China Expands AI Governance with New Cybersecurity Law Amendments

China amends Cybersecurity Law to explicitly cover AI governance

China introduced amendments to its Cybersecurity Law that expand the law’s scope to explicitly include AI governance, strengthen requirements around supply-chain cybersecurity, and increase penalties for noncompliance. The IAPP notes that the updated framework is expected to be operationalized through more than 30 standards focused on AI security, AI agents, and data infrastructure, with rollout expected in 2026.

For organizations building, deploying, or supporting AI systems that operate in China—or that touch Chinese data ecosystems—this signals a shift from “AI policy guidance” toward enforceable cybersecurity-style controls. The near-term work is less about model novelty and more about proving control: how data (including synthetic data) is sourced, transformed, accessed, monitored, and governed across the lifecycle.

• AI pipelines become compliance artifacts. Expect requirements to document and demonstrate controls across data ingestion, training, evaluation, deployment, and monitoring—so build audit trails that cover both real and synthetic datasets.
• Supply-chain scrutiny rises. Vendor and dependency management (data providers, model components, agents, tooling, infrastructure) will likely be treated as cybersecurity risk, pushing teams toward tighter third-party controls and clearer accountability.
• Standards-driven implementation is coming. With 30+ AI security standards slated for 2026, teams should plan for a controls mapping exercise (what you do today vs. what the standards will likely require) rather than one-off policy updates.
• Cross-border compliance gets harder. As AI governance is pulled into national cybersecurity frameworks, privacy and compliance teams should anticipate stricter expectations around how training data and derived artifacts move across jurisdictions.