Cybersecurity Act

Chapter I. General provisions
Article 1 This Law is enacted for the purpose of guaranteeing cybersecurity, safeguarding the sovereignty of cyberspace and national security, the public interests of society, protecting the lawful rights and interests of citizens, legal persons and other organizations, and promoting the healthy development of economic and social informatization.
Article 2 The construction, operation, maintenance and use of networks within the territory of the People's Republic of China, as well as the supervision and management of network security, shall be governed by this Law.
Article 3 The State adheres to the equal importance of network security and the development of informatization, follows the policy of active utilization, scientific development, management in accordance with law and ensuring security, promotes the construction of network infrastructure and interconnection, encourages network technological innovation and application, supports the cultivation of network security personnel, establishes and improves the network security guarantee system, and enhances the ability to protect network security.
Article 4 The State formulates and continuously improves its cybersecurity strategy, specifies the basic requirements and main objectives for safeguarding cybersecurity, and proposes cybersecurity policies, tasks and measures in key areas.
Article 5: The State shall take measures to monitor, defend and dispose of cybersecurity risks and threats originating from within and outside the territory of the People's Republic of China, and to protect critical information.infrastructureFreedom from attack, intrusion, interference and damage, punishment of cybercrime activities in accordance with the law, and maintenance of security and order in cyberspace.
Article 6 The State advocates honest and trustworthy, healthy and civilized network behavior, promotes the dissemination of socialist core values, takes measures to raise the awareness and level of network security in society as a whole, and forms a good environment in which society as a whole participates in promoting network security.
Article 7 The State shall actively engage in international exchanges and cooperation in cyberspace governance, cybertechnology research and development and standard-setting, and combating cybercrime, and shall promote the building of a peaceful, secure, open and cooperative cyberspace and the establishment of a multilateral, democratic and transparent system of cybergovernance.
Article 8  National cyber-credit authorityIt is responsible for the overall coordination of network security work and related supervision and management work. The competent telecommunication department of the State Council, the public security department and other relevant authorities shall be responsible for network security protection and supervision and management within their respective areas of responsibility in accordance with the provisions of this Law and relevant laws and administrative regulations.
The responsibilities of the relevant departments of the local people's governments at or above the county level for network security protection and supervision and management shall be determined in accordance with the relevant provisions of the State.
Article 9 Network operators to carry out business and service activities, must comply with laws and administrative regulations, respect for social morality, compliance with business ethics, honesty and credit, fulfill the obligations of network security protection, accept the supervision of the government and society, and assume social responsibility.
Article 10 The construction, operation of the network or the provision of services through the network shall, in accordance with the provisions of laws and administrative regulations and the mandatory requirements of national standards, take technical measures and other necessary measures to ensure the safe and stable operation of the network, to effectively respond to network security incidents, to prevent illegal and criminal activities on the network, and to safeguard the integrity of the network data, confidentiality and usability.
Article 11 Network-related industry organizations, in accordance with the statute, to strengthen industry self-discipline, formulate a code of conduct for network security, guide members to strengthen network security protection, improve the level of network security protection, and promote the healthy development of the industry.
Article 12 The State protects the rights of citizens, legal persons and other organizations to use the network in accordance with the law, promotes the popularization of network access, improves the level of network services, provides safe and convenient network services for society, and guarantees the free flow of network information in an orderly manner in accordance with the law.
Any individual or organization using the Internet shall abide by the Constitution and laws, comply with public order, respect social morality, and shall not jeopardize the security of the Internet, nor shall they use the Internet to engage in activities that endanger national security, honor and interests, incite subversion of state power, overthrow of the socialist system, incitement to split the country, undermining national unity, propaganda of terrorism and extremism, propaganda of ethnic hatred and discrimination, dissemination of violence, obscene and pornographic information, fabrication and dissemination of false information that disrupts economic order and social order, and infringement of other people's reputation, privacy and intellectual property rights and interests. information, fabricating and disseminating false information to disrupt economic and social order, and infringing on others' honor, privacy, intellectual property rights and other legitimate rights and interests.
Article 13 The State supports the research and development of network products and services conducive to the healthy growth of minors, punishes by law the use of the Internet to engage in activities that jeopardize the physical and mental health of minors, and provides minors with a safe and healthy network environment.
Article 14 Any individual or organization has the right to report to the Internet information, telecommunications, public security and other departments for acts that endanger network security. The department receiving the report shall promptly deal with it in accordance with the law; if it does not fall within the responsibilities of the department, it shall promptly transfer it to the department with the authority to deal with it.
The relevant departments shall keep the relevant information of the informant confidential, to protect the legitimate rights and interests of the informant.
Chapter II. Cybersecurity support and promotion
Article 15 The State shall establish and improve the network security standard system. The administrative department in charge of standardization under the State Council and other relevant departments under the State Council shall, in accordance with their respective responsibilities, organize the formulation and timely revision of national and industrial standards relating to the management of network security and the security of network products, services and operations.
The State supports the participation of enterprises, research institutes, institutions of higher learning and network-related industry organizations in the formulation of national and industry standards for cybersecurity.
Article 16 The State Council and the people's governments of provinces, autonomous regions and municipalities directly under the Central Government shall coordinate planning, increase investment, support key cybersecurity technology industries and projects, support the research, development and application of cybersecurity technology, promote secure and trustworthy cyberproducts and services, protect intellectual property rights in cybertechnology, and support the participation of enterprises, research institutes and institutions of higher education in the State's cybersecurity technological innovation projects.
Article 17 The State promotes the construction of a socialized service system for network security and encourages relevant enterprises and institutions to carry out security services such as network security certification, testing and risk assessment.
Article 18 The State encourages the development of network data security protection and utilization technologies, promotes the opening of public data resources, and promotes technological innovation and economic and social development.
The State supports innovative approaches to cybersecurity management and the use of new cybertechnologies to enhance the level of cybersecurity protection.
Article 19 The people's governments at all levels and their relevant departments shall organize and carry out regular network security publicity and education, and guide and supervise the relevant units to do a good job in network security publicity and education.
The mass media should conduct targeted publicity and education on cybersecurity for society.
Article 20 The State supports enterprises and educational and training institutions, such as higher education institutions and vocational schools, to carry out education and training related to cybersecurity, adopt various ways to cultivate cybersecurity talents, and promote the exchange of cybersecurity talents.
Chapter III. Network Operational Security
Section I. General provisions
Article 21 The State shall implement a network security level protection system. Network operators shall, in accordance with the requirements of the network security level protection system, perform the following security protection obligations to safeguard the network from interference, damage or unauthorized access, and to prevent network data from being leaked or stolen or tampered with:
(a) Developing internal security management systems and operating procedures, identifying the person responsible for network security, and implementing the responsibility for network security protection;
(ii) Technical measures to prevent computer viruses and network attacks, network intrusion and other acts that jeopardize network security;
(c) Take technical measures to monitor and record network operation status and network security events, and retain relevant network logs for not less than six months in accordance with the regulations;
(iv) Measures such as data classification, backup and encryption of important data;
(v) Other obligations stipulated by laws and administrative regulations.
Article 22 Network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services shall not set up malicious programs; when their network products and services are found to have security flaws, vulnerabilities and other risks, they shall immediately take remedial measures, inform users in a timely manner in accordance with the provisions of the report to the relevant competent authorities.
Providers of network products and services shall provide security maintenance for their products and services on an ongoing basis; the provision of security maintenance shall not be terminated within the period specified or agreed upon by the parties.
Where a network product or service has the function of collecting user information, its provider shall make it clear to the user and obtain consent; where personal information of the user is involved, it shall also comply with the provisions of this Law and relevant laws and administrative regulations on the protection of personal information.
Article 23 Network-critical equipment and products dedicated to network security shall be sold or made available only after they have been qualified for security certification or security testing in accordance with the mandatory requirements of the relevant national standards by qualified organizations. The State Net Information Department, in conjunction with the relevant departments of the State Council, shall formulate and publish a product catalog of network-critical equipment and special products for network security, and promote mutual recognition of the results of security certification and security testing, so as to avoid duplication of certification and testing.
Article 24 The network operator for the user for network access, domain name registration services, for fixed-line telephone, cell phone and other network procedures, or to provide users with information dissemination, instant messaging and other services, in the agreement with the user or to confirm the provision of services, the user shall require the user to provide real identity information. If the user does not provide true identity information, the network operator shall not provide relevant services for him.
The State implements the strategy of network trusted identity, supports research and development of secure and convenient electronic identity authentication technologies, and promotes mutual recognition between different electronic identities.
Article 25 The network operator shall formulate an emergency response plan for network security incidents, and dispose of security risks such as system vulnerabilities, computer viruses, network attacks and network intrusion in a timely manner; in the event of incidents jeopardizing network security, it shall immediately activate the emergency response plan, take corresponding remedial measures and report to the relevant competent authorities in accordance with the regulations.
Article 26 carries out network security certification, testing, risk assessment and other activities to the community to release system vulnerabilities, computer viruses, network attacks, network intrusion and other network security information, shall comply with the relevant provisions of the State.
Article 27 No individual or organization shall engage in activities that endanger network security, such as illegal intrusion into other people's networks, interference with the normal functions of other people's networks, or theft of network data; no program or tool shall be provided that is specifically designed to engage in activities that endanger network security, such as intrusion into the network, interference with the normal functions of the network and its protective measures, or theft of network data; and no person shall be provided with technical support, advertising and promotion, payment and settlement and other assistance.
Article 28 Network operators shall provide technical support and assistance to the public security organs and national security organs for the maintenance of national security and the investigation of crimes in accordance with the law.
Article 29 The State supports cooperation among network operators in the collection, analysis, notification and emergency response of network security information, so as to improve the security capacity of network operators.
Relevant industry organizations establish and improve the industry's cybersecurity protection norms and collaboration mechanisms, strengthen the analysis and assessment of cybersecurity risks, regularly provide risk warnings to members, and support and assist members in coping with cybersecurity risks.
Article 30 The information obtained by the Internet information department and relevant departments in the performance of network security protection duties can only be used for the needs of maintaining network security and shall not be used for other purposes.
Section II. Operational security of critical information infrastructures
Article 31 The State shall, on the basis of the network security level protection system, implement key protection for critical information infrastructures in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, and other critical information infrastructures that, if damaged, lose their functions or have their data leaked, may seriously jeopardize national security, the people's livelihood and the public interest. The specific scope and security protection methods for critical information infrastructures shall be formulated by the State Council.
The State encourages network operators outside the critical information infrastructure to voluntarily participate in the critical information infrastructure protection system.
Article 32 In accordance with the division of responsibilities prescribed by the State Council, the departments responsible for the security protection of critical information infrastructures prepare and organize the implementation of security planning for critical information infrastructures in their own industries and fields, and guide and supervise the security protection of the operation of critical information infrastructures.
Article 33 The construction of critical information infrastructure should ensure that it has the performance to support the stable and continuous operation of the business, and to ensure that the security technology measures are synchronized planning, construction and use.
Article 34 In addition to the provisions of Article 21 of this Law, operators of critical information infrastructures shall fulfill the following security protection obligations:
(i) Setting up a specialized security management body and a person in charge of security management, and conducting security background checks on that person and on personnel in key positions;
(ii) Regularly conduct network security education, technical training and skills assessment for practitioners;
(iii) Disaster recovery for critical systems and databases;
(d) Formulate contingency plans for cybersecurity incidents and conduct regular drills;
(v) Other obligations stipulated by laws and administrative regulations.
Article 35 Where the operators of critical information infrastructure procure network products and services that may affect national security, they shall pass the national security review organized by the State Net Information Department in conjunction with the relevant departments of the State Council.
Article 36 Operators of critical information infrastructure to purchase network products and services, shall, in accordance with the provisions of the security and confidentiality agreement with the provider, clear security and confidentiality obligations and responsibilities.
Article 37 Operators of critical information infrastructures in the People's Republic of China in the operation of the collection and generation of personal information and important data shall be stored in the territory. If, due to business needs, it is necessary to provide them outside the country, a security assessment shall be carried out in accordance with the methods formulated by the State Net Information Department in conjunction with the relevant departments of the State Council; if otherwise provided for by laws and administrative regulations, the provisions thereof shall be followed.
Article 38 Operators of critical information infrastructure shall, on their own or by commissioning a network security service organization, conduct at least one test and assessment of the security of their networks and possible risks each year, and report the test and assessment and improvement measures to the relevant departments responsible for the security and protection of critical information infrastructures.
Article 39 The national Internet information department shall coordinate relevant departments to take the following measures for the security protection of critical information infrastructure:
(a) Conduct random inspection and testing of the security risks of critical information infrastructure, propose improvement measures, and, if necessary, commission network security service organizations to test and assess the security risks of the network;
(ii) Regularly organizing cybersecurity emergency response drills for operators of critical information infrastructures, so as to improve the level of response to cybersecurity incidents and the ability to work together;
(c) Promoting the sharing of cybersecurity information among relevant departments, operators of critical information infrastructures, as well as relevant research institutions and cybersecurity service organizations;
(d) Provide technical support and assistance in the emergency response to cybersecurity incidents and the restoration of network functions.
Chapter IV. Network information security
Article 40 The network operator shall keep the user information it collects strictly confidential, and establish and improve the user information protection system.
Article 41 Network operators shall follow the principles of legality, legitimacy and necessity in the collection and use of personal information, publicize the rules for collection and use, express the purpose, manner and scope of collection and use of information, and obtain the consent of the person from whom the information is collected.
Network operators shall not collect personal information unrelated to the services they provide, shall not collect or use personal information in violation of the provisions of laws and administrative regulations and the agreement between the two parties, and shall handle personal information kept by them in accordance with the provisions of laws and administrative regulations and the agreement with users.
Article 42 Network operators shall not disclose, tamper with or destroy the personal information they collect; and shall not provide personal information to others without the consent of the person from whom it was collected. However, it shall not be provided to others without the consent of the collected person, except when it is processed in such a way that it is impossible to identify a specific individual and cannot be restored.
Network operators shall take technical measures and other necessary measures to ensure the security of the personal information they collect and to prevent the leakage, destruction or loss of information. In the event that leakage, destruction or loss of personal information occurs or is likely to occur, they shall immediately take remedial measures, promptly inform users in accordance with the regulations and report to the relevant competent authorities.
Article 43 Where an individual finds that a network operator has collected or used his or her personal information in violation of the provisions of laws and administrative regulations or the agreement between the two parties, he or she shall have the right to request the network operator to delete his or her personal information; and where he or she finds that his or her personal information has been collected or stored incorrectly by the network operator, he or she shall have the right to request the network operator to correct it. The network operator shall take measures to delete or correct it.
Article 44 No individual or organization shall steal or obtain personal information by other illegal means, or illegally sell or illegally provide personal information to others.
Article 45 Departments with network security supervision and management responsibilities in accordance with the law and their staff must keep strictly confidential the personal information, privacy and commercial secrets known in the performance of their duties, and shall not disclose, sell or illegally provide to others.
Article 46 Any individual or organization shall be responsible for its use of the Internet, and shall not set up websites or communication groups for the purpose of committing fraud, teaching criminal methods, or producing or selling prohibited or controlled items, or other illegal and criminal activities, and shall not use the Internet to disseminate information relating to the commission of fraud, or the production or sale of prohibited or controlled items, or other illegal and criminal activities.
Article 47 A network operator shall strengthen the management of information released by its users, and if it finds that the release or transmission of information is prohibited by laws or administrative regulations, it shall immediately stop the transmission of such information, take measures such as elimination and other disposable measures to prevent the spread of the information, keep the relevant records and report them to the competent authorities concerned.
Article 48 The electronic information sent and application software provided by any individual or organization shall not be set up with malicious programs or contain information prohibited from publication or transmission by laws or administrative regulations.
Electronic information sending service providers and application software downloading service providers shall fulfill their security management obligations, and if they know that their users have behaved as stipulated in the preceding paragraph, they shall stop providing the service, take disposal measures such as elimination, keep relevant records and report to the relevant competent authorities.
Article 49 Network operators shall establish network information security complaints, reporting system, publish complaints, reporting methods and other information, timely acceptance and handling of complaints and reports on network information security.
Network operators shall cooperate with the supervision and inspection implemented by the Internet information department and relevant departments in accordance with the law.
Article 50 The State Internet information department and the relevant departments shall, in accordance with the law, perform their duties of supervision and management of network information security, and if they find that the publication or transmission of information is prohibited by laws or administrative regulations, they shall require the network operator to stop transmission, take measures to eliminate it, and keep the relevant records; for the above-mentioned information originating outside the territory of the People's Republic of China, they shall notify the relevant organizations to take technical measures and other necessary measures to block the dissemination of such information.
Chapter V. Monitoring, early warning and emergency response
Article 51 The State shall establish a system for monitoring and early warning of cybersecurity and information notification. The State Internet information department shall coordinate relevant departments to strengthen the collection, analysis and notification of cybersecurity information, and uniformly release cybersecurity monitoring and early warning information in accordance with the provisions.
Article 52 Departments responsible for the security protection of critical information infrastructure shall establish and improve the network security monitoring and early warning and information notification system in their own industries and fields, and report network security monitoring and early warning information in accordance with the provisions.
Article 53 The national Internet information department coordinates with relevant departments to establish and improve the mechanism for network security risk assessment and emergency response, formulates emergency response plans for network security incidents, and organizes regular drills.
Departments responsible for the security protection of critical information infrastructure should formulate emergency response plans for cybersecurity incidents in their own industries and fields, and organize regular drills.
The emergency response plan for cybersecurity incidents should grade cybersecurity incidents according to the degree of harm and the scope of influence of the incident and other factors, and stipulate the corresponding emergency response measures.
Article 54 When the risk of a cybersecurity incident increases, the relevant departments of the people's governments at or above the provincial level shall, in accordance with the prescribed authority and procedures and in light of the characteristics of the cybersecurity risk and the harm it may cause, take the following measures:
(a) Require relevant departments, organizations and personnel to collect and report relevant information in a timely manner and strengthen the monitoring of cybersecurity risks;
(b) Organize relevant departments, institutions and professionals to analyse and assess information on network security risks and predict the likelihood of incidents, the scope of influence and the degree of harm;
(c) Issuing early warnings to society on cybersecurity risks and issuing measures to avoid and mitigate harm.
Article 55 In the event of a network security incident, the emergency response plan for network security incidents shall be immediately activated, the network security incident shall be investigated and assessed, and the network operator shall be required to take technical measures and other necessary measures to eliminate potential security risks, prevent the expansion of harm, and promptly release to the community warning information relating to the public.
Article 56 The relevant departments of the people's governments at or above the provincial level, in the performance of network security supervision and management responsibilities, found that the network has a greater security risk or the occurrence of a security incident, may, in accordance with the prescribed authority and procedures for the network operator's legal representative or the main person in charge of the interview. The network operator shall take measures in accordance with the requirements, carry out rectification and eliminate hidden dangers.
Article 57 As a result of network security incidents, emergencies or production safety accidents shall be dealt with in accordance with the Emergency Response Law of the People's Republic of China, the Production Safety Law of the People's Republic of China and other relevant laws and administrative regulations.
Article 58 Because of the need to maintain national security and public social order and to deal with major emergencies and social security incidents, the State Council may, upon its decision or approval, take temporary measures such as restricting network communications in a specific area.
Chapter VI. Legal liability
Article 59 If a network operator fails to fulfill the network security protection obligations stipulated in Articles 21 and 25 of this Law, the competent department concerned shall order correction and give a warning; if it refuses to make corrections or if it leads to jeopardizing network security or other consequences, it shall impose a fine of 10,000 yuan or more than 100,000 yuan, and the person directly responsible for the competent person shall impose a fine of 5,000 yuan or more than 50,000 yuan.
If an operator of critical information infrastructure fails to fulfill the network security protection obligations stipulated in Articles 33, 34, 36 and 38 of this Law, the competent department concerned shall order rectification and give a warning; if it refuses to make rectification or if it leads to jeopardizing network security or other consequences, it shall impose a fine of not less than 100,000 yuan but not more than 1,000,000 yuan, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan on the person directly responsible for the person in charge.
Article 60 Violation of the provisions of Article 22 (1) and (2) and Article 48 (1) of this Law, one of the following acts, the competent authorities shall order correction and give a warning; refusal to make corrections or lead to jeopardize network security and other consequences, shall be sentenced to a fine of not less than 50,000 yuan and not more than 500,000 yuan, and the persons directly responsible for the competent personnel shall be sentenced to a fine of not less than 10,000 yuan and not more than 100,000 yuan:
(i) Setting up a malicious program;
(ii) Failure to take immediate remedial measures for security defects, loopholes and other risks in its products and services, or failure to inform users and report to the relevant competent authorities in a timely manner in accordance with the provisions;
(c) Unauthorized termination of the provision of security maintenance for its products and services.
Article 61 If a network operator violates the provisions of the first paragraph of Article 24 of this Law by failing to require users to provide real identity information or by providing relevant services to users who do not provide real identity information, the competent department concerned shall order rectification; if it refuses to make rectification or if the circumstances are serious, it shall impose a fine of not less than 50,000 yuan and not more than 500,000 yuan, and may be ordered by the competent department concerned to suspend the relevant business, suspend and rectify the business, or close down the website, revoke the relevant business permit or revoke the business license, and impose a fine of 10,000 yuan or more than 100,000 yuan on the directly responsible supervisors and other directly responsible persons.
Article 62 Violation of the provisions of Article 26 of this Law, to carry out network security certification, testing, risk assessment and other activities, or to the community to release network security information such as system vulnerabilities, computer viruses, network attacks, network intrusion, etc., the competent department shall order correction and give a warning; refusal to make corrections or the circumstances are serious, shall be sentenced to a fine of not less than 10,000 yuan and not more than 100,000 yuan, and can be ordered by the competent department to suspend the related business, suspend business rectification, close the website, revoke the related business permit or revoke the business license, and impose a fine of more than 5,000 yuan and less than 50,000 yuan on the directly responsible supervisors and other directly responsible persons.
Article 63 If, in violation of the provisions of Article 27 of this Law, a person engages in activities endangering network security, or provides programs or tools specially designed for engaging in activities endangering network security, or provides technical support, advertising and promotion, payment and settlement and other assistance for others engaging in activities endangering network security, which does not constitute a crime, he or she shall be subject to confiscation of the unlawful proceeds by the public security authorities, detention for not more than five days, and may be fined not less than fifty thousand yuan and not more than five hundred thousand yuan; if the circumstances are more serious, he or she shall be sentenced to detention for not less than five days and may be fined not less than one million yuan. A fine of not less than five hundred thousand yuan may be imposed; in more serious cases, the person shall be sentenced to detention for not less than five days and not more than fifteen days, and may also be fined not less than one hundred thousand yuan and not more than one million yuan.
If a unit commits any of the acts described in the preceding paragraph, the public security authorities shall confiscate the illegal proceeds, impose a fine of not less than 100,000 yuan and not more than one million yuan, and punish the persons in charge and other persons directly responsible in accordance with the provisions of the preceding paragraph.
A person who violates the provisions of Article 27 of this Law and receives a public security management penalty shall not be allowed to engage in network security management and key positions in network operation within five years; a person who receives a criminal penalty shall not be allowed to engage in network security management and key positions in network operation for life.
Without illegal income, a fine of not more than one million yuan, and a fine of not less than 10,000 yuan and not more than 100,000 yuan for the directly responsible person in charge and other directly responsible persons; if the circumstances are serious, it may also order the suspension of the relevant business, suspend the operation and rectify the situation, close down the website, revoke the relevant business license or revoke the business license.
If, in violation of the provisions of Article 44 of this Law, a person steals or obtains by other unlawful means, illegally sells or illegally provides personal information to another person, which does not constitute a crime, the public security authorities shall confiscate the illegal income and impose a fine of not less than double and not more than ten times the illegal income, or if there is no illegal income, a fine of not more than one million yuan.
Article 65 Where an operator of critical information infrastructure violates the provisions of Article 35 of this Law by using network products or services that have not been subject to security examination or have failed security examination, the competent department concerned shall order the suspension of such use and impose a fine of not less than double but not more than ten times the amount of the procurement; and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan on the supervisory personnel directly in charge and other personnel directly responsible.
Article 66 If an operator of critical information infrastructure violates the provisions of Article 37 of this Law by storing network data outside the country or providing network data outside the country, it shall be ordered by the competent department concerned to make corrections, given a warning, confiscate the illegal income, and imposed a fine of not less than 50,000 yuan and not more than 500,000 yuan, and it may also be ordered to suspend the relevant business, suspend the business and rectify the situation, close down the website, revoke the relevant business permit or revoke the business license ; and impose a fine of not less than ten thousand yuan and not more than one hundred thousand yuan on the directly responsible person in charge and other directly responsible persons.
Article 67 If, in violation of the provisions of Article 46 of this Law, a person establishes a website or a communication group for the purpose of committing unlawful or criminal activities, or uses the Internet to publish information involving the commission of unlawful or criminal activities, which does not constitute a crime, he or she shall be sentenced by the public security authorities to detention for not more than five days, and may be fined not less than 10,000 yuan and not more than 100,000 yuan in addition; if the circumstances are more serious, he or she shall be sentenced to detention for not less than five days and not more than 15 days, and may also be fined not less than 50,000 yuan and not more than 500,000 yuan In more serious cases, it shall be sentenced to detention of not more than five days and not more than fifteen days, and may be fined not less than fifty thousand yuan and not more than five hundred thousand yuan. Closing down websites and communication groups used to carry out illegal and criminal activities.
If a unit commits any of the acts in the preceding paragraph, the public security authorities shall impose a fine of not less than 100,000 yuan and not more than 500,000 yuan, and shall punish the persons in charge and other persons directly responsible in accordance with the provisions of the preceding paragraph.
Article 68 If a network operator violates the provisions of Article 47 of this Law by failing to stop transmission, take disposal measures such as elimination, or keep records of information whose publication or transmission is prohibited by laws or administrative regulations, the competent department concerned shall order rectification, give a warning, and confiscate the unlawful income; and if it refuses to make rectification or the circumstances are serious, it shall impose a fine of not less than one hundred thousand yuan and not more than five hundred thousand yuan, and it may also be ordered to suspend the relevant business, suspension, rectification, closure of the website, revocation of the relevant business license or revocation of the business license, and impose a fine of not less than 10,000 yuan and not more than 100,000 yuan on the directly responsible supervisors and other directly responsible persons.
Electronic information sending service providers, application software downloading service providers, does not fulfill the security management obligations stipulated in paragraph 2 of Article 48 of this Law, shall be punished in accordance with the preceding paragraph.
Article 69 If a network operator violates the provisions of this Law and engages in any of the following acts, the competent department concerned shall order it to make corrections; if it refuses to make corrections or if the circumstances are serious, it shall impose a fine of not less than 50,000 yuan but not more than 500,000 yuan, and for the persons in charge directly responsible for the act and other persons directly responsible for the act, it shall impose a fine of not less than 10,000 yuan but not more than 100,000 yuan:
(a) Failure to take measures to stop transmission, eliminate and other disposable measures in accordance with the requirements of the relevant departments in respect of information the publication or transmission of which is prohibited by laws and administrative regulations;
(ii) Refusing or obstructing the supervision and inspection carried out by the relevant authorities in accordance with the law;
(c) Refusing to provide technical support and assistance to public security organs and State security organs.
Article 70 Anyone who publishes or transmits information prohibited from being published or transmitted by the second paragraph of Article 12 of this Law and other laws and administrative regulations shall be penalized in accordance with the provisions of the relevant laws and administrative regulations.
Article 71 Anyone who commits an illegal act under this Law shall be recorded in the credit file in accordance with the provisions of the relevant laws and administrative regulations, and shall be made public.
Article 72 If an operator of a governmental affairs network of a State organ fails to fulfill its obligation to protect network security as provided for in this Law, it shall be ordered by its superior organ or the relevant organ to make corrections; and the persons in charge and other persons directly responsible shall be punished in accordance with the law.
Article 73 If an Internet information department or a relevant department violates the provisions of Article 30 of this Law by using the information obtained in the performance of network security protection duties for other purposes, the directly responsible officer in charge and other directly responsible officers shall be given sanctions in accordance with the law.
If the staff of the Internet information department and related departments neglect their duties, abuse their powers, or engage in malpractice for personal gain, which does not constitute a crime, they shall be punished in accordance with the law.
Article 74 Anyone who violates the provisions of this Law and causes damage to others shall bear civil liability in accordance with the law.
If a violation of the provisions of this Law constitutes a violation of public security administration, public security administration penalties shall be imposed in accordance with the law; if it constitutes a crime, criminal responsibility shall be investigated in accordance with the law.
Article 75 If an institution, organization or individual outside the country engages in activities that endanger the critical information infrastructure of the People's Republic of China by attacking, intruding into, interfering with or destroying it, and if such activities result in serious consequences, it shall be investigated and held legally liable in accordance with the law; the public security department of the State Council and the relevant departments may decide to take measures to freeze the property of the institution, organization or individual, or to take other necessary sanctions.
chapter vii. bylaws
Article 76 Meaning of the following terms in this Law:
(a) Network means a system consisting of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information in accordance with certain rules and procedures.
(ii) Network security refers to the ability to prevent attacks, intrusion, interference, destruction and illegal use of the network as well as accidents by taking the necessary measures to keep the network in a state of stable and reliable operation, as well as to safeguard the integrity, confidentiality and availability of network data.
(iii) Network operators, which are the owners, managers and network service providers of networks.
(iv) Network data, which refers to all kinds of electronic data collected, stored, transmitted, processed and generated through networks.
(e) Personal information refers to all kinds of information recorded electronically or otherwise that can identify a natural person individually or in combination with other information, including, but not limited to, the natural person's name, date of birth, identity document number, personal biometric information, address, telephone number and so on.
Article 77 In addition to complying with this Law, the operation and security protection of networks storing and processing information involving State secrets shall also comply with the provisions of secrecy laws and administrative regulations.
Article 78 The security protection of military networks shall be separately regulated by the Central Military Commission.
Article 79 This Law shall come into force on June 1, 2017