The Regulations for the Security Protection of Critical Information Infrastructure (the “CII Regulations”) were recently promulgated and will come into effect alongside the Data Security Law (the “DSL”) on September 1, 2021.
The Cybersecurity Law (the “CSL”), which was promulgated in November 2016 and took effect on June 1, 2017, first introduced the concept of critical information infrastructure (the “CII”) and the regulatory requirements attached to it. Article 31 of the CSL prescribes that "the specific scope and security measures for critical information infrastructure shall be developed by the State Council". After the CSL took effect, a common question was how to identify CII. With the promulgation of the CII Regulations, the answer to this question is becoming clearer.
Article 25 of the National Security Law, which came into effect in July 2015, stipulates that “the State shall construct a network and information security protection system, upgrade the capacity to protect network and information security, step up the innovative research, development and application of network and information technologies and achieve the security and controllability of core network and information technologies, critical infrastructure and information systems and data in key areas; the State shall also enhance network management, prevent, stop and punish illegal and criminal network activities such as cyberattacks, cyber invasion, cyber theft and the dissemination of illegal and harmful information, so as to safeguard national sovereignty, security and development interests in cyberspace.”
In March 2016, the Resolution of the Fourth Session of the Twelfth National People's Congress on the Outline of the Thirteenth Five-Year Plan for National Economic and Social Development clearly put forward the “critical information infrastructure protection system”, requiring that “(The State shall) establish a CII protection system and improve the design, construction and operation supervision mechanism for important information systems related to national security. (The State shall) focus on making breakthroughs in key technologies of information management, information protection, security review and fundamental support, and improve the independent support ability. (The State shall) strengthen the threat perception and continuous defense capacity building of CII’s core technology and equipment. (The State shall) improve the multi-level protection system of important information systems. (The State shall) improve the linkage security mechanisms for the integration of key industries, key areas and important information systems. (The State shall) actively develop the information security industry. "
The CSL clearly stipulates the definition of CII, the protection obligations of CII operators, the compliance obligations of CII operators relating to purchasing network products and services, data localization and cross-border data transmission.
In July 2017, the Cyberspace Administration of China released the draft of the Regulations for the Security Protection of Critical Information Infrastructure (the “CII Draft”), which includes the specific provisions on the scope of CII and the protection requirements for CII.
In September 2020, the Ministry of Public Security promulgated the Guiding Opinions on Implementing the Multi-Level Protection System for Cybersecurity and the Security Protection System for Critical Information Infrastructure, which stipulates that public security bodies shall guide and supervise the security protection of CII. At the same time, competent and regulatory authorities in charge of important industries and sectors shall develop rules for the identification of CII in their own industries and file the same with the Ministry of Public Security for record. Based on such identification rules, they shall organize the identification of CII in their own industries and sectors, and promptly notify the relevant operators of the identification results and report the same to the Ministry of Public Security.
Compared with the CII Draft, the CII Regulations make significant adjustments to the supervisory system, the identification method and the specific obligations. These changes reflect lessons learned from the formulation and promulgation of the DSL, from the ongoing effort to delineate the scope of important data, and from the experience that individual industries have accumulated in administering data and network security: no clear, universally applicable standard for identifying CII has emerged, and the protection of specific categories of data (such as important data) is not necessarily tied to whether a system is identified as CII. In other words, networks are protected at different levels and data is protected at different levels, but the two classifications are not necessarily linked. Ordinary network operators that are not CIIOs but hold national core data or important data must also comply with stricter data protection obligations. In addition, the scope of CII should not be defined too broadly: enhanced protection is only feasible when the scope of CII remains manageable.
1. CII is defined conceptually, and the competent authorities formulate the specific identification rules
Article 2 of the CII Regulations defines CII as “important network facilities and information systems in important industries and sectors such as public communications and information services, energy, transport, water conservancy, finance, public services, e-government and the science and technology industry for national defense, as well as other important network facilities and information systems, the damage to or loss of function of which, or a data breach in connection with which, may severely endanger national security, the national economy, people's livelihoods and the public interest.” This definition is similar to the description of key industries in Article 31 of the CSL, with only the addition of the “science and technology industry for national defense”.
Articles 8 and 9 of the CII Regulations designate the competent departments, and the supervisory and administrative departments, of the above-mentioned important industries and sectors as the departments responsible for the security protection of CII (the “protection departments”). The protection departments establish identification rules based on the particular circumstances of their industry and file them with the public security department of the State Council for record. The following factors must be considered when establishing identification rules: (1) the importance of the network facilities and information systems to the key core business of the industry or sector; (2) the harm that may result from damage to or loss of function of the network facilities and information systems, or from a data breach in connection with them; and (3) the associated impact on other industries and sectors.
It can be seen that the CII Regulations essentially retain the identification framework of the CSL, namely an “industry-based standard” combined with a “result-based standard”. However, the CII Regulations do not explicitly require the protection departments to publicly disclose their identification rules; they only require the rules to be filed with the public security department of the State Council for record.
2. Clearly require the protection departments to promptly notify operators after CII identification
Article 10 of the CII Regulations clearly stipulates that the protection departments are responsible for organizing the identification of CII in their own industries and sectors according to the identification rules, promptly notifying the operators of the identification results, and reporting those results to the public security department of the State Council.
Before the promulgation of the CII Regulations, companies could only assess on their own whether they were likely to be deemed CII operators (“CIIOs”) under the general provisions of the CSL. Because those assessment standards are quite general, a company's self-assessment carried considerable uncertainty. Under Article 10 of the CII Regulations, we understand that the protection departments will inform the relevant companies of the CII identification result promptly after identification. Therefore, once a company receives notice from a protection department, it knows definitively that it has been included in the scope of CIIOs.
3. Security protection obligations of CIIOs
Building on the existing framework of the CSL and the DSL and on mechanisms such as the multi-level protection system for cybersecurity, the CII Regulations impose the following specific responsibilities and requirements on CIIOs:
“Three synchronizations”: security protection measures should be planned, constructed and put into use synchronously with the CII itself;
Responsibility system for principal responsible persons: the principal responsible person of a CIIO should take overall responsibility for CII security protection;
Establishment of a specialized security management department: a specialized security management department should be established, and a security background check should be performed on the person in charge of that department and on personnel in key positions. The specialized security management department is responsible for duties such as establishing relevant systems, drawing up plans, carrying out assessments, formulating emergency plans, conducting regular drills, handling security incidents, organizing education and training, fulfilling responsibilities for personal information and data security protection, implementing security management for related services such as CII design, construction, operation and maintenance, and reporting cybersecurity incidents;
Guarantee of operation: the CIIO should fund the operating expenses of the specialized security management department, staff it with appropriate personnel, and ensure that personnel of the department participate in decisions relating to cybersecurity and informatization;
Annual evaluation: the CIIO should, either itself or by engaging a cybersecurity service agency, conduct cybersecurity testing and risk assessment of the CII at least once a year, promptly rectify any problems found, and report as required;
Incident reporting: when a major cybersecurity incident occurs, or a major cybersecurity threat is discovered, with respect to the CII, it should be reported to the relevant protection departments and public security authorities in accordance with applicable rules;
Conclude confidentiality agreements and conduct security reviews when purchasing network products and services: priority should be given to secure and trustworthy network products and services. When purchasing network products and services, a security confidentiality agreement must be signed with the provider in accordance with the applicable regulations. If the network products or services may affect national security, a cybersecurity review should also be conducted in accordance with the national cybersecurity regulations;
Reporting obligations in the event of a merger, division or dissolution: a merger, division or dissolution should be reported to the protection department in a timely manner, and the CII should be disposed of as required to ensure its security.
We believe that the promulgation of the CII Regulations has set a clear basis and regulatory framework for the protection of CII. For companies:
1. The method for identifying CII has become clearer and more specific;
2. For companies deemed CIIOs, the CII Regulations establish a system of principal responsibility and clearly list the compliance obligations of CIIOs. Companies that fail to fulfil their compliance obligations, and the persons directly responsible within those companies, may bear the corresponding legal consequences;
3. Companies deemed CIIOs should, in addition to the requirements of the CII Regulations, also pay attention to requirements for CIIOs found in other laws and regulations, such as the Cybersecurity Review Measures and the Cryptography Law;
4. Purchases of network products and services by CIIOs will be subject to stricter regulation. Providers of such products and services should therefore be more proactive in complying with the applicable laws and regulations and increase their investment in cybersecurity and data protection, so that they can demonstrate their compliance, and that they are “secure and trustworthy”, during any cybersecurity review or due diligence conducted by CIIOs.