
The Biweekly Pulse: 20th – 31st October – China’s Cybersecurity Law, Australia’s RCM Mark, and Battery Due Diligence Updates

Nov 05, 2025

The Pulse was originally posted on 5th November, 2025. Further regulatory developments may have occurred after publication.



What is Our Content Team Talking About?

China Adopted Major Amendments to the Cyber Security Law, Effective 1 January 2026

by Giselle Chia, Senior Regulatory Compliance Specialist

On 28 October 2025, the Chinese President issued Order No. 61 concerning a Decision of the Standing Committee of the National People’s Congress of the same day to amend various key aspects of the Cyber Security Law.

Scheduled to take effect on 1 January 2026, the amendments introduce new articles and revise existing ones, mainly focusing on strengthening governance, promoting artificial intelligence (AI) development, clarifying personal information processing, and significantly increasing penalties for violations.

Support for AI and Technology

The amendments explicitly state that the State shall:

  • Support fundamental research in AI and the development of key technologies such as algorithms;
  • Advance the construction of infrastructure including training data resources and computing power;
  • Refine ethical standards for AI, strengthen risk monitoring, assessment and safety oversight; and
  • Promote the application and healthy development of AI.

In addition, the State will support innovative approaches to cyber security management by employing new technologies such as AI to enhance cyber security protection levels.

Personal Information Processing by Network Operators

The amendments mandate network operators processing personal information to comply with the Cyber Security Law and other relevant laws and administrative regulations, including the Civil Code and the Personal Information Protection Law.

Increased Penalties and Fines

The amendments introduce tiered, significantly higher fines, especially for critical information infrastructure (CII) operators and for violations causing severe consequences.

CII Security Protection Obligations

  • Failure of CII operators to fulfil CII-specific security protection obligations may result in a fine of up to RMB 1,000,000 for the operator and up to RMB 100,000 for personnel.

Severe and Particularly Severe Consequences:

  • Causing severe consequences (e.g., large-scale data leakage, partial loss of CII functionality): fines from RMB 500,000 to RMB 2,000,000 for the operator, and RMB 50,000 to RMB 200,000 for personnel.
  • Causing particularly severe consequences (e.g., loss of major CII functionality): fines from RMB 2,000,000 to RMB 10,000,000 for the operator, and RMB 200,000 to RMB 1,000,000 for personnel.

CII Procurement Security:

  • CII operators who use network products or services that have not undergone or passed a security review are subject to penalties, including an order to cease use and eliminate the impact on national security. They can also be fined between 1 and 10 times the procurement cost, and the personnel can be fined RMB 10,000 to RMB 100,000.

CII Personal Information Processing and Cross-Border Data Transfer:

  • CII operators who violate the following provisions shall be handled and penalised according to the provisions of relevant laws and administrative regulations (e.g., the Personal Information Protection Law):
    • publishing or transmitting information prohibited from being published or transmitted;
    • infringing upon the rights and interests of personal information;
    • storing personal information and important data outside of China, or providing personal information and important data to an overseas recipient. 

Violations of network operators that infringe upon personal information rights are also to be handled and penalised according to the provisions of relevant laws and administrative regulations like the Personal Information Protection Law.

The amendments also introduce penalties for the illegal sale of critical network equipment or dedicated network security products. Selling or providing critical network equipment or dedicated network security products that have not passed or are deemed non-compliant with security testing and security testing requirements may result in fines of 1 to 5 times the illegal proceeds and can lead to business suspension or license revocation.

Foreign entities or individuals engaging in activities that endanger the cyber security of China will be held legally accountable. For severe consequences, relevant State departments can impose sanctions, including the freezing of assets.

What Are Our Knowledge Partners Talking About?

Productwise Battery Shorts, Part 4: New Supply Chain Due Diligence Obligations

by Cooley

In Part 4 of our ‘Battery Shorts’ series, we look at the new supply chain due diligence requirements for companies under the European Union (EU) Batteries Regulation. These requirements were originally due to apply from 18 August 2025, but the European Commission extended this date by two years, to 18 August 2027.

If you are wondering whether the Batteries Regulation applies to your products, please see Part 1 of our series.

Who is in scope?

The battery due diligence obligations apply to manufacturers or importers placing batteries on the EU market, where their net turnover (or the net turnover of their group) is at least 40 million euros in the financial year preceding the last financial year. There is currently a European Commission proposal to increase this turnover threshold to 150 million euros. This proposal is part of a larger package of reforms and is currently still under negotiation.

The obligations apply to economic operators responsible for placing both stand-alone batteries and batteries that are incorporated into products on the EU market. This means that manufacturers and importers will be responsible for compliance with these requirements where they place batteries on the EU market, even where their batteries were originally sourced from a third party outside the EU.

What are the new requirements?

From 18 August 2027, companies in scope must implement a comprehensive battery due diligence system covering the following pillars:

1. Battery due diligence policy (DDP)

Businesses must adopt a corporate battery DDP addressing the sourcing of cobalt, lithium, nickel, natural graphite and related compounds. The policy must identify social and environmental risks and align with international standards. The battery DDP must also be verified by a notified body, and compliance must be audited annually.

2. Update supplier contracts

Supplier contracts must incorporate both the company’s battery DDP and its risk management measures. In practice, this means that most businesses will need to take steps to amend their existing contracts now, so the new measures are incorporated for the compliance deadline.

3. Traceability system

Companies are also required to establish a system of controls and transparency over their supply chain, including a chain of custody or traceability system which identifies upstream actors in the battery supply chain. In practice, this can take some time to put in place, given many companies’ limited visibility over their supply chains beyond their direct suppliers. The traceability system must be supported by documentation that provides at least the following information:

  • A description of the raw material, including its trade name and type.
  • The name and address of the supplier that supplied the raw material to the economic operator that places the batteries on the market.
  • The country of origin of the raw material and the market transactions from the raw material’s extraction to the immediate supplier to the economic operator placing the battery on the market.
  • The quantity of the raw material present in the battery, expressed in percentage or weight.
  • Third-party verification reports issued by a notified body, or if these are not available and the raw material originates from a conflict-affected and high-risk area, additional information as set out in the Organisation for Economic Co-operation and Development (OECD) Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-….

For many businesses, this will require greater scrutiny over their supply chains, particularly for those purchasing batteries from third parties before incorporating them into products.

4. Oversight responsibility with top management level

Businesses must establish a risk management system that assigns responsibility for overseeing the battery DDP to the company’s ‘top management level’. The company must also report the findings of its risk assessment to the top management level. Generally, we see companies setting this up by establishing a committee that includes senior management.

5. Due diligence and risk management

Businesses must conduct a risk assessment to establish whether there are any adverse impacts in their battery supply chain associated with the risk categories listed in Annex X (which includes environmental impacts, human rights and community life, including that of Indigenous people). Following this assessment, businesses are required to develop a risk management plan which includes a strategy to address the identified risks – including mitigation, supplier engagement and escalation – with the findings being reported to top level management. Companies are expected to keep this plan under review, and it should be adapted when any new risks are identified.

6. Grievance mechanism

There is also a requirement for the company’s due diligence system to integrate grievance and remediation mechanisms aligned with the United Nations’ Guiding Principles on Business and Human Rights.

7. Annual Report

Annually, businesses must publish a report on a free-to-access website which must include data and information on steps taken to comply with the due diligence requirements, any significant adverse impacts in identified risk categories and how these have been addressed. The report must also include a summary of the third-party audit carried out regarding the business’ compliance with its battery DDP. The first report will likely need to be published by 18 August 2028.

8. Annual Closure

Documentation, including audit and verification reports, must be retained for 10 years after the last battery covered by the battery DDP is placed on the market.

Compliance with all the requirements mentioned in this blog post must be audited periodically by a notified body.

How can companies get support with compliance?

Businesses can join a recognised scheme to support their compliance programs but will remain individually liable for compliance. This means that while schemes can support compliance, ultimately it will be up to each company to make sure they have a compliant policy and process, do the audit on time and keep the necessary documentation. At the time of writing this post, no due diligence schemes have been recognised by the European Commission. Once a scheme has been recognised, it will be recorded in a public register maintained by the European Commission. The European Commission is required to adopt guidelines to support the due diligence obligations by 27 July 2026.

What should my business do next?

The Batteries Regulation applies in addition to other EU due diligence laws, such as the Conflict Minerals Regulation, Critical Raw Materials Act and the upcoming Corporate Sustainability Due Diligence Directive (CSDDD). Businesses are advised to approach their EU supply chain diligence compliance holistically, since it may be possible to leverage compliance with other due diligence laws that also apply to them. 

Concretely, we recommend that companies:

  • Review existing supply chain policies and update for EU Batteries Regulation compliance or create a new battery DDP.
  • Review and update contracts with battery suppliers to integrate the battery DDP and risk management processes.
  • Update governance processes and assign oversight responsibility to top management.
  • Put in place a traceability system for the battery supply chain. 
  • Start doing due diligence on the company’s battery supply chains to assess environmental and/or human rights risks, and document processes.
  • Engage a notified body for the audit once they are designated by the European Commission.

Stay tuned for Part 5 of our ‘Battery Shorts’ series, which will cover the new removability and replaceability requirements in the Batteries Regulation.

What Are Our Clients Asking About?

Is the Australian RCM mark required for each product component of an electronic enclosure (wireless board, RF module, etc.), or is it sufficient on the enclosure as a whole?

Answered by Andrew O’Neill, Regulatory Compliance Specialist

Under the Australian regulatory framework administered by the ACMA and ERAC, the RCM mark applies to the final, market-ready product rather than to each internal component. This means the RCM should appear on the complete enclosure as sold, not on each wireless or RF module inside it. The party responsible for placing the final product on the Australian market must ensure that the product as a whole complies with the relevant requirements for radio, EMC, and electrical safety, where applicable.

If the wireless modules integrated into the enclosure are already RCM-approved, you may rely on their existing compliance, provided that their RF characteristics are not altered in any way, such as by changing antennas, shielding, or operating conditions. The module supplier’s test reports and Declaration of Conformity should be retained in the technical file as evidence of compliance. However, if any modification affects the RF performance, or if multiple modules are combined in a way that changes emission behavior, new testing may be necessary to demonstrate continued conformity.

In cases where the enclosure includes multiple RF modules, power supplies, or other components that could influence electromagnetic emissions, EMC testing of the complete assembly is generally required. Likewise, if the product is mains-powered, it may fall under the Electrical Equipment Safety System (EESS), which carries additional registration obligations.

Only the final marketed enclosure needs to bear the RCM mark, supplier identification (for example, the Australian company name or registration number), and model number. The internal boards or modules do not require separate RCM marks once enclosed.
