On July 10, 2017 the Cyberspace Administration of China (CAC) issued a draft Regulation on the Protection of Critical Information Infrastructure (CII Regulation) for public comment. The comment period ends on August 10, 2017. This long-anticipated regulation, formulated pursuant to Article 31 of the Cyber Security Law of China (Cyber Security Law), is a key implementing measure for the Cyber Security Law. In this client update we outline the key features of the draft CII Regulation and highlight its implications for businesses.
Under the CII Regulation the CAC will be responsible for the planning of, and the coordination for, security protection of critical information infrastructure (CII). The Public Security Authority, the National Security Authority, the State Secrets Authority and the National Cryptography Authority of China’s State Council will be the regulatory authorities of CII in their respective capacities. The relevant departments of local people's governments at or above the county level will be responsible for carrying out the security protection work in relation to CII.
The sectoral scope of what CII encompasses under the CII Regulation is wider compared with the scope of CII under the Cyber Security Law. The following sectors have been specifically referred to in the CII Regulation:
Many sectors listed above were not mentioned in the Cyber Security Law, such as healthcare, education, environmental protection, cloud computing and big data. The expansive scope of CII under the CII Regulation could increase the chances that some businesses in China could be: (1) considered to be CII operators; and (2) subject to the stringent legal requirements for CII operators under Chinese laws.
Importantly, the CAC, the Telecommunications Authority and the Public Security Authority will jointly formulate and publish the guidelines for the identification of CII. Industrial regulators will then identify the CII in their respective sectors based on those guidelines, and will report the identification results to the relevant authorities. Industry experts will be consulted during the process.
The CII Regulation repeats the requirements of the Cyber Security Law in terms of a cyber security review of the products/services purchased by CII operators that are deemed to pose a threat to China’s national security. These products are listed in a Catalogue of Key Network Equipment and Specialised Network Security Products (First Batch), published by the CAC and other authorities on June 1, 2017 (Catalogue), and any further batches to be published. A cyber security review should be conducted based on the Measures on Security Assessment for Network Products and Services (Trial Implementation) issued by the CAC on May 2, 2017.
The CII Regulation requires CII operators to conduct security examination and testing on any outsourced systems, software and donated/gifted network products used by CII operators before they are brought online. This could potentially expand the scope of the Catalogue and render network systems and products not listed in the Catalogue subject to a cyber security review. CII operators are required to take remedial measures and to report to the competent authorities if substantial risks are identified in relation to the use of any network products/services.
The CII Regulation also requires that the operation and maintenance of CII be conducted within the territory of China. If remote maintenance is necessary for business reasons, CII operators must report this to industrial regulators and the Public Security Authority prior to undertaking remote maintenance. If the CII Regulation is issued in its current form, this localisation requirement could prohibit foreign businesses (e.g. cloud service providers) from providing services for the operation of CII because the operation must be conducted within China. However, as currently worded, this provision is not entirely clear and its implications remain to be seen.
The draft CII Regulation envisages that the CAC and the relevant departments of the State Council will jointly issue specific requirements for businesses providing the following services for CII:
It remains unclear what these requirements will be and when they will be published.
Under the CII Regulation, the responsible person of a CII operator assumes primary responsibility for the security protection of CII. A CII operator may also appoint a person responsible for the cyber security protection of CII, whose duties include the following:
The CII Regulation also introduces licensing requirements for the technical staff of key positions of cyber security of CII. The CAC and China’s Human Resources and Social Insurance Department will further issue specific rules on these licensing requirements.
The CII Regulation outlines the frameworks for the following three major systems for the security protection of CII:
The CAC will work with industrial regulators or other supervisory authorities to establish and implement these three systems for the protection of CII.
The CII Regulation provides more detail in relation to the measures that industrial regulators may take in random inspections of CII operators to assess: (1) security risks associated with CII; and (2) legal compliance by CII operators (as provided for in Article 39 of Cyber Security Law). Such inspections include the ability to:
The CII Regulation specifically notes that the storage and processing of State secret information in a CII must comply with China’s state secrets laws, and that the use and management of cryptography in a CII shall be governed by China’s cryptography laws (a draft Cryptography Law was published by the Office of the State Commercial Cryptography Administration on 13 April 2017 for public comment). In addition, regulation for the protection of military CII will be issued separately by the Central Military Commission of China.
The CII Regulation is another crucial step towards implementing the Cyber Security Law by providing further details concerning its CII-related provisions.
However, under the CII Regulation the scope of CII extends to a wide range of sectors, and the CII Regulation specifically refers to: (1) CII identification guidelines to be formulated and issued by the Chinese authorities; and (2) CII identification processes to be conducted by industrial regulators or other supervisory authorities. Deferring such detail in this way could create ambiguity and uncertainty in determining what constitutes CII. Moreover, it is unlikely that the CII Regulation and the CII-related provisions of the Cyber Security Law can actually be implemented until the CII identification process is completed.
The CII Regulation also imposes certain additional requirements for the products/services purchased by CII operators. This could have a significant impact on the service providers of CII operators. Accordingly, businesses in China are advised to review their current products, services and Chinese clients and to assess the risks of being subject to these additional obligations/requirements under the CII Regulation.
The CII Regulation remains a draft for public comment at the moment and may be subject to further amendments. We will continue to monitor the situation and provide updates on any developments.
© Norton Rose Fulbright LLP 2021