China has significantly expanded its so-called “digital Great Wall” with the enforcement of sweeping amendments to its Cybersecurity Law (CSL), a move that is accelerating the exit of foreign cybersecurity firms from the Chinese market. The revised law, which came into force on January 1, 2026, introduces harsher penalties, stricter certification requirements and broader legal reach, fundamentally reshaping how foreign technology can operate in the country.
According to a Reuters report, Chinese authorities have instructed domestic firms to stop using cybersecurity software from the United States and Israel, citing national security risks. The directive affects several major US companies, including VMware, Palo Alto Networks, Fortinet, CrowdStrike, SentinelOne, Mandiant and Rapid7, as well as Israel’s Check Point Software Technologies.
At the heart of the shift is the amended CSL, which removes the requirement for initial regulatory warnings and sharply increases fines. Under revised Article 23, all cybersecurity products must now pass a rigorous state-run security review and receive official certification before being sold or used in China. Products that fail this process are deemed “uncertified,” and companies that continue to use them face severe penalties.
Article 62 of the amended law allows authorities to impose fines of up to 10 million yuan (around $1.4 million) on companies using uncertified cybersecurity tools. This effectively turns the use of foreign software into a major financial and legal risk for Chinese businesses.
The amendments also strengthen data localisation and infrastructure controls. Article 35 requires operators of Critical Information Infrastructure to ensure that any network products they procure pass a national security review if they could affect state security. Article 37 mandates that all data collected within China must be stored domestically, a provision that directly challenges cloud-based cybersecurity firms whose platforms rely on global data flows for threat analysis.
One of the most far-reaching changes is the expansion of the law’s extraterritorial scope. The former Article 75 has been merged into Article 77, extending liability to overseas organisations and individuals whose activities are deemed to impact China’s cybersecurity. This provision allows Beijing to sanction foreign firms or freeze assets even if they have no physical presence in China.
Together, these changes mark a decisive shift in Beijing’s technology strategy. By making state certification, local data storage and national security reviews mandatory, China is reducing dependence on Western technology and asserting tighter control over its digital ecosystem. The effective purge of US and Israeli cybersecurity firms signals that, under the new legal regime, national security considerations will ultimately determine who can do business in the world’s second-largest economy.
