New Delhi | China has moved decisively to harden its digital borders, forcing American and Israeli cybersecurity companies out of its core technology ecosystem under the banner of national security. A revised Cybersecurity Law (CSL), which came into force on January 1, 2026, has sharply raised regulatory barriers for foreign technology, turning compliance failures into high-risk legal and financial liabilities for Chinese firms using overseas software.
According to a Reuters report, the new rules have directly impacted several major US cybersecurity players, including VMware (owned by Broadcom), Fortinet, CrowdStrike, SentinelOne, Mandiant, Palo Alto Networks and Rapid7. Israel’s Check Point Software Technologies is also among the affected firms. Chinese companies have been instructed to stop using foreign cybersecurity tools that fail to meet the government’s revised approval standards.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
Legal framework to push out foreign tech
The amended CSL is widely seen as Beijing’s toughest regulatory action yet against foreign digital technology. Under the revised law, penalties have been significantly increased and earlier provisions requiring prior warnings have been removed. As a result, the use of unapproved foreign software is no longer a technical choice but a serious legal exposure.
Open-source intelligence analysis by India Today’s OSINT team indicates that the law has been designed to systematically remove foreign technology from China’s digital infrastructure and replace it with domestic alternatives under the “Made in China” strategy.
Mandatory government certification
Under the revised Article 23, every cybersecurity product must now undergo a stringent security review conducted by Chinese authorities. Until a product receives official government certification, it cannot be sold or used within China. Software that fails to clear the review is labelled “uncertified”, effectively barring it from the Chinese market.
This provision places foreign vendors at a structural disadvantage, as certification criteria and review processes remain opaque and tightly controlled by state agencies.
Heavy fines raise compliance pressure
Companies that continue to use uncertified cybersecurity products face severe penalties. Article 62 allows regulators to impose fines of up to 10 million yuan (approximately $1.4 million). For Chinese firms, this has made the continued use of foreign cybersecurity software a costly and risky proposition, accelerating the shift toward domestic alternatives.
Industry observers say the fear of penalties alone is enough to force enterprises to abandon foreign vendors, even without formal bans.
Global impact on cyber industry
The regulatory changes are expected to ripple through the global cybersecurity market. If US or Israeli firms fail China’s security reviews, their products could be barred entirely, while their Chinese clients may also face regulatory action. This dual liability has made foreign cybersecurity products commercially untenable for many Chinese enterprises.
Digital borders tightened further
China has also reinforced its concept of “digital sovereignty”. Under Article 35, operators of critical information infrastructure (CIIOs) are required to ensure that all network equipment and digital products pass national security assessments. This applies to sectors ranging from energy and telecom to finance and transportation.
Data must stay within China
Article 37 mandates strict data localisation. All data generated within China must be stored domestically, a rule that poses major challenges for cloud-based cybersecurity firms that rely on global data flows to analyse threats.
Companies such as CrowdStrike and SentinelOne operate global threat intelligence platforms that transfer data across borders for real-time analysis. China’s localisation rules directly conflict with this operating model, making compliance extremely difficult without restructuring global architectures.
Extraterritorial reach of the law
One of the most consequential changes is the law’s expanded extraterritorial scope. Revised provisions now allow Chinese authorities to take action against foreign companies or individuals located outside China if their activities are deemed to threaten China’s cybersecurity. The government is empowered to impose penalties, including freezing assets, even if the entity has no physical presence in the country.
Clear signal to the West
Taken together, the amendments send an unambiguous message: China intends to decouple its digital future from Western technology. Local data storage, state certification and security clearances are no longer negotiable. Market access will now be governed almost entirely by national security considerations.
The crackdown on US and Israeli cybersecurity firms is not merely a regulatory adjustment—it signals that in the world’s second-largest economy, business access in the digital sector will ultimately be decided by the state’s security priorities.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
