On July 10, 2017 the Cyberspace Administration of China (CAC) issued a draft Regulation on the Protection of Critical Information Infrastructure (CII Regulation) for public comment. The comment period ends on August 10, 2017. This long-anticipated regulation, formulated pursuant to Article 31 of the Cyber Security Law of China (Cyber Security Law), is a key implementing measure for the Cyber Security Law. In this client update we outline the key features of the draft CII Regulation and highlight its implications for businesses.
Regulatory Authorities of CII
Under the CII Regulation the CAC will be responsible for the planning of, and the coordination for, security protection of critical information infrastructure (CII). The Public Security Authority, the National Security Authority, the State Secrets Authority and the National Cryptography Authority of China’s State Council will be the regulatory authorities of CII in their respective capacities. The relevant departments of local people's governments at or above the county level will be responsible for carrying out the security protection works in relation to CII.
Expansive Scope of CII
The sectoral scope of CII under the CII Regulation is wider than the scope of CII under the Cyber Security Law. The following sectors are specifically referred to in the CII Regulation:
- Government agencies, energy, finance, transportation, water conservation, healthcare, education, social security, environmental protection and public utilities;
- Telecommunications networks, radio and television networks, the Internet and other information networks, cloud computing, big data and other large-scale public information network services;
- National defense science and technology, large-scale equipment, chemical, food and drugs; and
- Radio stations, television stations and news agencies.
Many sectors listed above were not mentioned in the Cyber Security Law, such as healthcare, education, environmental protection, cloud computing and big data. The expansive scope of CII under the CII Regulation could increase the chances that some businesses in China are: (1) considered to be CII operators; and (2) subject to the stringent legal requirements for CII operators under Chinese laws.
Importantly, the CAC, the Telecommunications Authority and the Public Security Authority will jointly formulate and publish the guidelines for the identification of CII. Industrial regulators will then identify the CII in their respective sectors based on those guidelines, and will report the identification results to the relevant authorities. Industry experts will be consulted during the process.
Additional Requirements for Products/Services Purchased by CII Operators
The CII Regulation repeats the requirements of the Cyber Security Law in terms of a cyber security review of the products/services purchased by CII operators that are deemed to pose a threat to China’s national security. These products are listed in a Catalogue of Key Network Equipment and Specialised Network Security Products (First Batch), published by the CAC and other authorities on June 1, 2017 (Catalogue), and any further batches to be published. A cyber security review should be conducted based on the Measures on Security Assessment for Network Products and Services (Trial Implementation) issued by the CAC on May 2, 2017.
The CII Regulation requires CII operators to conduct security examination and testing on any outsourced systems, software and donated/gifted network products used by CII operators prior to their online applications. This could potentially expand the scope of the Catalogue and render network systems and products not listed in the Catalogue subject to a cyber security review. CII operators are required to take remedial measures and to report to the competent authorities if substantial risks are identified in relation to the use of any network products/services.
The CII Regulation also requires that the operation and maintenance of CII be conducted within the territory of China. If remote maintenance is necessary for business reasons, CII operators must report this to industrial regulators and the Public Security Authority prior to undertaking remote maintenance. If the CII Regulation is issued in its current form, this localisation requirement could prohibit foreign businesses (e.g. cloud service providers) from providing services for the operation of CII because the operation must be conducted within China. However, as currently worded, this provision is not entirely clear and its implications remain to be seen.
The draft CII Regulation envisages that the CAC and the relevant departments of the State Council will jointly issue specific requirements for businesses providing the following services for CII:
- Cyber security examination, testing and assessment;
- Release of cyber security threat information, including system vulnerabilities, computer viruses and cyberattacks; and
- Cloud computing services and information technology outsourcing services.
It remains unclear what these requirements will be and when they will be published.
Persons Responsible for Cyber Security Protection of CII
Under the CII Regulation, the responsible person of a CII operator assumes primary responsibility for the security protection of CII. A CII operator may also appoint a person responsible for the cyber security protection of CII, whose duties include the following:
- Organize the formulation of cyber security rules and systems and operational procedures, and supervise the implementation of the same;
- Organize the skills assessment of the personnel of key positions;
- Organize the formulation and implementation of cyber security education and training programs;
- Organize cyber security inspections and emergency drills, and handle cyber security incidents; and
- Report important cyber security matters and events to the relevant authorities.
The CII Regulation also introduces licensing requirements for the technical staff of key positions of cyber security of CII. The CAC and China’s Human Resources and Social Insurance Department will further issue specific rules on these licensing requirements.
Frameworks of Monitoring, Emergency Response and Examination of CII
The CII Regulation outlines the frameworks for the following three major systems for the security protection of CII:
- Monitoring, early warning and information sharing;
- Emergency response and disposal; and
- Examination, testing and assessment.
The CAC will work with industrial regulators or other supervisory authorities to establish and implement these three systems for the protection of CII.
The CII Regulation provides more detail in relation to the measures that industrial regulators may take in random inspections of CII operators to assess: (1) security risks associated with CII; and (2) legal compliance by CII operators (as provided for in Article 39 of Cyber Security Law). Such inspections include the ability to:
- Request that the relevant personnel of CII operators provide explanations;
- Review, obtain, and copy documentation and records in relation to cyber security protection;
- Examine the formulation and implementation of cyber security management systems and the planning, construction and operation of cyber security technical measures of CII;
- Utilise inspection tools or authorise cyber security service providers to conduct technical inspections; and
- Conduct other necessary measures as agreed with CII operators.
Compliance with State Secrets and Cryptography Regulations
The CII Regulation specifically notes that the storage and processing of State secret information in a CII must comply with China’s state secrets laws, and that the use and management of cryptography in a CII shall be governed by China’s cryptography laws (a draft Cryptography Law was published by the Office of the State Commercial Cryptography Administration on 13 April 2017 for public comment). In addition, regulation for the protection of military CII will be issued separately by the Central Military Commission of China.
The CII Regulation is another crucial step towards implementing the Cyber Security Law by providing further details concerning its CII-related provisions.
However, under the CII Regulation the scope of CII extends to a wide range of sectors, and the CII Regulation specifically refers to: (1) CII identification guidelines to be formulated and issued by the Chinese authorities; and (2) CII identification processes to be conducted by industrial regulators or other supervisory authorities. Leaving such detail to be settled later could create ambiguity and uncertainty in determining what constitutes CII. Moreover, it is unlikely that the CII Regulation and the CII-related provisions of the Cyber Security Law can actually be implemented until the CII identification process is completed.
The CII Regulation also imposes certain additional requirements for the products/services purchased by CII operators. This could have a significant impact on the service providers of CII operators. Accordingly, businesses in China are advised to review their current products, services and Chinese clients and to assess the risks of being subject to these additional obligations/requirements under the CII Regulation.
The CII Regulation remains a draft for public comment at the moment and may be subject to further amendments. We will continue to monitor the situation and provide updates on any developments.