Draft Regulation Expands Critical Information Infrastructure Definition and Requirements

Another draft rule, “Regulation on the Security Protection of Critical Information Infrastructure” (Draft Regulation), was released for public comments on July 10, 2017, by the Cyberspace Administration of China (CAC). The submission deadline for comments is August 10, 2017. The Draft Regulation is one of a series of new implementation and explanation rules for the Cybersecurity Law of China which took effect about two months ago.

The Cybersecurity Law introduced the concept of Critical Information Infrastructure (CII) and devoted its Section 2 of Chapter III to outlining the responsibilities and obligations of network operators to ensure CII operation security. The Draft Regulation has expanded the definition of CII and imposed additional obligations and requirements on CII operators.

Definition of CII

The Cybersecurity Law defines CII as (i) certain industry sectors including telecommunications, energy, transportation, water resources, finance, public utilities and e-government, and (ii) a catch-all category of “other infrastructures in the event of the occurrence of any damages, loss of function, or any data leakage that may seriously endanger the national security, the national welfare, the livelihoods of the people, or the public benefits.” Based on the above definition, several issues need to be clarified: (a) whether all players in the shortlisted industry sectors will be viewed as CII operators, or if they need to reach certain operation scale or scale of data controlled/processed, (b) whether all IT systems or components thereof used by such operators will constitute CII, and (c) how to determine whether an entity and its system falls in the “catch-all” category of such definition.

The Draft Regulation does not provide the answers to all of the above questions. Instead, it has modified the definition of CII under Cybersecurity Law and expanded the shortlisted industry sectors to a broader coverage including the entities in five groups listed below. The reason for listing such entities is that if the network facilities and information systems operated and managed by such entities were destroyed or became malfunctioned, the consequences would seriously endanger the national security, as well as public welfare and benefits, based on the Draft Regulation.

1. Governmental agencies, and the entities in the sectors of energy, finance, transportation, water resources, health care, education, social insurance, environmental protection, public utilities and others.
2. Information network operators for telecommunications, broadcasting and internet networks, as well as services providers of cloud computing, big data and other large-scale public information network services.
3. Entities conducting scientific research and manufacturing in the areas of national defense science and technology, large-scale equipment, chemical industry, food and drugs, and others.
4. Media entities including radio stations, TV stations, news agencies and others.
5. Other critical entities.

The Draft Regulation states that CAC will work with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS) to promulgate guidelines on how to identify CII and the ministries in charge of each specific industry will apply such guidelines and make the final identification in their respective industry sectors. Even though such guidelines have not been launched yet, some practitioners are looking at an earlier guideline for reference which was issued by CAC in June 2016, named “National Network Security Inspection Operating Guideline,” a non-binding guideline issued to aid a top-down official effort to identify CII. This guideline was more likely to have served as the underlying rationale for the Cybersecurity Law issued later in the same year. 

Compliance Requirements on CII Operators

The Draft Regulation reaffirmed certain obligations imposed on CII operators by Cybersecurity Law, including those set forth in Article 21 and Article 34 of the Cybersecurity Law, which requires the CII operators to:

• Formulate internal safety management and operating codes, tighten control on authorization and access.
• Adopt technical safeguards to prevent virus, cyberattacks and cyber intrusions.
• Adopt technical measures to monitor and record the network operating status; breach incidents and the records shall be kept for at least six months.
• Conduct data categorizing, disaster recovery backup of important data and encryption.
• Designate a dedicated cybersecurity management officer and personnel, who shall be subject to background checks before being appointed to such positions.
• Conduct cybersecurity education, training and tests on involved personnel.
• Conduct drills for handling cybersecurity breach incidents.
• Conduct assessments on robustness of cybersecurity and potential risks at least once a year and report such assessment results to the regulators.

Other guidelines set forth in the Draft Regulation include requirements that:

• Purchase and use of “critical network products” or “specialized network security products” shall be subject to certain mandatory certification requirements.
• Purchase of network products and services that may affect national security shall be subject to a “security review.”
• Personal information and important data collected and generated within the People’s Republic of China shall be stored locally. With regard to cross-border transfer because of business necessity, a security assessment shall be conducted based on the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data.

The Draft Regulation has imposed additional obligations and responsibilities as follows: 

• Technical personnel in key cybersecurity positions are required to hold relevant professional qualification certificates (testing and qualification requirements are to be formulated by CAC working in conjunction with the Labor and Human Resource Administration).
• Employees are to be given a specified minimum amount of cybersecurity training: one working day per person per year for general employees and three working days per person per year for key positions.
• Systems, software and other network products developed by third parties as outsourced vendors or gifted to CII operators shall be tested on security before launched online.
• Operation and maintenance of CII shall be conducted within China; where it is necessary to perform maintenance abroad, CII operators shall report to the state industry regulators or MPS in advance.
• Vendors offering security assessment to CII operators, or sending alerts on bugs, virus or cyberattacks, or providing cloud computing or other IT services, will be subject to further regulatory rules to be formulated by CAC and other regulators.
• The principal of a CII operator may be held personally liable for breaches of the various obligations imposed under CII.

Even though the specifics of CII can only be fully identified after further guidelines to be issued, it is advisable for industry players in the listed sectors to understand the compliance requirements listed above. Please take a note that the expanded definition of CII by the Draft Regulation includes the involved government agencies as part of the Critical Information Infrastructure. Those companies which sell their products to government agencies may need to pay close attention to the above listed obligations and requirements. The CII related industry players may take reasonable precaution to prepare for future compliance and implementations.