5 messages for critical information infrastructure operators in China

Draft regulations issued on the security of critical information infrastructure further strengthen cyber security protections in China.

17 July 2017

Publication

The Cyberspace Administration of China (CAC) released a draft Regulation on Security Protection for Critical Information Infrastructure (the CII Regulation) aiming to provide detailed rules on the protection of China’s critical information infrastructure (CII).  The CII Regulation, if adopted in its current form, would significantly affect companies which operate CIIs or conduct business on a CII.

This briefing summarizes the top five messages of which CII operators should be aware.

1. Level of Legislation

The CII Regulation is named a “regulation” (条例) rather than a “measure” (办法) or “rule” (规定), which means that the CII Regulation would likely be an administrative regulation enacted by the State Council (although the drafting is led by CAC).  In other words, the CII Regulation, if adopted, will be a formal source of law, binding all government agencies and courts as well as private businesses.

This suggests that:

  1. all relevant government agencies, not only CAC but also the telecoms operator, the customs office and the encryption administration, will jointly enforce the CII Regulation, and
  2. a grossly negligent breach of the CII Regulation may expose the relevant companies and the directly responsible persons to criminal liability.

2. Linkage with Other Legislations

The CII Regulation creates linkages to other regulations and measures on cyber security.  Firstly, the export of data collected on CIIs is subject to the administrative measure on data exportation; secondly, the procurement of network products and services used for CII must comply with the requirements under the Administrative Measures for Security Assessment of Network Products and Services; thirdly, the operators of CII must adopt technical and managerial measures to protect the CII according to the principles under the Measures for Network Security Protection by Levels issued by the Ministry of Public Security.

These linkages to other administrative rules require businesses involved with CIIs to look into various laws, regulations, and measures in order to understand their exposures and obligations in protecting the security of the CII which they operate.

3. Identification of CII

Although the CII Regulation contains detailed provisions defining the term CII, the scope of CII remains unclear because the definition still contains a “catch-all item” providing that networks of “other critical units” are CIIs.  The CII Regulation further sets out procedures for the government to form CII identification guidance and, subsequently, to identify CIIs accordingly.

The rules under the CII Regulation suggest that it is primarily the government’s responsibility to identify CIIs.  Businesses which may be involved in the operation or use of CIIs should monitor the further development of the CII identification guidance and assess the possibility that they will be considered CII operators.

4. Burdens on CII Operators

The CII Regulation imposes a number of obligations on CII operators for the protection of CII security.  In addition to the obligations which all network operators must perform under the Cyber Security Law, the extra cyber security requirements which CII operators must meet include:

  1. conducting security checks on, and organizing training for, staff involved in the operation of CII
  2. backing up systems routinely
  3. preparing and implementing a contingency plan
  4. conducting a risk assessment at least once a year
  5. conducting due diligence on vendors of outsourced information services
  6. obtaining maintenance services within China, unless the arrangement otherwise undergoes a security assessment by the government.

Additionally, the security assessment requirements for data export and for the procurement of network devices and services would be stricter for CII operators than for operators of other networks.

Based on these requirements, it is our view that the first and most critical step CII operators must take appears to be the adoption and implementation of IT-related policies, including risk management, disaster recovery, training, and security assessments.  Adopting and implementing these policies is the easiest and most efficient step to take.

5. Potential Liabilities

Under the CII Regulation, if a CII operator fails to perform its security obligations, not only will the operator (as a company) be held liable, but the directly responsible person may also be subject to an administrative fine of up to RMB100,000.  In serious cases, criminal liability may be incurred.

This suggests that the protection of CII is not only a matter for CII operators (as companies) but also for the directly responsible staff personally.

This document is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document. Simmons & Simmons is registered in China as a foreign law firm. We are permitted by Chinese regulations to provide information on the impact of the Chinese legal environment and also to provide a range of other services. We are not admitted to practise in China and cannot, and do not purport to, provide Chinese legal services. We are, however, able to co-ordinate with local counsel to issue a formal legal opinion should this be required.