the basis of network security level protection system，Implement key protection。The specific scope of critical information infrastructure and measures for its security protection shall be formulated by The State Council。

　　The State encourages network operators outside critical information infrastructure to voluntarily participate in the critical information infrastructure protection system。

　　Article 32 In accordance with the division of responsibilities prescribed by The State Council, the departments responsible for the security protection of critical information infrastructure shall formulate and organize the implementation of the security plans of critical information infrastructure in their own industries and fields, and guide and supervise the security protection of the operation of critical information infrastructure。

　　Article 33 The construction of critical information infrastructure shall ensure that it has the performance of supporting the stable and continuous operation of the business, and ensure the synchronous planning, construction and use of security technical measures。

　　Article 34 In addition to the provisions of Article 21 of this Law, the operators of critical information infrastructure shall also perform the following security protection obligations:

　　(a) set up a special safety management agency and safety management person in charge, and conduct security background checks on the person in charge and personnel in key positions;

　　(2) Regularly conduct network security education, technical training and skill assessment for employees;

　　(3) Carry out disaster recovery backup for important systems and databases;

　　(4) Formulate emergency plans for network security incidents and conduct regular drills;

　　(5) Other obligations stipulated by laws and administrative regulations。

　　35th critical information infrastructure operators procurement of network products and services, which may affect national security, should be through the national security review organized by the national network information department in conjunction with the relevant departments of The State Council。

　　Article 36 Operators of critical information infrastructure purchasing network products and services shall, in accordance with regulations, sign a security and confidentiality agreement with the provider to clarify security and confidentiality obligations and responsibilities。

　　Article 37 Personal information and important data collected and generated by operators of critical information infrastructure in operation within the territory of the People's Republic of China shall be stored within the territory。Due to business needs, it is really necessary to provide overseas, should be in accordance with the State network information department in conjunction with the relevant departments of The State Council security assessment;Where laws or administrative regulations provide otherwise, such provisions shall prevail。

　　Article 38 The operators of critical information infrastructure shall, by themselves or by entrusting network security service agencies, conduct at least one annual inspection and evaluation of the security and possible risks of their networks, and submit the inspection and evaluation and improvement measures to the relevant departments responsible for the security protection of critical information infrastructure。

　　Article 39 The national network information department shall coordinate the relevant departments to take the following measures for the security protection of critical information infrastructure:

　　(a) to carry out spot checks and tests on the security risks of critical information infrastructure, propose improvement measures, and, if necessary, entrust network security service agencies to carry out tests and assessments on the security risks existing in the network;

　　(2) Regularly organize operators of critical information infrastructure to conduct cyber security emergency drills to improve the level of response to cyber security incidents and the ability to cooperate;

　　(c) Promote the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure, relevant research institutions, and cybersecurity service organizations;

　　(4) Provide technical support and assistance for emergency response of network security incidents and restoration of network functions。

Chapter IV network information security

　　Article 40 Network operators shall keep strictly confidential the user information they collect, and establish and improve the user information protection system。

　　Article 41 In collecting and using personal information, network operators shall follow the principles of legality, legitimacy and necessity, make public the collection and use rules, specify the purpose, method and scope of the collection and use of information, and obtain the consent of the collected person。

　　Network operators shall not collect personal information unrelated to the services they provide, shall not collect and use personal information in violation of the provisions of laws, administrative regulations and the agreement between the two parties, and shall handle the personal information they keep in accordance with the provisions of laws, administrative regulations and the agreement with users。

　　Article 42 Network operators shall not disclose, tamper with, or destroy the personal information they have collected;Personal information shall not be provided to others without the consent of the person collected。However, it is not possible to identify a specific individual after processing and cannot be restored。

　　Network operators shall take technical measures and other necessary measures to ensure the security of the personal information they collect and prevent information disclosure, damage or loss。In the event of or possible disclosure, damage or loss of personal information, it shall immediately take remedial measures, inform users in a timely manner and report to the relevant competent authorities in accordance with regulations。

　　Article 43 Where an individual discovers that a network operator has collected or used his or her personal information in violation of laws, administrative regulations or mutual agreements, he or she shall have the right to request the network operator to delete his or her personal information;If it is found that the personal information collected and stored by the network operator is wrong, it has the right to request the network operator to correct it。Network operators shall take measures to delete or correct。

　　Article 44 No individual or organization may steal or obtain personal information by other illegal means, and may not illegally sell or illegally provide personal information to others。

　　Article 45 Departments and their staff that are legally responsible for the supervision and administration of cyber security must keep strictly confidential the personal information, privacy and business secrets they come to know in the course of performing their duties, and must not disclose, sell or illegally provide to others。

　　Article 46 Any individual or organization shall be responsible for its use of the Internet，Shall not be established to commit fraud，Imparting methods of crime，Websites and communication groups that produce or sell illegal and criminal activities such as prohibited and controlled goods，Shall not use the Internet to publish involving the commission of fraud，Information about the production or sale of prohibited items, controlled items and other criminal activities。

　　Article 47 Network operators shall strengthen the management of the information released by their users, and if they find that the release or transmission of information is prohibited by laws and administrative regulations, they shall immediately stop the transmission of the information, take disposal measures such as elimination, prevent the spread of information, keep relevant records, and report to the relevant competent authorities。

　　Article 48 The electronic information sent by any individual or organization or the application software provided by it shall not contain malicious programs, and shall not contain information whose publication or transmission is prohibited by laws and administrative regulations。

　　Electronic information transmission service providers and application software download service providers shall perform the obligations of safety management, knowing that their users have the acts prescribed in the preceding paragraph, shall stop providing services, take elimination and other disposal measures, keep relevant records, and report to the relevant competent authorities。

　　Article 49 Network operators shall establish a network information security complaint and reporting system, publish information such as complaints and reporting methods, and promptly accept and handle complaints and reports related to network information security。

　　Network operators shall cooperate with the supervision and inspection carried out by network and information technology departments and relevant departments according to law。

　　Article 50 The national cyberspace administration and relevant departments shall perform the duties of supervision and administration of network information security according to law，Discovering information whose publication or transmission is prohibited by laws or administrative regulations，Network operators should be required to stop transmission，Take disposal measures such as elimination，Keep relevant records;The above information comes from outside the People's Republic of China，The relevant authorities shall be notified to take technical and other necessary measures to interrupt transmission。

Chapter V monitoring, early warning and emergency handling

　　Article 51 The State establishes a network security monitoring, early warning and information notification system。The national network information department shall coordinate the relevant departments to strengthen the collection, analysis and notification of network security information, and uniformly release network security monitoring and early warning information in accordance with regulations。

　　Article 52 Departments responsible for the security protection of critical information infrastructure shall establish and improve network security monitoring and early warning and information notification systems in their own industries and fields, and submit network security monitoring and early warning information in accordance with regulations。

　　Article 53 The national cyberspace administration shall coordinate relevant departments to establish and improve the working mechanism for cybersecurity risk assessment and emergency response, formulate emergency plans for cybersecurity incidents, and organize regular exercises。

　　Departments responsible for the security protection of critical information infrastructure shall formulate emergency plans for network security incidents in their own industries and fields, and organize regular exercises。

　　The emergency plan for network security incidents shall classify network security incidents according to factors such as the degree of harm and scope of influence after the occurrence of the incident, and provide corresponding emergency disposal measures。

　　Article 54 When the risk of network security incidents increases, the relevant departments of the people's governments at or above the provincial level shall take the following measures in accordance with the prescribed authority and procedures, and according to the characteristics of network security risks and the possible harm caused:

　　(1) Require relevant departments, institutions and personnel to collect and report relevant information in a timely manner and strengthen monitoring of cybersecurity risks;

　　(2) Organize relevant departments, institutions and professionals to analyze and evaluate network security risk information and predict the possibility, scope of impact and degree of harm of incidents;

　　(3) Issuing early warnings of cybersecurity risks to the society and issuing measures to avoid and mitigate the harm。

　　Article 55 In the event of a network security incident, the emergency plan for a network security incident shall be immediately launched, the network security incident shall be investigated and evaluated, and the network operator shall be required to take technical measures and other necessary measures to eliminate potential security risks, prevent the expansion of hazards, and timely release warning information related to the public to the society。

　　Article 56 Where the relevant departments of the people's governments at or above the provincial level, while performing their duties in the supervision and administration of network security, find that there is a large security risk or a security incident occurs in the network, they may interview the legal representative or the principal person in charge of the network operator according to the prescribed authority and procedures。Network operators shall take measures as required to rectify and eliminate hidden dangers。

　　Article 57 Emergencies or production safety accidents due to network security incidents shall be dealt with in accordance with the provisions of the Emergency Response Law of the People's Republic of China, the Production Safety Law of the People's Republic of China and other relevant laws and administrative regulations。

　　Article 58 In order to maintain national security and social and public order and deal with major social security emergencies, temporary measures such as restrictions on network communications may be taken in specific areas upon decision or approval by The State Council。

Chapter VI Legal liability

　　Article 59 Network operators fail to perform the obligations of network security protection provided for in Articles 21 and 25 of this Law，The competent department shall order it to make corrections，Give a warning;Refusing to correct or causing harm to network security and other consequences，Be fined not less than 10,000 yuan but not more than 100,000 yuan，The person in charge who is directly responsible shall be fined not less than 5,000 yuan but not more than 50,000 yuan。

　　The operators of critical information infrastructure fail to fulfill the obligations of network security protection provided for in Articles 33, 34, 36 and 38 of this Law，The competent department shall order it to make corrections，Give a warning;Refusing to correct or causing harm to network security and other consequences，Be fined not less than 100,000 yuan but not more than one million yuan，The person in charge who is directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan。

　　Article 60 Violation of the provisions of the first and second paragraphs of Article 22 and the first paragraph of Article 48 of this Law，Committing any of the following acts，The competent department shall order it to make corrections，Give a warning;Refusing to correct or causing harm to network security and other consequences，Be fined not less than 50,000 yuan but not more than 500,000 yuan，The person in charge who is directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan:

　　(1) Setting malicious programs;

　　(2) failing to take immediate remedial measures for the security defects, loopholes and other risks existing in its products and services, or failing to inform users in a timely manner and report to the relevant competent authorities in accordance with regulations;

　　(3) Unauthorized termination of security maintenance for its products and services。

　　Article 61 Network operators violate the provisions of paragraph 1 of Article 24 of this Law，Users are not required to provide real identity information，Or providing related services to users who do not provide real identity information，The competent department shall order it to make corrections;Refusing to correct or the circumstances are serious，Be fined not less than 50,000 yuan but not more than 500,000 yuan，It may also be ordered by the relevant competent department to suspend the relevant business, suspend business for rectification, close the website, revoke the relevant business license or revoke the business license，The persons directly in charge and other persons directly responsible shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan。

　　Article 62 Violation of Article 26 of this Law，Carry out activities such as cybersecurity authentication, testing, and risk assessment，Or releasing system vulnerabilities, computer viruses, network attacks, network intrusion and other network security information to the public，The competent department shall order it to make corrections，Give a warning;Refusing to correct or the circumstances are serious，Be fined not less than 10,000 yuan but not more than 100,000 yuan，It may also be ordered by the relevant competent department to suspend the relevant business, suspend business for rectification, close the website, revoke the relevant business license or revoke the business license，The persons directly in charge and other persons directly responsible shall be fined not less than 5,000 yuan but not more than 50,000 yuan。

　　Article 63 Violation of Article 27 of this Law，Engage in activities that compromise network security，Or provide programs and tools specifically used to engage in activities that endanger network security，Or provide technical support, advertising promotion, payment and settlement assistance for others engaged in activities that endanger network security，Not yet constituted a crime，The illegal gains shall be confiscated by the public security organ，Shall be detained for not more than five days，May also impose a fine of not less than 50,000 yuan but not more than 500,000 yuan;More serious circumstances，Shall be detained for not less than five days but not more than 15 days，May also impose a fine of not less than 100,000 yuan but not more than one million yuan。

　　Where a unit commits the acts mentioned in the preceding paragraph, the public security organ shall confiscate the illegal gains, impose a fine of not less than 100,000 yuan but not more than one million yuan, and punish the persons directly in charge and other persons directly responsible in accordance with the provisions of the preceding paragraph。

　　A person who violates the provisions of Article 27 of this Law and is punished for the administration of public security shall not be allowed to engage in key positions of network security management and network operation within five years;Those who receive criminal punishment shall not be allowed to work in key positions of network security management and network operation for life。

　　Article 64 Network operators or providers of network products or services violate the provisions of Article 22, paragraph 3, and Articles 41 to 43 of this Law，Infringe upon the right to protection of personal information according to law，The competent department shall order it to make corrections，They may, in the light of the individual circumstances, be punished or given a combined warning, confiscate their illegal gains, or be fined not less than one time but not more than ten times their illegal gains，No illegal gains，Fined not more than $1 million，The persons directly in charge and other persons directly responsible shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan;serious，And may be ordered to suspend the relevant business, suspend business for rectification, close the website, revoke the relevant business license or revoke the business license。

　　If anyone, in violation of the provisions of Article 44 of this Law, steals or obtains, sells or provides personal information to others by other illegal means, and if the case does not constitute a crime, the illegal gains shall be confiscated by the public security organ and concurrently imposed a fine of not less than one time but not more than ten times the illegal gains; if there are no illegal gains, a fine of not more than one million yuan shall be imposed。

　　Article 65 Operators of critical information infrastructure violate the provisions of Article 35 of this Law，Using network products or services that have not been reviewed or have not passed the security review，The competent department shall order it to cease its use，Impose a fine of not less than twice but not more than ten times the amount of purchase;The persons directly in charge and other persons directly responsible shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan。

　　Article 66 Operators of critical information infrastructure violate the provisions of Article 37 of this Law，Storing network data overseas，Or providing network data overseas，The competent department shall order it to make corrections，Give a warning，Confiscation of illegal gains，Be fined not less than 50,000 yuan but not more than 500,000 yuan，And may order the suspension of relevant business, business rectification, closure of websites, revocation of relevant business licenses or revocation of business licenses;The persons directly in charge and other persons directly responsible shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan。

　　Article 67 Violation of the provisions of Article 46 of this Law，To set up websites and communication groups for carrying out illegal and criminal activities，Or use the Internet to publish information involving the implementation of illegal and criminal activities，Not yet constituted a crime，He shall be detained by a public security organ for not more than five days，May concurrently impose a fine of not less than 10,000 yuan but not more than 100,000 yuan;More serious circumstances，Shall be detained for not less than five days but not more than 15 days，A fine of not less than 50,000 yuan but not more than 500,000 yuan may be imposed。Shut down websites and communication groups used to carry out illegal and criminal activities。

　　Where a unit has defaulted, the public security organ shall impose a fine of not less than 100,000 yuan but not more than 500,000 yuan, and the persons directly in charge and other persons directly responsible shall be punished in accordance with the provisions of the preceding paragraph。

　　Article 68 Network operators violate the provisions of Article 47 of this Law，Failing to stop the transmission of information whose publication or transmission is prohibited by laws or administrative regulations, taking disposal measures such as elimination, and keeping relevant records，The competent department shall order it to make corrections，Give a warning，Confiscation of illegal gains;Refusing to correct or the circumstances are serious，Be fined not less than 100,000 yuan but not more than 500,000 yuan，And may be ordered to suspend the relevant business, suspend business for rectification, close the website, revoke the relevant business license or revoke the business license，The persons directly in charge and other persons directly responsible shall be imposed a fine of not less than 10,000 yuan but not more than 100,000 yuan。

　　Any electronic information transmission service provider or application software download service provider who fails to perform the security management obligations prescribed in the second paragraph of Article 48 of this Law shall be punished in accordance with the provisions of the preceding paragraph。

　　Article 69 Where a network operator commits any of the following acts in violation of the provisions of this Law, the competent department concerned shall order it to make corrections;Those who refuse to make corrections or whose circumstances are serious shall be fined not less than 50,000 yuan but not more than 500,000 yuan, and the persons directly in charge and other persons directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan:

　　(1) failing, as required by the relevant department, to take measures such as stopping transmission or eliminating transmission of information prohibited by laws or administrative regulations;

　　(2) refusing or obstructing the supervision and inspection carried out by relevant departments according to law;

　　(3) refusing to provide technical support and assistance to public security organs and state security organs。

　　Article 70 Whoever publishes or transmits information whose publication or transmission is prohibited by the second paragraph of Article 12 of this Law and other laws and administrative regulations shall be punished in accordance with the provisions of relevant laws and administrative regulations。

　　Article 71 Any illegal act as provided for in this Law shall be recorded in the credit file in accordance with the provisions of relevant laws and administrative regulations and shall be publicized。

　　Article 72 Where the operator of the government network of a State organ fails to fulfill the obligations of network security protection provided for in this Law, the organ at a higher level or the relevant organ shall order it to make corrections;The persons directly in charge and other persons directly responsible shall be given sanctions according to law。

　　Article 73 Where the cyberspace administration and relevant departments violate the provisions of Article 30 of this Law by using the information obtained in the performance of their cybersecurity protection duties for other purposes, the persons directly in charge and other persons directly responsible shall be punished according to law。

　　Staff members of cyberspace and relevant departments who neglect their duties, abuse their power, practice favoritism and engage in malpractices, if no crime is constituted, shall be punished according to law。

　　Article 74 Whoever, in violation of the provisions of this Law, causes damage to another person shall bear civil liability according to law。

　　Whoever violates the provisions of this Law and constitutes an act violating the administration of public security shall be punished for the administration of public security according to law;If the case constitutes a crime, criminal responsibility shall be investigated according to law。

　　Article 75 Overseas institutions, organizations and individuals engage in activities that attack, invade, interfere with or destroy the critical information infrastructure of the People's Republic of China，Causing serious consequences，Investigate legal responsibility according to law;The public security department and other relevant departments under The State Council may also decide to freeze assets or take other necessary sanctions against such institutions, organizations or individuals。

Chapter VII Supplementary Provisions

　　Article 76 The meanings of the following terms in this Law:

　　(1) Network means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information in accordance with certain rules and procedures。

　　(2) Network security refers to the ability to ensure the stable and reliable operation of the network by taking necessary measures to prevent attacks, intrusion, interference, destruction, illegal use of the network and accidents, and to ensure the integrity, confidentiality and availability of network data。

　　(3) Network operators refer to the owners, managers and network service providers of networks。

　　(4) Network data refers to all kinds of electronic data collected, stored, transmitted, processed and generated through the network。

　　(5) Personal information refers to all kinds of information recorded by electronic or other means that can identify a natural person individually or in combination with other information, including but not limited to the natural person's name, date of birth, ID card number, personal biometric information, address, telephone number, etc。

　　Article 77 The security protection of the operation of networks that store and process state secret information shall, in addition to this Law, be governed by the provisions of the security laws and administrative regulations。

　　Article 78 The security protection of military networks shall be formulated separately by the Central Military Commission。

　　Article 79 This Law shall come into force as of June 1, 2017。