The Regulations for the Security Protection of Critical Information Infrastructure (the “CII Regulations”) were recently promulgated and will come into effect alongside the Data Security Law (the “DSL”) on September 1, 2021.
The Cybersecurity Law (the “CSL”), which was promulgated in November 2016 and took effect on June 1, 2017, first introduced the concept of, and regulatory requirements for, critical information infrastructure (“CII”). Article 31 of the CSL prescribes that "the specific scope and security measures for critical information infrastructure shall be developed by the State Council". After the CSL took effect, a common question was how to identify CII. With the promulgation of the CII Regulations, the answer to this question is becoming clearer.
I. Legislative Process and Background
Article 25 of the National Security Law, which came into effect in July 2015, stipulates that “the State shall construct a network and information security protection system, upgrade the capacity to protect network and information security, step up the innovative research, development and application of network and information technologies and achieve the security and controllability of core network and information technologies, critical infrastructure and information systems and data in key areas; the State shall also enhance network management, prevent, stop and punish illegal and criminal network activities such as cyberattacks, cyber invasion, cyber theft and the dissemination of illegal and harmful information, so as to safeguard national sovereignty, security and development interests in cyberspace.”
In March 2016, the Resolution of the Fourth Session of the Twelfth National People's Congress on the Outline of the Thirteenth Five-Year Plan for National Economic and Social Development clearly put forward the “critical information infrastructure protection system”, requiring that “(the State shall) establish a CII protection system and improve the design, construction and operation supervision mechanism for important information systems related to national security. (The State shall) focus on making breakthroughs in key technologies of information management, information protection, security review and fundamental support, and improve the independent support ability. (The State shall) strengthen the threat perception and continuous defense capacity building of CII's core technology and equipment. (The State shall) improve the multi-level protection system of important information systems. (The State shall) improve the linkage security mechanisms for the integration of key industries, key areas and important information systems. (The State shall) actively develop the information security industry.”
The CSL clearly stipulates the definition of CII, the protection obligations of CII operators, and the compliance obligations of CII operators relating to the purchase of network products and services, data localization and cross-border data transmission.
In July 2017, the Cyberspace Administration of China released the draft Regulations for the Security Protection of Critical Information Infrastructure (the “CII Draft”), which includes specific provisions on the scope of CII and the protection requirements for CII.
In September 2020, the Ministry of Public Security promulgated the Guiding Opinions on Implementing the Multi-Level Protection System for Cybersecurity and the Security Protection System for Critical Information Infrastructure, which stipulate that public security bodies shall guide and supervise the security protection of CII. At the same time, the competent and regulatory authorities in charge of important industries and sectors shall develop rules for the identification of CII in their own industries and file them with the Ministry of Public Security for record. Based on such identification rules, they shall organize the identification of CII in their own industries and sectors, promptly notify the relevant operators of the identification results, and report the results to the Ministry of Public Security.
Compared with the CII Draft, the CII Regulations make substantial adjustments to the supervision system, identification methods and specific obligations. These changes suggest that, with the formulation and promulgation of the DSL, the exploration of the scope of important data, and the gradual accumulation of experience in administering data and network security in different industries, it is difficult to find a clear and universally applicable standard for the identification of CII, and that the protection of specific data (such as important data) is not necessarily tied to the identification of CII. In other words, networks should be protected at different levels and data should also be protected at different levels, but the two are not necessarily related: an ordinary non-CII network operator that possesses national core data or important data is still required to comply with the stricter data protection obligations. In addition, the scope of CII should not be defined too broadly; CII can only receive enhanced protection when its scope is controllable.
II. Brief Introduction to the Key Points of the CII Regulations
1. Define CII in a conceptual manner, with the competent authorities formulating specific rules for identification
Article 2 of the CII Regulations defines CII as “important network facilities and information systems of important industries and sectors such as public communications and information services, energy, transport, water conservation, finance, public services, e-government and the science and technology industry for national defense, and other important network facilities and information systems, the damage or disability of which, or a data breach in connection with which, may severely endanger national security, the national economy, people's livelihoods and public interests.” This definition is similar to the description of key industries in Article 31 of the CSL, with only the addition of “science and technology industry for national defense”.
Articles 8 and 9 of the CII Regulations provide that the competent departments, as well as the supervision and administrative departments, of the above-mentioned important industries and sectors are the departments responsible for the security protection of CII (the “protection departments”). The protection departments will establish identification rules based on the particular situation of their industry and file them with the public security department of the State Council for record. The following factors should be considered when establishing identification rules: (1) the importance of the network facilities and information systems to the key core businesses of the industry and sector; (2) the harm that may be caused by the damage or disability of, or a data breach in connection with, the network facilities and information systems; and (3) the associated impact on other industries and sectors.
It can be seen that the CII Regulations basically adopt the same identification framework as the CSL, namely the “industry-based standard” plus the “result-based standard”. However, the CII Regulations do not explicitly require the protection departments to publicly disclose the identification rules, and only require them to file the rules with the public security department of the State Council for record.
2. Clearly require the protection departments to promptly notify operators after CII identification
Article 10 of the CII Regulations clearly stipulates that the protection departments shall be responsible for organizing the identification of CII in their own industries and sectors according to the identification rules, promptly notifying the operators of the identification results, and reporting to the public security department of the State Council.
Before the promulgation of the CII Regulations, companies could only independently assess whether they were likely to be deemed CII operators (“CIIOs”) according to the general provisions of the CSL. As the assessment standards are quite general, there may be some uncertainty in a company's self-assessment. According to Article 10 of the CII Regulations, we understand that the protection departments will inform the relevant companies of the CII identification result promptly after such identification. Therefore, after receiving notice from the protection departments, such companies can know with certainty that they have been included in the scope of CIIOs.
3. Security protection obligations of CIIOs
Based on the existing framework under the CSL and the DSL and other mechanisms such as the multi-level protection system for cybersecurity, the CII Regulations provide for the following specific responsibilities and requirements for CIIOs:
“Three synchronizations”: the security protection measures should be planned, constructed and used synchronously with the CII;
Responsibility system for principal responsible persons: the principal responsible person of a CIIO should take overall responsibility for CII security protection;
Establishment of a specialized security management department: a specialized security management department should be established, and a security background check should be performed on the person in charge of the specialized security management department and on personnel in key positions. The specialized security management department should perform duties such as establishing relevant systems, drawing up plans, carrying out assessments, formulating emergency plans, conducting regular drills, handling security incidents, organizing education and training, fulfilling the responsibility for personal information and data security protection, implementing security management for related services such as CII design, construction, operation and maintenance, and reporting cybersecurity incidents;
Guarantee of operation: the CIIO should guarantee the operating expenses of the specialized security management department, assign appropriate personnel to the department, and ensure that personnel of the specialized security management department participate in decisions relating to cybersecurity and informatization;
Annual evaluation: the CIIO should conduct cybersecurity testing and risk assessment of the CII at least once a year, either by itself or by entrusting a cybersecurity service agency, and any problems found should be promptly rectified and reported;
Incident reporting: when a major cybersecurity incident occurs, or a major cybersecurity threat arises, with respect to the CII, it should be reported to the relevant protection departments, network information departments and public security departments in accordance with the law;
Conclude confidentiality agreements and conduct security reviews when purchasing network products and services: priority should be given to secure and trustworthy network products and services at the time of purchase. When purchasing network products and services, a confidentiality agreement must be signed with the provider in accordance with the applicable regulations. If the network products and services may affect national security, a security review should also be conducted in accordance with the national cybersecurity regulations;
Reporting obligations in the event of a merger, division or dissolution: a merger, division or dissolution should be reported to the protection department in a timely manner, and the CII should be disposed of in a manner that ensures its security.
III. Impact of the CII Regulations on Companies
We believe that the promulgation of the CII Regulations sets a clear basis and regulatory framework for the protection of CII. For companies:
1. The CII identification method has become clearer and more specific;
2. For companies deemed CIIOs, the CII Regulations establish a system of a primary responsible person and clearly list the compliance obligations of CIIOs. Companies that fail to fulfill their compliance obligations, and the directly responsible persons of those companies, may bear the corresponding legal consequences;
3. For companies that have been deemed CIIOs, in addition to the requirements under the CII Regulations, such companies should also pay attention to the requirements for CIIOs found in other laws and regulations, such as the Cybersecurity Review Measures and the Cryptography Law;
4. The purchasing activities of CIIOs with network product and service providers will be subject to stricter regulation. Therefore, such providers should be more proactive in complying with the laws and regulations and increase their investment in cybersecurity and data protection, in order to demonstrate their compliance, and that they are “secure and trustworthy”, during any cybersecurity review or due diligence conducted by CIIOs.