Chinese companies and bosses to face major fines over cybersecurity incidents
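Chinese lawmakers are reviewing a draft amendment to the Cybersecurity Law that introduces certification requirements for technology products and increases penalties for security problems affecting critical sectors and sensitive data. The amendment aims to raise the level of cybersecurity and may affect the global digital governance landscape. 2025-9-10 13:45:56 Author: therecord.media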

Chinese lawmakers are this week considering a draft amendment to the country’s Cybersecurity Law that will introduce certification requirements for technology products, alongside more severe penalties for security shortcomings affecting critical sectors and sensitive data.

The update appears to mirror Western cybersecurity concerns that Beijing could exploit Chinese products during a time of conflict or crisis. The government would be able to restrict the use of untrusted products within what China calls critical information infrastructure (CII), the computer systems used in sectors such as transport, energy and finance.

A draft of the amendment was published for consultation earlier this year by the Cyberspace Administration of China — the regulator responsible for a wide range of internet controls including data privacy, cybersecurity and policing content-based offenses. It was officially submitted to the Standing Committee of the National People's Congress on Monday, with the session to continue until Friday.

If passed, the proposal would increase organizational fines for the most severe security incidents, for instance those affecting very sensitive data or leading to the disruption of critical infrastructure, to a maximum of ¥10 million ($1.4 million). Directly responsible supervisors will face personal fines of up to ¥100,000 ($14,000).

The amendment also introduces harsher penalties for using services that store critical information on cloud servers based internationally, as well as on the use of uncertified products, particularly in critical sectors.

Companies and individuals caught selling uncertified cybersecurity products could be ordered to fix their products, have their profits confiscated and be fined up to three times the amount of the illegal gains. CII operators can be fined 10 times the procurement cost for using products that haven't been certified.

Article 19, the British-based human rights organization, described the amendment as reinforcing duties to facilitate the government's censorship and surveillance activities, saying it “doubles down on China's repressive norms and poses a global threat in normalizing China's authoritarian model of digital governance.”

Eugenio Benincasa, a senior cyberdefense researcher at the Center for Security Studies at ETH Zurich who has detailed the role of the private sector in China’s offensive cyber campaigns, told Recorded Future News: “Overall, the draft significantly raises the stakes for companies in China’s cyber ecosystem, increasing fines and personal liability for executives while also tightening rules on data transfers and illegal content.

“Unlike in the West, where cybersecurity laws focus primarily on technical issues such as data protection, China’s model blends network defense with strict information control, making companies accountable for both,” added Benincasa.

Tim Stevens, the head of the cybersecurity research group at King's College London, said: “China is pushing various standards internationally that might not align with democratic norms, but align with the interests of the Chinese Communist Party. China is looking to embed its values in the standards that we employ in technologies that are used globally. It’s much easier to do that if you control either the standards or the technologies. 

“China will bake in particular requirements and components into network products that it wishes to export. If that means you’re sending data back to Chinese datacenters that are then accessible by Chinese state intelligence and others, then so be it.”

Stevens said the amendment aligned with two of Beijing’s efforts in recent years, the first being to assert its sovereignty over the internet. “So ‘we’ have, as the Chinese government, or the Party, we have total control and authority over traffic that both originates in China or passes over Chinese networks, wherever they may be.

“The second is that it’s seeking to challenge historical US dominance over the principles and standards of how the internet and other information systems operate. And China has been doing that very, very effectively. This law seems to be another piece of that essentially saying that if you want to do business in or with China, you need to be subject to either our domestic laws or to the standards that we wish to promote internationally around those technologies.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.


Article source: https://therecord.media/china-cybersecurity-law-update-penalties-companies-executives