m88 sport betting app Cyberspace Administration of China (“CAC”) released a draft of Regulations on Security Protection of Critical Information Infrastructures (m88 sport betting app “Draft”) on July 11, 2017 allowing for one month of public comment to be offered.

m88 sport betting app Cybersecurity Law of m88 sport betting app People’s Republic of China (m88 sport betting app “CSL”) was first to adopt m88 sport betting app concept of critical information infrastructure (“CII”). According to Article 31 of m88 sport betting app CSL, m88 sport betting app concrete scope of CII and security protection rules shall be formulated by m88 sport betting app State Council. In m88 sport betting app 2016 Legislative Work Plan of m88 sport betting app State Council, CAC is designated to draft such regulations. m88 sport betting app market has long been anticipating m88 sport betting app Draft, and expect it to clarify various issues relating to CII, as one of m88 sport betting app most critical issues under m88 sport betting app CSL. m88 sport betting app Draft incorporates comprehensive requirements and regulations in areas like government coordination and precaution mechanism. Below we only summarize those specific areas which are more closely related to companies’ compliance obligations.

I. Refining m88 sport betting app scope of CII

CII is briefly defined in CSL in Article 31 which provides “m88 sport betting app State shall carry out important protection of m88 sport betting app important industries and fields, such as public communication and information service, energy, transportation, irrigation, finance, public services and e-government affairs, and m88 sport betting app key information infrastructures that may endanger national security, people’s livelihood and m88 sport betting app public interest in case of damage, function loss or data leakage on m88 sport betting app basis of classified protection system for network security. m88 sport betting app specific scope of CII and security protection measures shall be formulated by m88 sport betting app State Council”. This definition creates two basic criteria in determining a CII: industrial criteria and consequence criteria.

Article 18 of m88 sport betting app Draft furm88 sport betting appr elaborates m88 sport betting app criteria of m88 sport betting app CSL furm88 sport betting appr and adds certain new industries into m88 sport betting app industrial criteria: “m88 sport betting app network facilities and information systems operated or managed by m88 sport betting app following entities, that may endanger national security, people’s livelihood and public interest in case of damage, function loss or data leakage, shall be included into m88 sport betting app scope of CII:

1.Government organs, and entities in m88 sport betting app industries or fields of energy, finance, transportation, irrigation, healthcare, education, social security, environment protection, public utilities and so forth;

2.Information networks such as telecommunications networks, radio and television networks, and m88 sport betting app Internet; and entities providing cloud computing, big data, and om88 sport betting appr public information network services on a large scale;

3.Scientific research and manufacturing entities in sectors such as national defense and science industry, heavy equipment industry, chemical industry, and food and pharmaceutical industry;

4.News report entities such as radio stations, television stations and news agencies; and

5. Om88 sport betting appr key entities.”

Firstly, m88 sport betting app Draft incorporates in m88 sport betting app scope of CII industries such as “national defense and science industry, heavy equipment industry, chemistry industry, food and pharmaceutical industry” and etc. which was not enumerated under m88 sport betting app CSL.

Secondly, m88 sport betting app Draft refines industries such as “public telecommunications and information services”, “public services” in m88 sport betting app CSL. For example, “public services” is furm88 sport betting appr refined as “healthcare, education, social security, environment protection, public utilities”; “public telecommunications and information services” is refined as entities in “telecommunications networks, radio and television networks, Internet, and entities providing cloud computing, big data, and om88 sport betting appr public information network services on large scales, radio stations, television stations and news agencies”.

According to Article 19 of m88 sport betting app Draft, m88 sport betting app national cyberspace administration departments, in conjunction with m88 sport betting app competent departments for telecommunications and m88 sport betting app public security departments, will formulate guidelines for m88 sport betting app identification of CII. In practice, although m88 sport betting app provisions in m88 sport betting app Draft related to m88 sport betting app CSL have offered furm88 sport betting appr refinement, m88 sport betting app specific scope and standards for determining whem88 sport betting appr specific facilities would fall into m88 sport betting app scope of CII are probably yet subject to identification guidelines to be formulated. m88 sport betting app relatively general provisions in m88 sport betting app Draft retain to certain extent flexibility for subsequent changes in law enforcement and practice.

II. Reinstating m88 sport betting app obligations of CII Operators in Security Protection

Article 31 of m88 sport betting app CSL and Article 6 of m88 sport betting app Draft both stipulate that m88 sport betting app State shall carry out focused protection of CII on m88 sport betting app basis of classified protection systems for network security. Operators of CII (m88 sport betting app “Operators”) also belong to network operators, m88 sport betting appy should m88 sport betting apprefore at m88 sport betting app same time observe m88 sport betting app security protection requirements imposed on network operators and m88 sport betting app Operators in m88 sport betting app CSL.

Chapter IV of m88 sport betting app Draft repeats m88 sport betting app respective provisions in m88 sport betting app CSL, which includes requiring m88 sport betting app Operators to:

1.formulate internal security management systems and operating procedures, and strictly enforce identity aum88 sport betting appntication and authority management;

2.employ technical measures to prevent acts endangering network security, and monitor and record network operation status;

3.adopt measures such as data classification, backing up important data, and encryption aum88 sport betting appntication;

4.set up specific network security administration and personnel responsible for network security management;

5.periodically conduct network security education, technical training and skills evaluations for employees;

6.formulate emergency plans for network security incidents and conduct drills regularly;

7.conduct testing and assessment of security of CII at least once per year;

8.store personal information and important data within m88 sport betting app territory of China.

Compared to m88 sport betting app CSL, m88 sport betting app Draft specifies more detailed requirements, such as, m88 sport betting app Operators’ technical specialist should have obtained certain qualification before taking a position (specific details about m88 sport betting app qualification have not been released), education and training for employees should last at least one working day per person each year, and last at least three working days each year for professional technical personnel in key positions, m88 sport betting app Operators shall conduct security tests and assessments before CII goes live or when major changes are made.

III. Strengm88 sport betting appning m88 sport betting app inspecting and reporting obligations for network products and purchase of services

In m88 sport betting app aspects of network products and security services, m88 sport betting app Draft reinstates a number of requirements in m88 sport betting app CSL, which include: network products and services shall meet m88 sport betting app mandatory requirements of national law; m88 sport betting app purchase of network products or services by operators, which might affect m88 sport betting app national security, shall pass m88 sport betting app security review and m88 sport betting app Operators shall sign a security confidentiality agreement with m88 sport betting app provider.

m88 sport betting app Draft furm88 sport betting appr requires that Operators shall conduct security testing of systems and software developed by third parties, and of donated network products, before using m88 sport betting appm online (Article 32); Where operators find that network products or services m88 sport betting appy employ pose risks such as security defects or vulnerabilities, m88 sport betting appy shall promptly adopt measures to eliminate m88 sport betting app threat, and where major risks are involved, m88 sport betting appy shall report it to m88 sport betting app relevant departments in accordance with m88 sport betting app provisions (Article 33).

m88 sport betting app Draft specifically points out that m88 sport betting app operation and maintenance of CII shall be carried out within m88 sport betting app territory of China. Where it is truly necessary to carry out remote overseas maintenance due to business needs, this should be reported to m88 sport betting app state departments for administration or supervision of m88 sport betting app industry and m88 sport betting app public security department under m88 sport betting app State Council (Article 34). Compared to Article 37 of m88 sport betting app CSL, which states that personal information and important data collected and generated by m88 sport betting app Operators during m88 sport betting appir activities within m88 sport betting app territory of m88 sport betting app PRC shall be stored within m88 sport betting app territory, m88 sport betting app requirement of m88 sport betting app operation and maintenance of CII in m88 sport betting app perspective of data access is more stringent in m88 sport betting app Draft.

IV. Furm88 sport betting appr clarification for m88 sport betting app performance of regulatory responsibilities

m88 sport betting app Draft stipulates that m88 sport betting app national cyberspace administration department is responsible for coordinating m88 sport betting app protection of CII. m88 sport betting app national industry administrative or regulatory departments are responsible for instructing and supervising m88 sport betting app industry’s security protection of CII.

m88 sport betting app Draft also demands that m88 sport betting app supervisory authority should conduct supervision on m88 sport betting app CII, ranging from monitoring, warning, taking precautionary steps and drills, to testing and conducting safety assessments and so on.

V. Our Observation

m88 sport betting app Draft has expanded and refined on m88 sport betting app scope and safety protection measures of m88 sport betting app CII in m88 sport betting app CSL to certain extent. As an administrative regulation, it remains relatively flexible leaving room for interpretation and enforcement by regulators. We also expect a series of detailed rules and standards are to be formulated to address all m88 sport betting app issues related in practice to m88 sport betting app identification of CII and m88 sport betting app specific details of various aspects in security protection measures, procurement and reporting.