Wuhan Homsh Technology Co.,Ltd.

Navigating Compliance Under the Revised Cybersecurity Law | How Should Enterprises Select Biometric Technologies?

2026-02-12
      On January 1, 2026, the revised Cybersecurity Law of the People's Republic of China officially came into force. As the first major revision of this foundational law since its enactment in 2016, it forms the top-level design of China’s cybersecurity legal system together with the Data Security Law and the Personal Information Protection Law. For enterprises relying on biometric recognition technology for security control, this revision means far more than stricter penalties—it redefines the boundaries for processing biometric data and provides clear compliance guidance for enterprises in selecting biometric technologies.
      Meanwhile, the Measures for the Security Administration of Facial Recognition Technology Application took effect in June 2025, setting strict requirements for impact assessment and alternative solutions specifically for facial recognition scenarios. The national standard GB/T 45574-2025 Data Security Technology—Security Requirements for Processing Sensitive Personal Information further specifies the classification and processing norms of biometric information. Under the superposition of multiple regulations, enterprises’ selection of biometric technology has evolved from a pure technical choice to a strategic compliance decision.
      The revised Cybersecurity Law has raised the upper limit of fines for violations from 1 million yuan to 10 million yuan, and added penalties such as suspending the operation of applications, significantly increasing the cost of violations for enterprises.

I. Interpretation of Key Points of the New Regulations

      The revision of the Cybersecurity Law conveys several critical signals. It is the first major overhaul of this foundational law in nearly a decade, marking a comprehensive upgrade of the cybersecurity governance system by legislators. The core content of the revision can be understood along the following four dimensions.

1. Artificial Intelligence Incorporated into Law for the First Time

      The newly added Article 20 makes special provisions on the security and development of artificial intelligence, clarifying that the state supports basic theoretical research and key technology R&D of AI, while improving ethical norms and strengthening risk monitoring, assessment and security supervision. This means that enterprises using AI technology to process biometric data will face stricter ethical review and security supervision requirements.

2. Substantially Increased Penalties to Build a Strong Deterrence System

      The upper limit of fines has jumped from 1 million yuan to 10 million yuan in the revised version, with new penalty types such as suspending application operations added. At the same time, legal liability extends from enterprises to individuals, and directly responsible personnel will face harsher punishments. The sharply increased cost of violations puts forward higher requirements for the processing procedures of biometric data.

3. Coordination of the Three Laws to Form a Tight Regulatory Network

      The revised version strengthens the systematic connection with the Data Security Law and the Personal Information Protection Law, providing clear law enforcement guidelines through "applicable reference" clauses. When processing biometric data, enterprises must meet the requirements of all three laws simultaneously, and negligence in any link may trigger law enforcement actions.

4. Flexible Law Enforcement Clauses

      Notably, the newly added Article 73 is connected with the Administrative Penalty Law, clarifying that enterprises may be given mitigated, reduced or no punishment if they take the initiative to eliminate harmful consequences, promptly correct minor violations without harmful consequences, or have no subjective fault. This clause provides a "safety buffer" for enterprises with active compliance efforts.

II. Compliance Red Lines and Bottom Lines for Biometric Data

      The revised Cybersecurity Law and supporting regulations jointly define the "red lines" and "bottom lines" for the processing of biometric data. When deploying biometric systems, enterprises must meet compliance requirements in the following dimensions.

1. Definition and Classification of Sensitive Information

      Biometric information is explicitly listed as "sensitive personal information", including facial, fingerprint, voiceprint, iris, genetic information and so on. This means that no matter which biometric technology an enterprise adopts, the collected data will be subject to the highest level of protection requirements.

2. Full Life Cycle Compliance Requirements

| Compliance Link | Core Requirements | Legal Basis |
|---|---|---|
| Collection Notification | Obtain separate consent from the individual and clearly inform the purpose and method of processing | Article 29 of the Personal Information Protection Law |
| Impact Assessment | Conduct a Personal Information Protection Impact Assessment (PIA) before use | Article 9 of the Measures for the Security Administration of Facial Recognition Technology Application |
| Transmission Security | Adopt at least channel encryption, and preferably combine it with content encryption | GB/T 45574-2025 Data Security Technology—Security Requirements for Processing Sensitive Personal Information |
| Storage Security | Encrypted storage, and biometric templates shall be non-reversible | Cybersecurity Law + Data Security Law |
| Compliance Audit | Processors handling information of more than 1 million people must appoint a protection responsible person | Measures for the Administration of Personal Information Protection Compliance Audits |
| Site Notification | Collection equipment installed in public places must be equipped with prominent prompt signs | Article 26 of the Personal Information Protection Law |

      It can be seen from the above requirements that the regulations not only focus on the notification and consent in the data collection link, but also extend regulatory supervision to the full life cycle of data transmission, storage and audit. Under such a regulatory framework, the security architecture of biometric technology itself becomes a key variable for compliance—the quality of technical selection directly determines the level of compliance costs.

III. Iris vs. Face: Privacy and Compliance Comparison of the Two Technologies

      In enterprise-level biometric scenarios, facial recognition and iris recognition are the two most mainstream technical routes. However, under the new compliance framework, the two show significant differences in data security and privacy protection.

| Comparison Dimension | Face Recognition | Iris Recognition |
|---|---|---|
| Data Reversibility | Face images can be restored to original photos, with a high risk of leakage | Iris encoding templates are non-reversible, naturally conforming to the principle of "data available but not visible" |
| Remote Forgery Risk | Can be cracked through photos, videos, and AI deepfake technology | The iris is located inside the eyeball and cannot be collected or forged remotely |
| Public Place Compliance | Prominent prompt signs are required, and installation in private spaces is prohibited | Active cooperative collection, with higher user awareness |
| Data Storage Security | Facial feature vectors still have a certain reversibility after storage | Chip-level AES-256 encryption, hardware-isolated storage, with higher data security |
| Impact Assessment Difficulty | Multiple risk factors such as privacy collection and deepfakes need to be considered | The technical architecture inherently avoids most risks, making the assessment process simpler |
| Recognition Accuracy | Affected by factors such as light, angle, and makeup, with a false recognition rate of about one in a million | Binocular recognition accuracy reaches one in a billion, unaffected by appearance changes |

      From a compliance perspective, iris recognition technology has significant structural advantages. Its core lies in "data available but not visible"—the digital template generated after encoding iris features cannot be reversely restored to the original biological image. Even if the database is breached, attackers cannot restore the user’s biometric features. This technical feature is naturally consistent with the storage requirement of "non-reversible restoration" for biometric templates in the Security Requirements for Processing Sensitive Personal Information.
      Facial recognition technology, by contrast, faces more compliance challenges. The Measures for the Security Administration of Facial Recognition Technology Application clearly requires a Personal Information Protection Impact Assessment (PIA) before using facial recognition technology, prohibits the installation of facial recognition equipment in private spaces such as hotel rooms and public bathrooms, and mandates the provision of alternative identification solutions. These special provisions reflect regulators’ concerns over the inherent risks of facial recognition technology.

IV. Homsh’s Compliance Solutions

      As a pioneer in iris recognition technology in China, Wuhan Homsh Technology Co., Ltd. (Homsh) has built a complete technical system from chips to terminals and from algorithms to solutions, capable of providing enterprises with full-link compliance-level biometric recognition solutions.

1. PhaseIris 3.0: Compliance-Level Algorithm Architecture

      PhaseIris 3.0, the third-generation core iris recognition algorithm independently developed by Homsh, adopts a 384-bit operation width and can compress the feature data template size to 2KB without reducing biometric feature points. Crucially, there is no mathematical reverse inference relationship between the encoded digital template and the original iris image, realizing true "data available but not visible". The binocular recognition accuracy reaches one in a billion, far exceeding the industry average.

2. Qianxin Series Chips: Hardware-Level Security Barrier

      The Qianxin Series dedicated ASIC chips for iris recognition launched by Homsh are the world’s first chips that fully implement the iris recognition algorithm in hardware. Different from the traditional software + general-purpose processor architecture, the Qianxin chips adopt an on-chip system isolation architecture, combined with full hardware AES-256 encryption, ensuring that iris template data is processed in a hardware security environment throughout the whole process of collection, encoding, matching and storage. The encoding speed is less than 50ms, and the single-core matching time is only 320 nanoseconds.
      This means that biometric data never exists in plaintext in any software-accessible memory space, fundamentally eliminating the risk of data leakage at the software level—a security level that traditional pure software biometric solutions cannot achieve.

3. D Series Access Control Terminals and G Series Channel Gates: Compliance Implementation Terminals

      At the terminal product level, Homsh’s D Series Iris Access Control Terminals and G Series Iris Channel Gates are all built with Qianxin chips, supporting the completion of all recognition processes locally on the device side. This "edge-side computing" architecture means that biometric data does not need to be uploaded to the server, avoiding the risk of data leakage in network transmission and greatly simplifying the enterprise’s compliance audit process.
      The D Series Access Control Terminals support a recognition distance of 30cm to 70cm, complete binocular iris registration and authentication within 1 second, and a single device can store tens of thousands of template data. The G Series Channel Gates are suitable for high-traffic scenarios such as large parks and industrial facilities, supporting multi-device networking collaboration.

V. Suggestions for Enterprise Biometric Compliance Implementation

      Based on the requirements of the revised Cybersecurity Law and supporting regulations, we recommend that enterprises advance biometric compliance in the following five steps.

Step 1: Prioritize Compliance Audit

      Enterprises should first conduct a comprehensive compliance audit of existing biometric systems to assess whether the current system meets the requirements of the Cybersecurity Law, Personal Information Protection Law and relevant national standards. Focus on reviewing the notification and consent mechanism for data collection, transmission encryption methods, storage security policies and data deletion mechanisms.

Step 2: Upgrade Technical Selection

      Prioritize biometric technologies with "non-reversible restoration" features to reduce data security risks from the source. Iris recognition technology has natural advantages in meeting compliance requirements due to the irreversibility of its encoded templates. At the same time, products with hardware-level encryption capabilities should be selected to avoid potential security risks caused by pure software solutions.

Step 3: Prioritize Edge-Side Computing

      Adopt an edge-side computing architecture as much as possible to complete the collection, encoding and matching of biometric features all on the device side. This not only reduces the security risks of network transmission, but also simplifies the compliance management of data flow for enterprises. Homsh’s Qianxin chip solution is a typical practice of this concept.

Step 4: Establish Full Life Cycle Management

      Establish a full life cycle management system for biometric data, from collection notification, use authorization, storage encryption, audit tracking to data deletion. It is recommended to appoint a dedicated person in charge of personal information protection and conduct regular compliance audits.

Step 5: Form a Compliance Document System

      Improve compliance documents such as personal information protection impact assessment reports, data processing records, and security incident response plans. In regulatory inspections or compliance audits, a complete document system can effectively prove the enterprise’s compliance efforts and trigger the protection of "mitigated or reduced punishment" in the new flexible law enforcement clauses of the Cybersecurity Law.

Conclusion: Compliance Is Not a Cost, but a Competitive Advantage

      The revised Cybersecurity Law sends a clear signal to the market: the processing of biometric data is no longer an internal matter of the technical department, but a strategic issue related to the enterprise’s compliance lifeline. In this context, choosing a biometric technology that meets compliance requirements from the architectural design level is not only a reasonable choice to reduce risks, but also a competitive advantage in the enterprise’s digital transformation.
      With its technical feature of "data available but not visible", hardware-level security guarantee and one-in-a-billion recognition accuracy, iris recognition has found the optimal balance between compliance requirements and security performance. For enterprises evaluating the upgrade of biometric technology, this is a window period to re-examine technical selection and establish compliance advantages.