China’s State Council on August 17 released the Critical Information Infrastructure Security Protection Regulations (“Regulations”), effective September 1. The Regulations are a key administrative regulation implementing the 2016 Cybersecurity Law (“CSL”), which provides that critical information infrastructure (“CII”) shall be given priority protection against cybersecurity risks and threats originating at home and abroad (Article 5). Finalized from a 2017 draft, the Regulations clarify the definition of CII, the authorities in charge of CII security protection, the procedure for determining CII, the obligations of a CII Operator (“CIIO”), support and promotion measures for CII security, and legal liability.
The Regulations clarify the definition of CII, largely following the description in the CSL, to cover the following industries and sectors (Article 2):
- Public communications and information services
- Energy
- Transportation
- Water conservancy
- Finance
- Public services
- E-government
- Defense science and technology industry
- Other important network facilities and information systems that, once damaged, disabled, or subject to data leakage, may seriously endanger national security, the national economy, people’s livelihood, or the public interest
Compared with the CII definition in the CSL, the only sector specifically added in the Regulations is the defense science and technology industry.
The Regulations also clarify which government departments are in charge of CII security protection. The Ministry of Public Security (MPS) supervises and guides CII security protection work under the overall coordination of the Cyberspace Administration of China (CAC), together with the Ministry of Industry and Information Technology and other relevant departments, each acting within its own jurisdiction (Article 3). The state security and cryptography authorities also have roles within their respective remits (Article 28).
Industry regulators designated as CII security protection work departments will formulate the rules for determining CII, organize the determination of CII within their respective industries and sectors, notify CIIOs of the results, and report those results to the MPS (Articles 8 – 10).
The CIIO bears primary responsibility for the security protection of its own CII (Article 4). Its obligations include, among others:
- Promptly reporting to the CII security protection work department any major change to the CII that may affect the result of the CII determination (Article 11);
- Establishing a dedicated security management body (Article 14);
- Conducting cybersecurity testing and risk assessment at least once a year, either itself or through a third-party cybersecurity service organization, promptly remediating any security issues identified, and reporting to the CII security protection work department as required (Article 17);
- Reporting major cybersecurity incidents, or the discovery of major cybersecurity threats, to the CII security protection work department and the public security authority (Article 18);
- Giving priority to purchasing “secure and trusted” network products and services, and conducting a security review where the network products or services may affect national security (Article 19);
- Entering into security and confidentiality agreements with network product and service providers (Article 20);
- Promptly reporting to the CII security protection work department in the event of a merger, division or dissolution, and disposing of the CII as required by that department so as to ensure security (Article 21).
A CIIO may be fined RMB 100,000 to 1 million if it refuses to take corrective action or if its conduct results in harm to cybersecurity, with a further fine of RMB 10,000 to 100,000 on the directly responsible supervisor, in any of the following cases, among others (Article 39):
- Failure to report to the CII security protection work department a major change to the CII that may affect the result of the CII determination;
- Failure to conduct cybersecurity testing and risk assessment at least once a year, to remediate identified security issues, or to report to the CII security protection work department;
- Failure to enter into a security and confidentiality agreement with network product and service providers as required by the relevant regulations;
- Failure to promptly report to the CII security protection work department in the event of a merger, division or dissolution, or to dispose of the CII as required by that department.
A CIIO that fails to conduct the required security review when purchasing network products and services that may affect national security faces a fine of one to ten times the purchase price, with a further fine of RMB 10,000 to 100,000 on the directly responsible supervisor or other directly liable individual (Article 41).
Foreign companies may face challenges selling network products to CIIOs, since such products must be “secure and trusted” under the Regulations. This is largely consistent with the cybersecurity review requirement set out in the Cybersecurity Review Measures promulgated on April 27, 2020 by twelve Chinese government departments led by the CAC. Under the Cybersecurity Review Measures, a CIIO must first assess whether the network products or services it intends to procure present potential national security concerns. If so, the CIIO must apply to the government for a cybersecurity review before procuring those products and services. The review requirement will likely lead CIIOs to prefer domestic products over foreign ones.
The Regulations do not set out detailed standards or operating guidelines for determining who will be treated as a CIIO. Detailed implementation rules from the individual industry regulators will need to clarify exactly which entities are CIIOs, how they should verify the security and trustworthiness of network products during procurement, and how that verification or certification process interacts with the level-playing-field principle between domestic and foreign players under China’s new Foreign Investment Law.