On June 10, 2017, the Cyberspace Administration of China (the “CAC”) released the Draft Regulations on the Security Protection of Critical Information Infrastructure (the “Draft Regulations” 《关键信息基础设施安全保护条例(征求意见稿)》). The CAC is seeking public comments with a deadline of August 10, 2017. The final version will likely be announced soon after that date.
Since the promulgation of the Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”) on November 7, 2016, the CAC has released a series of supporting regulations for implementing the Cybersecurity Law, such as the Draft Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (April 11, 2017), Regulations on Internet-based News Information Services (May 2, 2017) and Measures on Security Examination for Online Products and Services (May 2, 2017).
The most important feature of the Cybersecurity Law is the concept of Critical Information Infrastructure (“CII”). The Draft Regulations are intended to establish a very rigorous system for the protection, supervision and administration of CII.
The Draft Regulations are applicable to the planning, construction, operation, maintenance, and use of CII as well as the security protection of CII.
Expanded Scope of CII Operators
Compared with the Cybersecurity Law, the Draft Regulations have expanded the scope of CII to the following new fields: health care, education, social insurance, environmental protection, cloud computing, big data, national defense, large equipment manufacturing, chemical industry, and food and drug.
Below is the detailed list of CII operators under the Draft Regulations:
1. Government agencies and all types of entities in the energy, finance, transportation, water conservation, health care, education, social insurance, environmental protection, and public utilities sectors;
2. Information networks, such as telecommunication networks, radio and television networks and the internet, and entities providing cloud computing, big data, and other large-scale public information network services;
3. Research and manufacturing entities in sectors such as science and technology for national defense, large equipment manufacturing, the chemical industry, and food and drug;
4. Press units such as radio stations, television stations and news agencies; and
5. Other key entities.
Identification of CII
Not all of the network facilities and information systems operated and administered by the above CII operators will be recognized as CII. An information infrastructure would be considered CII if its damage, dysfunction, or data leakage may severely jeopardize national security, people's livelihood, or the public interest.
While entities in the listed fields will undoubtedly be subject to the administration of the Draft Regulations, the CAC retains the authority to identify “other key entities” under the above list as CII operators.
According to the Draft Regulations, the CAC will coordinate with the Ministry of Industry and Information Technology and the Ministry of Public Security to formulate a guideline for identifying CII. Upon the release of such identification guideline, each ministry in charge of a specific industry can then identify CII in its own industry.
Graded Administration System
Under the Draft Regulations, the CAC will be the main administrator in supervising the regulations on CIIs, and other relevant authorities or regulators will bear corresponding duties. Specifically,
1. The CAC is responsible for coordinating the security protection of CII and related supervision and administration;
2. The public security, national security, State secrecy administration, and State encryption administration authorities are in charge of relevant cybersecurity protection, supervision, and administration within the scope of their respective duties;
3. Relevant departments of people’s governments at or above county level must conduct security protection activities for CII according to relevant provisions of the State; and
4. Industrial authorities or regulators must establish and improve the cybersecurity monitoring and warning system for CIIs of the industry.
CII Data Localization and CII Maintenance Localization
The Draft Regulations reaffirm the CII data localization requirements under the Cybersecurity Law; personal information and important data collected and generated by a CII operator within the territory of China must be stored within China. If it is truly necessary to provide such personal information or important data outbound, the operator must undergo a national security evaluation for outbound transfer.
Furthermore, the Draft Regulations require maintenance for CIIs to be conducted within the territory of China. If remote maintenance from overseas is truly necessary, a CII operator must report to the industrial authority or regulator and the public security authority in advance.
The maintenance localization requirements may have a huge impact on multi-national corporations that are recognized as CII operators. Globally synchronized maintenance of network facilities for such multi-national corporations may be difficult to achieve in the future, and these CII operators will have to fulfill their reporting obligations under the Draft Regulations.
Procurement and Outsourcing of CII Products and Services
Vendors of CII network equipment and special cybersecurity products will be affected by the Draft Regulations as well. If a network product or service procured by a CII operator may impact national security, such network product or service must pass a cybersecurity review according to the Measures on Security Examination for Online Products and Services. The CII operator must also execute a security and confidentiality agreement with the vendor.
Joint Liabilities for CII Operators and Their Employees in Charge
The Draft Regulations adopt a dual obligation system for the CII operators. Both the CII entities and their relevant employees in charge will bear CII security protection obligations. Below are such obligations of an employee in charge of a CII operator under the Draft Regulations:
1. The person in charge of a CII operator is the person primarily responsible for the operator's security protection of CII;
2. A CII operator must have a person in charge of cybersecurity; and
3. Technical professionals at key cybersecurity positions of a CII operator must hold related professional certificates (detailed rules for position certification will be developed by the CAC and human resources and social security authority of the State).
Observation
The Chinese government intends to use the Draft Regulations, along with the Cybersecurity Law and other supporting regulations, to build a strict regulatory system for CII and CII operators. Entities that fall within the list of CII operators must be in compliance with the Draft Regulations when they take effect. It would be advisable to start building compliance mechanisms now, such as data localization, vendor screening, and personnel responsibility. Entities that may be designated as CII operators should conduct a self-evaluation of how their business operations may relate to CII supervision before the final promulgation of the CII identification guideline.
Additionally, CII operators that require overseas remote maintenance of network facilities and information systems may prepare either for the option of local maintenance or for the reporting mechanism required by the Draft Regulations.