China’s New Cybersecurity Law Is Here — And It Changes Everything for Businesses

China has officially entered a new era of cyber regulation. As of January 1, 2026, the amended China cybersecurity law is now in effect, representing the most significant update to the framework since it was first introduced in 2017. The changes redefine how organizations must respond to cyber incidents, how swiftly regulators can impose penalties, and how Chinese authorities can assert jurisdiction, even over foreign entities. For organizations operating in China, selling products or services into the Chinese market, or relying on suppliers connected to Chinese critical infrastructure, the compliance landscape has already shifted. Cybersecurity obligations are no longer defined by extended investigation timelines or staged remediation. Instead, the law emphasizes speed, accountability, and immediate regulatory engagement. 

Near-Real-Time Incident Reporting is Now Mandatory 

One of the most consequential elements of the amended China cybersecurity law is the tightening of incident reporting timelines. Operators of critical information infrastructure are now required, in certain scenarios, to submit an initial notification of significant cybersecurity incidents within as little as 60 minutes. In other cases, the reporting window extends to four hours, but regulators have made clear that expectations align with near-real-time disclosure.

These requirements are reinforced by the Administrative Measures for National Cybersecurity Incident Reporting, issued by the Cyberspace Administration of China (CAC), which came into force on November 1, 2025. The measures consolidate previously fragmented reporting obligations into a unified framework that applies to all network operators that build or operate networks within China or provide services through Chinese networks.

Cybersecurity incidents are classified into four levels of severity. “Relatively major” incidents, such as data breaches affecting more than one million individuals or causing economic losses exceeding RMB 5 million (approximately USD 700,000), must be reported within four hours of discovery. A preliminary report must be followed by a detailed assessment within 72 hours and a post-incident review within 30 days after resolution.

At the highest tier, “particularly serious” incidents must be reported within one hour. Authorities receiving such reports are required to notify the National Cyberspace Administration and the State Council within 30 minutes, accelerating escalation to the highest levels of government.

China's Cybersecurity Law Introduced Tougher Penalties and Expanded Personal Liability 

The amended China cybersecurity law substantially raises the cost of non-compliance. Organizations found in serious violation now face fines of up to RMB 10 million, while individuals directly responsible can be fined up to RMB 1 million. The inclusion of personal liability reflects a broader regulatory trend toward holding executives, security leaders, and responsible managers directly accountable.

Regulators are also empowered to act more quickly. The traditional enforcement sequence of warning, rectification, and then penalties has been streamlined. Authorities may now issue penalties without first requiring corrective actions, accelerating enforcement timelines.

Supply chain accountability has hardened as well, particularly for operators of Chinese critical infrastructure. The amended law introduces penalties tied to the use of non-compliant products or services. In some cases, fines may reach up to ten times the purchase amount, increasing exposure for procurement and vendor management failures.

Expanded Extraterritorial Reach 

Another major change is the expansion of extraterritorial jurisdiction. Previously, the Chinese cybersecurity law focused primarily on foreign conduct that directly harmed China’s critical information infrastructure. The amended language now extends coverage to any foreign activity that endangers China’s network security, regardless of whether it directly targets critical infrastructure.

In severe cases, authorities may impose punitive measures such as asset freezes or other sanctions. For multinational organizations, this expansion introduces new compliance risks tied to global operations, including cloud routing decisions, software dependencies, managed services, network equipment, and manufacturing origins that intersect with China-connected systems.

AI Governance Formally Embedded Into the China Cybersecurity Law 

For the first time, artificial intelligence is explicitly addressed within the China cybersecurity law. A newly added article emphasizes state support for AI development while simultaneously strengthening AI ethics governance and safety oversight. The law encourages the use of AI to improve cybersecurity management, acknowledging its role as both a defensive capability and a potential source of systemic risk.

While the amendments outline strategic priorities, detailed implementation guidance is expected through future regulations or technical standards. The formal integration of AI governance into foundational cybersecurity legislation signals that compliance expectations will increasingly extend beyond traditional IT security into algorithmic accountability and risk management.

Defined Thresholds for Severe Cyber Incidents 

The CAC’s reporting measures provide detailed criteria for classifying severe cyber incidents. “Particularly serious” incidents include cyberattacks or system failures affecting government portals, major news websites, or critical infrastructure for more than 24 hours, or as little as six hours if an entire system is affected.

Incidents that disrupt essential services for more than 50% of a province’s population or affect the daily lives of more than 10 million people, including utilities, transportation, and healthcare, also fall into this category. Large-scale data breaches involving the personal information of more than 100 million citizens or financial losses exceeding RMB 100 million (approximately USD 14 million) are similarly classified.

Once an incident is resolved, network operators are required to submit a comprehensive report within 30 days, detailing root causes, response measures, impact assessments, corrective actions, and lessons learned.

Compliance Pressure Extends Across Global Supply Chains 

The practical impact of these changes extends well beyond China’s borders. As Sanjiv Cherian wrote on LinkedIn, “Can our SOC classify severity and determine reportability within 60 minutes? Do we have delegated authority to notify waiting for the executive to sign off across time zones? Is our evidence pipeline mature enough to produce regulator-ready documentation while the incident is still unfolding?”

He added that most organizations spend the first hour trying to understand what happened. Under the amended China cybersecurity law, that first hour has become compliance time.

For global enterprises connected to Chinese critical infrastructure, through vendors, software, networks, or managed services, the 2026 amendments represent a decisive shift. Speed, documentation, and accountability are no longer optional components of cybersecurity programs. They are now legally enforceable obligations at the core of China’s cybersecurity enforcement regime.

2025 Changed How I See Cybersecurity in ASEAN—and It Wasn’t About Technology

29 December 2025 at 03:33

By Salleh Kodri, Sr Presales consultant, Cyble

As 2025 comes to a close, one thing is clear to me: The most damaging cyber incidents across ASEAN this year did not start with malware, zero-days, or system breaches. They started with trust. Across my work in Malaysia, Singapore, Thailand, Indonesia, the Philippines, and Vietnam, I repeatedly saw organizations doing “everything right” from a technical security standpoint, yet still suffering real-world damage because their brand, identity, or executives were exploited. 2025 was the year many of us finally realized that brand is no longer a marketing concern. It is a cyber asset, and in ASEAN, it has become one of the most abused attack surfaces.

Malaysia: When Customers Were Hit Before Banks Even Knew

In Malaysia, I saw multiple cases where:
  • Fake banking websites and phishing pages were already circulating
  • Scam campaigns were active in Bahasa Malaysia
  • Customers were already losing money
Before the institution itself had any alert. What struck me was this: There was no breach. No malware. No SOC alert. The damage happened entirely outside the bank’s environment, through brand impersonation, fake domains, and social media abuse. By the time complaints reached the organization, trust had already eroded. The lesson was painful but clear: If you only monitor what happens inside your network, you will always be late.

Singapore: Reputation Damage Moves Faster Than Regulation

In Singapore, the challenge was not capability, it was speed and exposure. I observed:
  • Fake government-related services appearing online
  • Impersonation attempts abusing official-looking communications
  • Scam infrastructure spun up and taken down rapidly
Even in a highly regulated, mature environment, brand abuse moved faster than response processes. What concerned stakeholders most was not technical impact, but public confidence. Once trust is questioned, no amount of post-incident explanation can fully undo the damage. Singapore reinforced a critical truth for me in 2025: Cybersecurity maturity does not automatically protect digital reputation.

Thailand: Executive Impersonation Became the Weakest Link

In Thailand, the most alarming trend I encountered was executive identity abuse. We saw:
  • Fake LINE and WhatsApp accounts impersonating senior leaders
  • Social media profiles cloning executives from banks and enterprises
  • Attempts to influence internal decisions using perceived authority
These were not sophisticated hacks. They were psychological attacks, exploiting hierarchy, respect, and urgency. What made this dangerous was that traditional security tools had no visibility into it. The risk sat squarely at the intersection of human trust and digital identity, a space most security programs were not designed to defend.

Indonesia: Scale Made Brand Abuse a Business Model

Indonesia showed me what happens when scale meets weak visibility. With its massive digital population, attackers exploited:
  • Fake mobile apps using trusted brand names
  • Clone domains targeting regional customers
  • Long-running scam campaigns that reused infrastructure
In several cases, takedown efforts were slow, not because teams didn’t care, but because they discovered the abuse far too late. By the time action was taken, the attackers had already moved, rebranded, and relaunched elsewhere. Indonesia highlighted something important: Brand abuse in ASEAN is not opportunistic, it is industrialized.

Philippines: Trust Was Exploited Through Familiarity

In the Philippines, what stood out to me was how attackers weaponized familiar communication channels. We encountered:
  • SMS and messaging-based impersonation
  • Social engineering campaigns tailored to local behavior
  • Brand abuse that felt “normal” to recipients
Victims didn’t think they were being attacked. They thought they were interacting with legitimate services. The danger here wasn’t technology, it was perception. And perception is exactly what brand abuse manipulates best.

Vietnam: Digital Growth Outpaced Brand Defense

Vietnam’s rapid digital growth in 2025 came with an unintended consequence: Brand exposure expanded faster than brand protection. I observed:
  • New digital services being impersonated almost immediately
  • Fake pages and domains launched within days of public announcements
  • Limited monitoring beyond core infrastructure
Vietnam reminded me that digital transformation without intelligence-led visibility creates silent risk, especially when brand assets are treated as secondary concerns.

Why 2025 Changed My View on Cyber Risk in ASEAN

Across all these countries, one pattern kept repeating:
  • No malware required
  • No system compromise needed
  • No technical alert triggered
Yet real harm occurred—financial, reputational, and regulatory. That was my biggest takeaway of 2025: Cyber risk in ASEAN is no longer defined by system compromise alone. It is defined by how easily trust can be abused.

Brand Is Now a Cyber Asset, Whether We Like It or Not

In 2025, I stopped asking: “Is this a cybersecurity issue?” And started asking: “Does this harm trust, safety, or public confidence?” Because once customers, citizens, or partners lose trust, recovery becomes exponentially harder than restoring a system from backup. Brands, executives, and digital identities now require the same discipline we apply to networks and endpoints:
  • Continuous monitoring
  • Early intelligence
  • Rapid disruption
  • Clear ownership

Looking Into 2026: Trust Will Be the New Perimeter

As ASEAN continues to digitize, attackers will not slow down. They will go where defense is weakest, and in many organizations, that is still outside the firewall. In 2026, the question will no longer be: “Are we secure?” It will be: “Do we know how our brand, identity, and trust are being abused—right now?” Those who answer that question honestly and act on it will be ahead. Those who don’t will keep defending systems while attackers exploit perception.

Personal Closing

2025 changed how I see cybersecurity in ASEAN. Not as a technology problem, but as a trust problem. And trust, once lost, is the hardest asset to recover.

(This article reflects the author’s analysis and personal viewpoints and is intended for informational purposes only. It should not be construed as legal or regulatory advice.)