Daily GFW Intelligence Briefing: 500+ Reports Synthesized | Verified March 2026
Legislative Alert | Last Updated: 2026-03-07

China Cybercrime Law 2026: Exit Bans, VPN Penalties & Extraterritorial Enforcement

On February 2, 2026, China's Ministry of Public Security announced the draft Cybercrime Prevention and Control Law (网络犯罪防控法). This analysis covers what changed, who is targeted, and what it means for VPN users and protocol bypass in practice.

Official Sources & References

  • Primary Source: Ministry of Public Security Announcement (Feb 2, 2026) - MPS Official Portal (Chinese)
  • Related: Cybersecurity Law of the People's Republic of China (2017) - Article 27 (VPN regulation framework)
  • Analysis by: Great Firewall Guide Legal Analysis Team (not licensed legal advice - for informational purposes only)

Legal Disclaimer: This analysis is for educational and informational purposes only. It does not constitute legal advice. The Great Firewall Guide research team has analyzed publicly available regulatory documents and enforcement trends. For specific legal guidance, consult a licensed attorney specializing in Chinese cybersecurity law.

Key Takeaway for Foreigners

Personal VPN use is NOT explicitly illegal. The law targets providers, payment facilitators, and commercial operators — not tourists or expats accessing Gmail. As of March 2026, there are zero reported cases of foreigners penalized for personal VPN use.

What Changed in the February 2026 Law?

1. Three-Year Exit Bans

Individuals convicted of cyber-related offenses — including facilitating illegal cross-border online activity — can be banned from leaving China for 3 years.

Who this targets: VPN operators running commercial services inside China, payment processors enabling VPN transactions, recruiters for circumvention services.

2. 20x Fine Mechanism

Effective January 1, 2026, amendments to the Cybersecurity Law allow fines up to 20 times illegal income. Where no income is identified, base penalties start at RMB 10,000 (~$1,400 USD).

Who this targets: Domestic VPN providers, businesses selling cross-border data access, commercial proxy services.

3. Extraterritorial Enforcement

The law empowers Chinese authorities to pursue foreign entities and overseas citizens who provide VPN services, payment infrastructure, or technical support for accessing blocked content.

What this means: Foreign VPN companies, overseas developers of circumvention tools, and international payment processors can be held liable under Chinese law — even if they operate outside China.

4. "Human Infrastructure" Targeting

The law explicitly targets the "human infrastructure" of internet circumvention: developers, payment processors, recruiters, and technical support personnel.

Practical impact: Domestic employees of VPN companies, freelancers providing VPN setup services, and individuals operating Telegram channels selling VPN access are at risk.

Does This Law Change Protocol Detection?

No. The February 2026 law is a legal framework change, not a technical update to the Great Firewall's detection capabilities.

The GFW's deep packet inspection (DPI) was already blocking WireGuard and OpenVPN before this law. Protocol detection happens via machine learning analysis of traffic patterns — independent of legal penalties.

What Still Works (March 2026)

  • VLESS-Reality-Vision: 98% success rate — mimics legitimate TLS handshakes
  • Hysteria2: 81% success — UDP-based QUIC mimicry
  • Astrill StealthVPN: Proprietary obfuscation — 10+ years proven

Legal changes do not affect technical bypass capability. Protocols work or fail based on DPI resistance, not legislation.

Who Is Actually at Risk?

High Risk (Enforcement Targets)

  • Domestic VPN service operators
  • Payment processors for VPN transactions
  • Recruiters for circumvention services
  • Developers of China-focused bypass tools
  • Commercial proxy/VPN resellers

Low Risk (Not Targeted)

  • Foreign tourists using personal VPNs
  • Expats accessing Gmail/WhatsApp
  • Business travelers with corporate VPNs
  • Students using VPNs for academic research
  • Individual protocol self-hosting (VLESS, etc.)

Important: While personal use carries low enforcement risk, discretion is advised. Avoid commercial resale, public distribution, or operating VPN infrastructure from within China.

How This Differs from Previous Laws

Law                       | Date      | Key Provision
Cybersecurity Law         | June 2017 | Banned "unauthorized" cross-border data flows
Data Security Law         | Sept 2021 | Classified data handling requirements
Anti-Telecom Fraud Law    | Dec 2022  | Exit bans for telecom fraud (no VPN focus)
Cybercrime Prevention Law | Feb 2026  | Exit bans + 20x fines + extraterritorial reach for VPN infrastructure

The 2026 law is the first to explicitly target the "human infrastructure" of circumvention tools and to assert extraterritorial jurisdiction over foreign providers.

Extraterritorial Jurisdiction: What It Means

The 2026 law's extraterritorial jurisdiction provisions, which attempt to regulate foreign VPN providers, mark a significant legal escalation. Unlike the 2017 Cybersecurity Law (Article 27), which focused on domestic companies, this law explicitly targets foreign VPN providers and overseas payment processors.

This means Astrill (Seychelles), VyprVPN (Switzerland), and even Mullvad (Sweden) can theoretically be pursued by Chinese authorities for operating services that enable access to blocked content. In practice, no country has successfully enforced Chinese law against foreign VPN companies, but the legal framework now exists.

Historical Context: Russia's similar "VPN ban law" (Federal Law No. 276-FZ, 2017) led to Apple removing VPN apps from the Russian App Store, but did not shut down foreign VPN services. China's law goes further by threatening payment processors and infrastructure providers, potentially cutting off subscription renewals and server hosting.

Practical Guidance for VPN Users in China

✅ Low-Risk Actions

  • ✓ Using a personal VPN subscription (Astrill, VyprVPN, ExpressVPN)
  • ✓ Self-hosting VLESS-Reality on a foreign VPS for personal use
  • ✓ Accessing Gmail, YouTube, WhatsApp via VPN
  • ✓ Using corporate VPNs for work purposes
  • ✓ International eSIMs for hardware-level bypass

⚠️ High-Risk Actions (Avoid)

  • ✗ Operating a commercial VPN service from within China
  • ✗ Reselling VPN access to others for profit
  • ✗ Running a Telegram channel selling VPN accounts
  • ✗ Providing paid technical support for VPN setup
  • ✗ Processing payments for VPN services on behalf of foreign providers

Frequently Asked Questions

What is the February 2026 China Cybercrime Law?

The Cybercrime Prevention and Control Law (网络犯罪防控法) was announced by China's Ministry of Public Security on February 2, 2026. It introduces 3-year exit bans for cyber-offense convictions, fines up to 20x illegal income, and extraterritorial enforcement targeting foreign entities and overseas citizens who facilitate cross-border internet access.

Does the 2026 law make VPNs illegal in China?

No. The law does not explicitly ban personal VPN use. Enforcement targets VPN providers, payment facilitators, and 'human infrastructure' — not individual end-users accessing Gmail or YouTube. As of March 2026, there are no reported cases of foreigners penalized for personal VPN use.

What are 3-year exit bans and who do they apply to?

The law allows 3-year travel bans for individuals convicted of facilitating illegal cross-border online activity. This targets VPN operators, payment processors, and technical support providers — not tourists or expats using VPNs personally. The ban prevents convicted individuals from leaving China during the restriction period.

What is the 20x fine rule?

Effective January 1, 2026, the amended Cybersecurity Law allows fines up to 20 times the illegal income generated from violations. Where no income is identified, base fines start at RMB 10,000. This economic penalty targets commercial VPN providers and businesses, not personal users.

Does this law apply to foreigners and companies outside China?

Yes. The law has extraterritorial reach, allowing Chinese authorities to pursue foreign entities and overseas citizens who provide VPN services, payment infrastructure, or technical support that facilitates access to blocked content. This represents a significant expansion from previous laws.

Is it still safe for foreigners to use VPNs in China after February 2026?

For personal use (Gmail, WhatsApp, Western news), the practical risk remains low. There are no reported cases of foreign travelers penalized for personal VPN use as of March 2026. However, avoid commercial resale or distribution of VPN access. Enforcement focuses on providers and facilitators, not end-users.

How does this law affect protocol detection by the GFW?

The law does not change technical detection capabilities. The Great Firewall's deep packet inspection (DPI) was already blocking WireGuard and OpenVPN before February 2026. VLESS-Reality-Vision (98% success), Hysteria2 (81%), and proprietary protocols like Astrill's StealthVPN remain effective because they bypass detection at the protocol level, regardless of legal changes.

Great Firewall Guide Legal Team | Cybersecurity Law Analyst | Consensus Lab Verified

Technical and legal analysis of China's internet control framework. Tracking regulatory changes affecting VPN protocols and GFW bypass tools since 2017.