Trusq

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NL·EN
Analysis

China writes AI into its Cybersecurity Law: a third model of AI regulation

Adopted 2026-06-13 · ≈ 3 min read · Dirk Baaijen

On 1 January 2026 China's amended Cybersecurity Law took effect, adding an article that lifts AI into foundational legislation. But the new AI clause is promotional — China's binding AI rules stay sectoral, a third model beside the EU's and Korea's horizontal laws.

China is, by most measures, one of the two largest AI powers in the world, yet until now it had no horizontal AI statute and barely figured on the map European compliance teams draw when they think about cross-border AI rules. That gap narrowed on 1 January 2026, when the amended Cybersecurity Law took effect and, for the first time, wrote artificial intelligence into one of China's foundational digital laws. The change matters less for what it commands than for what it signals — and for how sharply it differs from the EU and South Korean models it sits beside.

What changed, and when

The Cybersecurity Law has anchored China's digital governance since it took effect in 2017. The Standing Committee of the National People's Congress adopted its first substantive overhaul on 28 October 2025, and the revised law entered into force on 1 January 2026. The amendment adds four new articles, modifies thirteen, and aligns the law's penalty and referral provisions with the two statutes that grew up beside it — the Data Security Law and the Personal Information Protection Law (PIPL).

The headline addition is a dedicated AI provision, Article 20. It commits the state to support fundamental research on AI theory and key technologies such as algorithms; to promote the build-out of infrastructure including training-data resources and computing power; to enhance ethical standards for AI; and to strengthen risk monitoring, assessment and safety supervision so as to foster the "healthy development and application" of AI.

A promotional clause, not a duty

Read closely, Article 20 is the opposite of the EU AI Act's operative core. It imposes no risk classification, no conformity assessment, no obligations on named "operators," and — crucially — no penalty of its own. It is an aspirational, policy-setting article: the state will support, will promote, will strengthen. The teeth elsewhere in the amended law are real — fines rise steeply, reaching up to RMB 10 million (roughly €1.2 million) for the gravest violations, with personal fines for responsible individuals — but they attach to the law's operational obligations on network and critical-infrastructure security, not to the AI clause.

The effect is symbolic and structural rather than regulatory in the European sense. China has elevated AI governance from scattered departmental rules to the level of primary legislation, planting a horizontal anchor — but the anchor sets direction, it does not yet bind conduct.

The binding rules stay sectoral

That is because China's enforceable AI rules already exist, and they live one layer down, in vertical instruments aimed at specific technologies. Measures governing generative-AI services have been in force since 2023; rules requiring the labelling of AI-generated synthetic content took effect in September 2025, obliging providers to mark synthetic text, images, audio and video. Where the EU is building one comprehensive product law and Korea has enacted a single horizontal statute, China governs AI through a growing stack of targeted measures, now crowned by a promotional clause in its cybersecurity framework.

This is a genuinely different architecture — a third model. The EU regulates AI horizontally and bindingly through the AI Act. Korea has copied that horizontal shape but front-loaded promotion and deferred penalties. China keeps its binding rules vertical and technology-specific, and uses foundational legislation to declare intent rather than to impose duties. Notably, China's content-labelling rules and the EU's Article 50 transparency duties converge on the same problem — making synthetic media recognisable — from opposite regulatory philosophies.

Why it matters beyond China

For organisations operating across jurisdictions, the lesson is not that a new compliance burden has landed on 1 January — Article 20 imposes none directly. It is that the structural map of global AI regulation now has three distinct shapes, not one being copied everywhere. An organisation that has internalised the EU's risk-based grammar cannot assume China's framework will mirror it; the binding obligations are scattered across sectoral measures and must be read on their own terms, with the official Chinese texts — not Western summaries — as the authority. The wider pattern traced in our analysis of international AI governance and the Asia-Pacific comparison holds: jurisdictions are reaching for the same targets — safety, transparency, accountability — through institutions and instruments shaped by very different legal traditions.

Sources

  1. https://npcobserver.com/legislation/cybersecurity-law/
    NPC Observer legislative record: CSL amendment adopted by the NPC Standing Committee 28 Oct 2025, in force 1 Jan 2026; links the authoritative text.
  2. https://intellectual-property-helpdesk.ec.europa.eu/news-events/news/regulating-ai-and-strengthening-legal-liability-chinas-cybersecurity-law-revision-completed-2025-11-28_en
    EU IP Helpdesk: the revision adds an article promoting AI development, ethics and safety supervision, and raises liability and penalties.
  3. https://www.china-briefing.com/news/china-cybersecurity-law-amendment/
    China Briefing (Dezan Shira): new Article 20 on AI — research, infrastructure, ethics, risk and safety oversight — and penalties up to RMB 10 million.

Share on LinkedIn

Read next

A

India chooses guidelines over a statute — a principle-based AI governance framework

On 15 February 2026 India's MeitY released its AI Governance Guidelines — a principle-based framework on seven 'sutras'. The defining choice is what it declines: not a new horizontal AI law, but a bet on existing statutes, new institutions and an innovation-first posture.

A

Vietnam becomes the first Southeast Asian state to adopt a standalone AI law

On 1 March 2026 Vietnam's Law on Artificial Intelligence (134/2025/QH15) took effect — the first standalone, horizontal AI law in Southeast Asia. It borrows the EU's risk-based structure but binds from day one, while keeping an innovation-promotion layer of its own.

A

South Korea's AI Basic Act: Asia's first comprehensive AI law takes effect

On 22 January 2026 South Korea's AI Basic Act took effect — the world's second comprehensive AI law after the EU's, and the first in Asia. It regulates high-impact and generative AI with transparency and human-oversight duties, and reaches foreign providers above set thresholds.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method →

A project or programme? Work with YRproject →

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.