
Cybersecurity Law of the People's Republic of China

Release time: 2022-04-12 01:00


Chapter 1 General Provisions

Article 1: In order to ensure network security, safeguard the sovereignty of cyberspace, national security, and public interests, protect the legitimate rights and interests of citizens, legal persons, and other organizations, and promote the healthy development of economic and social informatization, this Law is formulated.

Article 2: This Law applies to the construction, operation, maintenance, and use of networks within the territory of the People's Republic of China, as well as the supervision and management of network security.

Article 3: The state adheres to the equal importance of network security and information technology development, follows the principles of active utilization, scientific development, legal management, and ensuring security, promotes the construction and interconnection of network infrastructure, encourages innovation and application of network technology, supports the cultivation of network security talents, establishes a sound network security guarantee system, and enhances the ability to protect network security.

Article 4: The state shall formulate and continuously improve a cybersecurity strategy, clarify the basic requirements and main objectives for safeguarding cybersecurity, and propose cybersecurity policies, work tasks, and measures in key areas.

Article 5: The state shall take measures to monitor, defend against, and dispose of cybersecurity risks and threats originating from within and outside the territory of the People's Republic of China, protect critical information infrastructure from attacks, intrusions, interference, and destruction, punish illegal and criminal activities on the internet in accordance with the law, and maintain cybersecurity and order.

Article 6: The state advocates honest and trustworthy, healthy and civilized online behavior, promotes the dissemination of socialist core values, takes measures to improve the awareness and level of network security in the whole society, and forms a good environment for the whole society to participate in promoting network security.


Article 7: The state actively engages in international exchanges and cooperation in cyberspace governance, research and development of network technology and standard setting, and combating cybercrime, promoting the construction of a peaceful, secure, open, and cooperative cyberspace, and establishing a multilateral, democratic, and transparent network governance system.

Article 8: The national cyberspace administration department is responsible for coordinating network security work and related supervision and management work. The telecommunications regulatory department, public security department, and other relevant authorities of the State Council shall be responsible for network security protection and supervision and management within their respective areas of responsibility in accordance with the provisions of this Law and relevant laws and administrative regulations.

The responsibilities for network security protection and supervision management of relevant departments of local people's governments at or above the county level shall be determined in accordance with relevant national regulations.

Article 9: Network operators conducting business and service activities must comply with laws and administrative regulations, respect social ethics, abide by business ethics, be honest and trustworthy, fulfill their obligations to protect network security, accept supervision from the government and society, and assume social responsibilities.

Article 10: The construction and operation of networks or the provision of services through networks shall be carried out in accordance with the provisions of laws, administrative regulations, and mandatory requirements of national standards. Technical and other necessary measures shall be taken to ensure network security and stable operation, effectively respond to network security incidents, prevent illegal and criminal activities on the network, and maintain the integrity, confidentiality, and availability of network data.

Article 11: Network-related industry organizations shall strengthen industry self-discipline, formulate network security behavior norms, guide members to strengthen network security protection, improve the level of network security protection, and promote the healthy development of the industry in accordance with their articles of association.

Article 12: The state protects the rights of citizens, legal persons, and other organizations to use the internet in accordance with the law, promotes the popularization of internet access, improves the level of internet services, provides safe and convenient internet services to society, and guarantees the orderly and free flow of internet information in accordance with the law.

Any individual or organization using the internet shall comply with the Constitution and laws, abide by public order, respect social morality, and shall not endanger network security. They shall not use the internet to engage in activities that endanger national security, honor, and interests, incite subversion of state power, overthrow the socialist system, incite division of the country, undermine national unity, promote terrorism and extremism, promote ethnic hatred and discrimination, spread violent and obscene information, fabricate and spread false information to disrupt economic and social order, and infringe on the reputation, privacy, intellectual property rights, and other legitimate rights and interests of others.

Article 13: The state supports the research and development of network products and services that are conducive to the healthy growth of minors, punishes activities that harm the physical and mental health of minors using the internet in accordance with the law, and provides a safe and healthy network environment for minors.

Article 14: Any individual or organization has the right to report any behavior that endangers network security to departments such as cyberspace, telecommunications, and public security. The department receiving the report shall promptly handle it in accordance with the law; if it does not fall within the responsibilities of this department, it should be promptly transferred to the department with the authority to handle it.

The relevant departments shall keep confidential the relevant information of the informant and protect the legitimate rights and interests of the informant.

Chapter 2 Network Security Support and Promotion

Article 15: The state shall establish and improve a network security standard system. The standardization administrative department of the State Council and other relevant departments of the State Council shall, in accordance with their respective responsibilities, organize the formulation and timely revision of national and industry standards related to network security management, as well as network products, services, and operational security.

The state supports enterprises, research institutions, universities, and network related industry organizations to participate in the formulation of national and industry standards for cybersecurity.

Article 16: The State Council and the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall coordinate planning, increase investment, support key network security technology industries and projects, support research, development, and application of network security technology, promote secure and trustworthy network products and services, protect network technology intellectual property rights, and support enterprises, research institutions, and universities to participate in national network security technology innovation projects.

Article 17: The state promotes the construction of a socialized network security service system and encourages relevant enterprises and institutions to provide security services such as network security certification, testing, and risk assessment.

Article 18: The state encourages the development of network data security protection and utilization technologies, promotes the opening of public data resources, and drives technological innovation and economic and social development.

The state supports innovative ways of network security management, utilizes new network technologies, and enhances the level of network security protection.

Article 19: People's governments at all levels and their relevant departments shall organize regular network security propaganda and education, and guide and supervise relevant units to do a good job in network security propaganda and education.

Mass media should carry out targeted network security propaganda and education to the society.

Article 20: The state supports enterprises, higher education institutions, vocational schools, and other educational and training institutions to carry out cybersecurity related education and training, adopt various methods to cultivate cybersecurity talents, and promote the exchange of cybersecurity talents.

Chapter 3 Network Operation Security

Section 1 General Provisions

Article 21: The state implements a network security level protection system. Network operators shall fulfill the following security protection obligations in accordance with the requirements of the network security level protection system, to safeguard the network from interference, destruction, or unauthorized access, and to prevent network data leakage or theft or tampering:

(1) Develop internal security management systems and operating procedures, determine the person in charge of network security, and implement network security protection responsibilities;

(2) Take technical measures to prevent computer viruses, network attacks, network intrusions, and other harmful behaviors that endanger network security;

(3) Take technical measures to monitor and record network operation status and network security incidents, and retain relevant network logs for no less than six months in accordance with regulations;

(4) Take measures such as data classification, important data backup, and encryption;

(5) Other obligations stipulated by laws and administrative regulations.

Article 22: Network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services shall not set up malicious programs; when security defects, vulnerabilities, and other risks are discovered in their network products and services, remedial measures should be taken immediately, and users should be informed in a timely manner according to regulations and reported to relevant regulatory authorities.

Providers of network products and services should continuously provide security maintenance for their products and services; within the prescribed or agreed upon period, the provision of security maintenance shall not be terminated.

If network products and services have the function of collecting user information, their providers should clearly indicate and obtain consent from users; if it involves personal information of users, it shall also comply with the provisions of this Law and relevant laws and administrative regulations on personal information protection.

Article 23: Key network equipment and specialized network security products shall be sold or provided in accordance with the mandatory requirements of relevant national standards, and only after being certified as qualified by qualified institutions or meeting the requirements of security testing. The national cyberspace administration, in conjunction with relevant departments of the State Council, shall formulate and publish a catalog of key network equipment and specialized network security products, and promote mutual recognition of security certification and security testing results to avoid duplicate certification and testing.

Article 24: Network operators shall provide users with network access and domain name registration services, handle network access procedures for fixed and mobile phones, or provide users with information publishing, instant messaging, and other services. When signing agreements or confirming the provision of services with users, they shall require users to provide their true identity information. If users do not provide their real identity information, network operators shall not provide relevant services for them.

The country implements a network trusted identity strategy, supports research and development of secure and convenient electronic identity authentication technologies, and promotes mutual recognition between different electronic identity verifications.

Article 25: Network operators shall develop emergency plans for network security incidents and promptly deal with security risks such as system vulnerabilities, computer viruses, network attacks, and network intrusions; in the event of an incident that endangers network security, they shall immediately activate the emergency plan, take corresponding remedial measures, and report to the relevant competent authorities in accordance with regulations.

Article 26: When conducting activities such as network security certification, testing, and risk assessment, and releasing network security information such as system vulnerabilities, computer viruses, network attacks, and network intrusions to the public, relevant national regulations shall be followed.

Article 27: No individual or organization shall engage in activities that endanger network security, such as illegal intrusion into others' networks, interference with the normal functions of others' networks, or theft of network data; nor shall they provide programs or tools specifically designed for activities that endanger network security, such as invading networks, interfering with normal network functions and protective measures, or stealing network data; those who knowingly engage in activities that endanger network security shall not be provided with technical support, advertising promotion, payment settlement, or other assistance.

Article 28: Network operators shall provide technical support and assistance to public security organs and national security organs for activities related to safeguarding national security and investigating crimes in accordance with the law.

Article 29: The state supports cooperation among network operators in the collection, analysis, reporting, and emergency response of network security information, in order to enhance the security protection capabilities of network operators.

Industry organizations should establish and improve their own network security protection standards and cooperation mechanisms, strengthen the analysis and evaluation of network security risks, regularly issue risk warnings to members, and support and assist members in dealing with network security risks.

Article 30: The information obtained by the cyberspace administration and relevant departments in fulfilling their responsibilities for network security protection shall only be used for the purpose of maintaining network security and shall not be used for other purposes.

Section 2 Operational Security of Key Information Infrastructure

Article 31: The state shall implement key protection for important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, as well as other critical information infrastructure that may seriously endanger national security, national economy and people's livelihood, and public interests in the event of damage, loss of function, or data leakage, on the basis of the network security level protection system. The specific scope and security protection measures of critical information infrastructure shall be formulated by the State Council.

The state encourages network operators outside of critical information infrastructure to voluntarily participate in the critical information infrastructure protection system.

Article 32: In accordance with the division of responsibilities stipulated by the State Council, the departments responsible for the security protection of key information infrastructure shall formulate and organize the implementation of key information infrastructure security plans for their respective industries and fields, and guide and supervise the operation and security protection of key information infrastructure.

Article 33: The construction of critical information infrastructure shall ensure its performance in supporting business stability and continuous operation, and ensure the synchronous planning, construction, and use of security technology measures.

Article 34: In addition to the provisions of Article 21 of this Law, operators of critical information infrastructure shall also fulfill the following security protection obligations:

(1) Establish a specialized safety management organization and a safety management manager, and conduct safety background checks on the manager and personnel in key positions;

(2) Regularly provide cybersecurity education, technical training, and skill assessments to practitioners;

(3) Perform disaster recovery backup for important systems and databases;

(4) Develop emergency plans for cybersecurity incidents and conduct regular drills;

(5) Other obligations stipulated by laws and administrative regulations.

Article 35: Operators of critical information infrastructure who purchase network products and services that may affect national security shall undergo a national security review organized by the national cyberspace administration department in conjunction with relevant departments of the State Council.

Article 36: Operators of critical information infrastructure who purchase network products and services shall sign security and confidentiality agreements with providers in accordance with regulations, clarifying their security and confidentiality obligations and responsibilities.

Article 37: Operators of critical information infrastructure shall store personal information and important data collected and generated within the territory of the People's Republic of China. If it is necessary to provide overseas services due to business needs, security assessments shall be conducted in accordance with the methods formulated by the national cyberspace administration department in conjunction with relevant departments of the State Council; if laws and administrative regulations have other provisions, they shall be followed.

Article 38: Operators of critical information infrastructure shall conduct at least one annual inspection and evaluation of the security and potential risks of their networks on their own or by commissioning network security service agencies, and submit the inspection and evaluation results and improvement measures to the relevant departments responsible for the security protection of critical information infrastructure.

Article 39: The national cyberspace administration shall coordinate relevant departments to take the following measures for the security protection of critical information infrastructure:

(1) Spot check and detect security risks of critical information infrastructure, propose improvement measures, and if necessary, entrust network security service agencies to detect and evaluate security risks in the network;

(2) Regularly organize network security emergency drills for operators of critical information infrastructure to improve their ability to respond to network security incidents and collaborate effectively;

(3) Promote the sharing of network security information among relevant departments, operators of critical information infrastructure, research institutions, network security service providers, etc.;

(4) Provide technical support and assistance for emergency response to network security incidents and restoration of network functions.

Chapter 4 Network Information Security

Article 40: Network operators shall strictly keep confidential the user information they collect and establish a sound system for protecting user information.

Article 41: Network operators shall follow the principles of legality, legitimacy, and necessity when collecting and using personal information, publicly disclose the rules for collection and use, clearly state the purpose, method, and scope of information collection and use, and obtain the consent of the collected party.

Network operators shall not collect personal information unrelated to the services they provide, and shall not collect or use personal information in violation of laws, administrative regulations, and agreements between both parties. They shall also handle the personal information they keep in accordance with laws, administrative regulations, and agreements with users.

Article 42: Network operators shall not disclose, tamper with, or damage the personal information they collect; without the consent of the recipient, personal information shall not be provided to others, except for information that cannot be identified as specific individuals and cannot be restored after processing.

Network operators should take technical and other necessary measures to ensure the security of the personal information they collect, prevent information leakage, damage, and loss. When personal information leakage, damage, or loss occurs or may occur, remedial measures should be taken immediately, and users should be informed in a timely manner according to regulations and reported to the relevant competent authorities.

Article 43: If an individual discovers that a network operator has collected or used their personal information in violation of laws, administrative regulations, or the agreement between both parties, they have the right to request the network operator to delete their personal information; if it is found that the personal information collected and stored by the network operator is incorrect, the network operator has the right to request correction. Network operators should take measures to delete or correct it.

Article 44: No individual or organization shall steal or obtain personal information in any other illegal manner, nor shall they illegally sell or provide personal information to others.

Article 45: Departments and their staff responsible for network security supervision and management in accordance with the law must strictly keep confidential any personal information, privacy, and trade secrets they become aware of while performing their duties, and shall not disclose, sell, or illegally provide them to others.

Article 46: Any individual or organization shall be responsible for their use of the internet, and shall not establish websites or communication groups for committing fraud, teaching criminal methods, producing or selling prohibited or controlled items, or other illegal and criminal activities. They shall not use the internet to publish information related to the commission of fraud, the production or sale of prohibited or controlled items, or other illegal and criminal activities.

Article 47: Network operators shall strengthen the management of information published by their users. If they discover information that is prohibited from being published or transmitted by laws and administrative regulations, they shall immediately stop transmitting the information, take measures such as elimination, prevent the spread of information, keep relevant records, and report to the relevant competent authorities.

Article 48: Any electronic information sent or application software provided by individuals or organizations shall not have malicious programs set up, and shall not contain information prohibited by laws and administrative regulations from being published or transmitted.

Electronic information transmission service providers and application software download service providers shall fulfill their security management obligations. If they know that their users have engaged in the behaviors specified in the preceding paragraph, they shall stop providing services, take disposal measures such as elimination, keep relevant records, and report to the relevant competent authorities.

Article 49: Network operators shall establish a system for complaints and reports on network information security, publicize information on complaint and report methods, and promptly accept and handle complaints and reports related to network information security.

Network operators shall cooperate with the supervision and inspection carried out by the cyberspace administration and relevant departments in accordance with the law.

Article 50: The national cyberspace administration and relevant departments shall perform their duties of network information security supervision and management in accordance with the law. If they discover information that is prohibited from being published or transmitted by laws and administrative regulations, they shall require the network operator to stop transmission, take disposal measures such as elimination, and keep relevant records; for the above-mentioned information originating from outside the People's Republic of China, relevant institutions should be notified to take technical and other necessary measures to block its dissemination.

Chapter 5 Monitoring, Early Warning and Emergency Response

Article 51: The state shall establish a system for network security monitoring, early warning, and information dissemination. The national cyberspace administration should coordinate relevant departments to strengthen the collection, analysis, and reporting of network security information, and issue unified network security monitoring and warning information in accordance with regulations.

Article 52: The department responsible for the security protection of critical information infrastructure shall establish and improve the network security monitoring, early warning, and information notification system in its industry and field, and submit network security monitoring and early warning information in accordance with regulations.

Article 53: The national cyberspace administration shall coordinate with relevant departments to establish and improve mechanisms for assessing and responding to network security risks, develop emergency plans for network security incidents, and regularly organize drills.

The department responsible for the security protection of critical information infrastructure should develop emergency plans for network security incidents in their respective industries and fields, and regularly organize drills.

The emergency plan for network security incidents should classify network security incidents according to factors such as the degree of harm and scope of impact after the incident occurs, and stipulate corresponding emergency response measures.

Article 54: When the risk of a cybersecurity incident increases, relevant departments of the people's governments at or above the provincial level shall, in accordance with the prescribed authority and procedures, and based on the characteristics of the cybersecurity risk and the potential harm it may cause, take the following measures:

(1) Require relevant departments, institutions, and personnel to collect and report relevant information in a timely manner, and strengthen monitoring of network security risks;

(2) Organize relevant departments, institutions, and professionals to analyze and evaluate network security risk information, predict the likelihood, scope of impact, and degree of harm of events;

(3) Issue network security risk warnings to the society and issue measures to avoid and mitigate harm.

Article 55: In the event of a network security incident, the emergency plan for network security incidents shall be immediately activated, investigations and evaluations shall be conducted, and network operators shall be required to take technical and other necessary measures to eliminate security risks, prevent the expansion of harm, and promptly release warning information related to the public to the society.

Article 56: If relevant departments of the people's governments at or above the provincial level discover that there are significant security risks or security incidents in the network during the performance of their responsibilities for network security supervision and management, they may, in accordance with the prescribed authority and procedures, interview the legal representative or main person in charge of the operator of the network. Network operators should take measures as required to rectify and eliminate hidden dangers.

Article 57: In case of network security incidents, emergencies or production safety accidents, they shall be handled in accordance with relevant laws and administrative regulations such as the Emergency Response Law of the People's Republic of China and the Work Safety Law of the People's Republic of China.

Article 58: In order to maintain national security and public order, and to deal with major sudden social security incidents, temporary measures such as restrictions on network communication may be taken in specific areas with the decision or approval of the State Council.

Chapter 6 Legal Liability

Article 59: If a network operator fails to fulfill the network security protection obligations stipulated in Articles 21 and 25 of this Law, the relevant competent department shall order it to rectify and give a warning; those who refuse to correct or cause consequences such as endangering network security shall be fined not less than 10000 yuan but not more than 100000 yuan, and the directly responsible person in charge shall be fined not less than 5000 yuan but not more than 50000 yuan.

If the operator of critical information infrastructure fails to fulfill the network security protection obligations stipulated in Articles 33, 34, 36, and 38 of this Law, the relevant competent department shall order correction and give a warning; those who refuse to correct or cause consequences such as endangering network security shall be fined not less than 100000 yuan but not more than 1 million yuan, and the directly responsible person in charge shall be fined not less than 10000 yuan but not more than 100000 yuan.

Article 60: Those who violate the provisions of the first and second paragraphs of Article 22 and the first paragraph of Article 48 of this Law by committing any of the following acts shall be ordered to rectify and given a warning by the relevant competent department; those who refuse to correct or cause consequences such as endangering network security shall be fined not less than 50000 yuan but not more than 500000 yuan, and the directly responsible person in charge shall be fined not less than 10000 yuan but not more than 100000 yuan:

(1) Setting up malicious programs;

(2) Failure to take immediate remedial measures for security defects, vulnerabilities, and other risks in its products and services, or failure to promptly inform users and report to relevant regulatory authorities in accordance with regulations;

(3) Unauthorized termination of providing security maintenance for its products and services.

Article 61: If a network operator violates the provisions of Article 24, Paragraph 1 of this Law by failing to require users to provide their true identity information, or by providing relevant services to users who do not provide their true identity information, the relevant competent department shall order them to make corrections; For those who refuse to make corrections or whose circumstances are serious, a fine of not less than 50000 yuan but not more than 500000 yuan shall be imposed, and the relevant competent department may order the suspension of relevant business, business rectification, website closure, revocation of relevant business licenses or revocation of business licenses. The directly responsible person in charge and other directly responsible personnel shall be fined not less than 10000 yuan but not more than 100000 yuan.

Article 62: Those who violate the provisions of Article 26 of this Law by conducting activities such as network security certification, testing, risk assessment, or releasing network security information such as system vulnerabilities, computer viruses, network attacks, and network intrusions to the public shall be ordered to make corrections and given warnings by the relevant competent authorities; for those who refuse to make corrections or whose circumstances are serious, a fine of not less than 10000 yuan but not more than 100000 yuan shall be imposed, and the relevant competent department may order the suspension of relevant business, business rectification, website closure, revocation of relevant business licenses or revocation of business licenses. The directly responsible person in charge and other directly responsible personnel shall be fined not less than 5000 yuan but not more than 50000 yuan.

Article 63: If a person violates the provisions of Article 27 of this Law by engaging in activities that endanger network security, or providing programs or tools specifically designed for engaging in activities that endanger network security, or providing technical support, advertising promotion, payment settlement, and other assistance to others engaged in activities that endanger network security, and the offense does not constitute a crime, the public security organs shall confiscate the illegal gains, detain the person for up to five days, and may impose a fine of not less than 50000 yuan but not more than 500000 yuan; those with serious circumstances shall be detained for not less than five days but not more than fifteen days, and may be fined not less than 100000 yuan but not more than one million yuan.

If a unit commits the acts mentioned in the preceding paragraph, the public security organs shall confiscate the illegal gains, impose a fine of not less than 100000 yuan but not more than 1 million yuan, and punish the directly responsible supervisors and other directly responsible personnel in accordance with the provisions of the preceding paragraph.

Individuals who violate Article 27 of this Law and are subject to public security management penalties shall not hold key positions in network security management and network operations for five years; individuals who have been criminally punished are prohibited from holding key positions in network security management and network operations for life.

Article 64: If a network operator, network product or service provider violates the provisions of Article 22, paragraph 3, and Articles 41 to 43 of this Law and infringes upon the right to protection of personal information in accordance with the law, the relevant competent department shall order them to make corrections, and may, depending on the circumstances, give a warning, confiscate illegal gains, or impose a fine of not less than one time but not more than ten times the illegal gains. If there are no illegal gains, a fine of not more than one million yuan shall be imposed, and the directly responsible person in charge and other directly responsible persons shall be fined not less than ten thousand yuan but not more than one hundred thousand yuan; if the circumstances are serious, an order may be issued to suspend the relevant business, suspend business for rectification, close the website, revoke the relevant business license, or revoke the business license.

Those who violate the provisions of Article 44 of this Law by stealing or obtaining personal information through other illegal means, illegally selling or illegally providing personal information to others, but do not constitute a crime, shall have their illegal gains confiscated by the public security organs and be fined not less than one time but not more than ten times their illegal gains. If there are no illegal gains, they shall be fined not more than one million yuan.

Article 65: If the operator of critical information infrastructure violates the provisions of Article 35 of this Law by using network products or services that have not undergone security review or have not passed security review, the relevant competent department shall order them to stop using them and impose a fine of not less than one time but not more than ten times the purchase amount; a fine of not less than 10000 yuan but not more than 100000 yuan shall be imposed on the directly responsible supervisors and other directly responsible personnel.

Article 66: If the operator of critical information infrastructure violates the provisions of Article 37 of this Law by storing network data overseas or providing network data overseas, the relevant competent department shall order correction, give a warning, confiscate illegal gains, impose a fine of not less than 50000 yuan but not more than 500000 yuan, and may also order suspension of relevant business, suspension of business rectification, closure of websites, revocation of relevant business licenses or revocation of business licenses; a fine of not less than 10000 yuan but not more than 100000 yuan shall be imposed on the directly responsible supervisors and other directly responsible personnel.

Article 67: Those who violate the provisions of Article 46 of this Law by establishing websites or communication groups for the purpose of carrying out illegal and criminal activities, or using the internet to publish information related to the implementation of illegal and criminal activities, but do not constitute a crime, shall be detained for not more than five days by the public security organs and may be fined not less than 10000 yuan but not more than 100000 yuan; those with serious circumstances shall be detained for not less than five days but not more than fifteen days, and may be fined not less than 50000 yuan but not more than 500000 yuan. Websites and communication groups used for illegal and criminal activities shall be closed.

If a unit commits the acts mentioned in the preceding paragraph, the public security organ shall impose a fine of not less than 100000 yuan but not more than 500000 yuan, and the directly responsible person in charge and other directly responsible personnel shall be punished in accordance with the provisions of the preceding paragraph.

Article 68: If a network operator violates the provisions of Article 47 of this Law by failing to stop the transmission of information prohibited by laws and administrative regulations, to take disposal measures such as elimination, and to keep relevant records, the relevant competent department shall order correction, give a warning, and confiscate illegal gains; for those who refuse to make corrections or whose circumstances are serious, a fine of not less than 100000 yuan but not more than 500000 yuan shall be imposed, and they may be ordered to suspend relevant business, suspend business for rectification, close websites, revoke relevant business licenses or revoke business licenses. The directly responsible person in charge and other directly responsible personnel shall be fined not less than 10000 yuan but not more than 100000 yuan.

Electronic information transmission service providers and application software download service providers who fail to fulfill their security management obligations as stipulated in Article 48 (2) of this Law shall be punished in accordance with the provisions of the preceding paragraph.

Article 69: If a network operator violates the provisions of this Law and commits any of the following acts, the relevant competent department shall order it to rectify; for those who refuse to make corrections or whose circumstances are serious, a fine of not less than 50000 yuan but not more than 500000 yuan shall be imposed. For the directly responsible supervisors and other directly responsible personnel, a fine of not less than 10000 yuan but not more than 100000 yuan shall be imposed:

(1) Not taking measures such as stopping or eliminating the transmission of information prohibited by laws and administrative regulations in accordance with the requirements of relevant departments;

(2) Refusing or obstructing the supervision and inspection carried out by relevant departments in accordance with the law;

(3) Refusing to provide technical support and assistance to public security organs and national security organs.

Article 70: Those who publish or transmit information prohibited by the second paragraph of Article 12 of this Law and other laws and administrative regulations shall be punished in accordance with the provisions of relevant laws and administrative regulations.

Article 71: Those who commit illegal acts as stipulated in this Law shall be recorded in their credit files in accordance with relevant laws and administrative regulations, and shall be made public.

Article 72: If the operator of the government network of a state organ fails to fulfill the obligation of network security protection as stipulated in this Law, its superior organ or relevant organ shall order it to make corrections; the directly responsible supervisors and other directly responsible personnel shall be punished in accordance with the law.

Article 73: If the cyberspace administration and relevant departments violate the provisions of Article 30 of this Law by using information obtained in the performance of network security protection duties for other purposes, the directly responsible supervisors and other directly responsible personnel shall be punished in accordance with the law.

If the staff of the cyberspace administration department and relevant departments neglect their duties, abuse their power, or engage in favoritism and fraud, and this does not constitute a crime, they shall be punished according to law.

Article 74: Anyone who violates the provisions of this Law and causes harm to others shall bear civil liability in accordance with the law.

Those who violate the provisions of this Law and constitute a violation of public security management shall be subject to public security management penalties in accordance with the law; those who commit crimes shall be held criminally responsible in accordance with the law.

Article 75: If overseas institutions, organizations, or individuals engage in activities that harm the critical information infrastructure of the People's Republic of China, such as attacking, invading, interfering, or destroying it, and cause serious consequences, they shall be held legally responsible in accordance with the law; the public security department of the State Council and relevant departments may also decide to freeze the assets or take other necessary sanctions against the institution, organization, or individual.

Chapter 7 Supplementary Provisions

Article 76: The following terms in this Law have the following meanings:

(1) Network refers to a system composed of computers or other information terminals and related devices that collect, store, transmit, exchange, and process information according to certain rules and procedures.

(2) Network security refers to the ability to take necessary measures to prevent attacks, intrusions, interference, destruction, illegal use, and accidents on the network, to ensure stable and reliable operation of the network, and to safeguard the integrity, confidentiality, and availability of network data.

(3) Network operators refer to the owners, managers, and service providers of a network.

(4) Network data refers to various electronic data collected, stored, transmitted, processed, and generated through the internet.

(5) Personal information refers to various information recorded electronically or in other ways that can be used alone or in combination with other information to identify the personal identity of a natural person, including but not limited to the person's name, date of birth, ID number, personal biometric information, address, phone number, etc.

Article 77: In addition to complying with this Law, the operational security protection of networks storing and processing information involving state secrets shall also comply with the provisions of confidentiality laws and administrative regulations.

Article 78: The security protection of military networks shall be separately stipulated by the Central Military Commission.

Article 79: This Law shall come into effect on June 1, 2017.