The State Council of the People's Republic of China announced, on August 17, 2021, that it had passed the Regulation on the Security Protection of Critical Information Infrastructure (“Regulation”). The Regulation, formulated in accordance with the Cyber Security Law, is intended to ensure the security of critical information infrastructure (“CII”) and, more broadly, to maintain the cybersecurity of China, where such CIIs are located.
CII refers to critical information infrastructure and information systems that are used in public communications and information services, energy, transportation, water conservancy, finance, public services, e-government affairs, national defense technology and other important industries and sectors, as well as network infrastructure and information systems that may seriously affect national security, the national economy, people’s livelihood, or the public interests if damaged, impaired or breached.
Non-Chinese companies may experience challenges in selling network products to CII Operators (“CIIOs”). On April 27, 2020, the Cyberspace Administration of China (CAC), together with twelve other Chinese government departments, promulgated the Cybersecurity Review Measures, which set out a cybersecurity review requirement. Under the Cybersecurity Review Measures, CIIOs are required to conduct a pre-assessment/determination as to whether the network products or services to be procured present potential national security concerns. If so, CIIOs are obligated to submit an application to the government for a cybersecurity review prior to procuring such products and services, because products from non-Chinese companies could be viewed as a potential threat to a CII and to cybersecurity.
The Regulation clarifies which government departments are in charge of CII security protection. The Ministry of Public Security (MPS) will supervise CII security protection work under the general coordination of the Cyberspace Administration of China (CAC), together with the Ministry of Industry and Information Technology and other applicable departments (which may include the state security and encryption authorities), each of which has a role within its respective jurisdiction.
How to ascertain CIIs
Sectoral regulators of different industries must formulate rules to identify CIIs within their respective jurisdictions, notify operators of the identified CIIs and file records with the MPS. Factors that sectoral regulators can consider for identification include network infrastructure and information systems that are important to the sector and core businesses in the sector; the degree of harm that may be caused if network infrastructure and information systems are damaged, impaired or breached; and any potential associated impact that these breaches may have on other sectors.
The Regulation does not set out detailed standards or operating guidelines for determining which operators will be viewed as CIIOs. Detailed implementation rules will be published by the specific industry regulators on exactly who qualifies as a CIIO, how the regulators should verify the security and trustworthiness of network products during the procurement process, and how such a verification or certification process interacts with the principle of leveling the playing field between domestic and non-Chinese players under China’s new Foreign Investment Law.
Requirements for CII operators
The Regulation imposes a number of obligations on CII operators with respect to protecting the security of CII. In addition to the obligations that all network operators (CIIO or not) must perform under the Cyber Security Law, the extra cybersecurity requirements that CIIOs must meet include:
- Plan, deploy and implement security protection measures simultaneously with the CII itself;
- Establish a special security management institution and conduct security background checks on the person in charge and the key staff of such institution;
- Formulate an emergency response plan and organize regular emergency exercises;
- Report cyber security incidents and other important affairs to the authorities;
- Conduct cyber security testing and risk assessment at least once per year, rectify the security issues uncovered in the testing or assessment, and make reports in accordance with the requirements of the regulators;
- Prioritize secure and reliable network products and services in procurement; if the CIIO's procurement of network products or services may affect national security, a security review must be passed; and
- Notify the regulators in the event of merger, division or dissolution of the CIIO, and dispose of the CII in accordance with the requirements of the regulators.
Additionally, the security assessment requirements for data export and for the procurement of network devices and services are stricter for CIIOs than for operators of other networks.
Relevant punitive measures
In the event of a failure to comply with the security obligations, CIIOs may be subject to various penalties, including orders for rectification, warnings, and administrative fines of up to RMB 1 million or 10 times the price of the product or service procured. The person in charge and other directly responsible individuals may also be personally liable. The penalties prescribed by the Regulation are in addition to those set out in other laws such as the Cyber Security Law or the Criminal Law.
Considering the complex structure of CII compliance, both in terms of requirements and enforcement, CIIOs should adopt an active, or even proactive, approach to managing compliance risks. An active approach entails identifying gaps between current practices and the laws and regulations in force, for future remediation and rectification. Under this approach, compliance is treated as a separate process implemented to observe laws and regulations. In general, an active approach is considered good enough for normal compliance, although there may be a deviation between operational procedures and compliance requirements. Such a deviation, however, is easily exposed through the technical tests and assessments that form part of the compliance process.
A proactive approach means implementing effective security measures in response to all potential security threats and legal concerns, even if those measures are not explicitly stated in the laws or regulations. While more expensive and technically demanding, a proactive approach may be more effective because of its focus on potential technical and legal concerns.
Notice: the next article is about the Personal Information Protection Law, which was just published on August 20, 2021.