China Cybersecurity Law update: Finally, draft regulations on "Critical Information Infrastructure"

The new draft Regulations came as the fourth implementation rule (only one of which has been finalised) relating to the Cyber Security Law since the law came into effect on 1 June 2017. As discussed in Update (5), relevant authorities and ministries are expected to promulgate regulations and implementation measures within 12 months from the date the Cyber Security Law came into effect to provide proper guidance to businesses on the scope and operation of the new law. 

The draft Regulations were first put forward on the legislative agenda of the State Council in March 2016, even before the Cyber Security Law was passed (see Update (1)). The new draft Regulations are read with much interest by all who are keen to have a better understanding which system is likely to be regarded as "critical information infrastructure" under the Cyber Security Law.

What is "critical information infrastructure" (CII)?

As previously discussed, Article 31 of the Cyber Security Law provides a non-exhaustive list of selected critical industries and areas whose information infrastructure would be regarded as CII, including public communications, information services, energy, transport, water conservancy, finance, public services, and e-governance etc., and more broadly, other information infrastructure which may cause serious consequences if it suffers any damage, loss of function, or leakage of data. The specific scope of "CII" is yet to be formulated by State Council.

The new draft Regulations provide a scope in line with the Cyber Security Law but further lists out additional industries and sectors whose network facilities and information systems should be included in the scope of CII:

• industries: healthcare, education, social security and environmental protection;
• information networks: radio and television networks, and internet; service providers providing cloud computing, big data and other large public information and network services;
• scientific research and production: defence industry, large equipment industry, petrochemical industry, and food and drug industry;
• media and news: radio stations, television stations, and news services.

The draft Regulations further provide that the State Council (in conjunction with other authorities) will set up a "CII Identification Guideline" and industry supervisory authorities are required to follow this CII Identification Guideline for the purposes of identifying CII in their respective industries and sectors.

Key cyber security obligations of operators of CII

In addition to restating some of the duties and obligations of operators of CII provided under the Cyber Security Law, the draft Regulations also set out in greater detail certain specific obligations. For example:

• Key obligations of responsible officers: the key obligations of the responsible officers appointed by the operators of CII for cyber security are specified under Article 25;
• Qualification requirement: "specialist personnel in key positions" (运营者网络安全关键岗位专业技术人员) will be subject to a qualification requirement (Article 26) although details of such requirement are still unknown;
• Education and training: CII operators should provide cyber security education and training programme for general personnel for not less than 1 working day per year, and not less than 3 working days per year for the "specialist personnel in key positions" (Article 27).
• Security assessment: CII operators are required under Article 28 of the Regulations to establish a security assessment procedure for conducting security assessment before CII commences operation and when there are "significant changes" to the CII. This appears to expand on the existing obligation to conduct security review of network products and services procured by a CII operator, and is in addition to the annual audit obligation under Article 38 of the Cyber Security Law;
• Third party service providers: CII operators should conduct security testing of any network systems, software or products that are developed by third party service providers, and any network products that are donated to the CII operator, before use (Article 32);
• Maintenance of CII: the operational maintenance of CII should be conducted in China. If maintenance is required to be conducted remotely in a place outside of China for business need, operators of CII are required to first report to the relevant supervisory authorities (Article 34).

Data localisation requirement

The draft Regulations reiterate Article 31 of the Cyber Security by providing that any export of personal information or important data that is required to be stored in China may be exported outside of China for business need and subject to security assessment. The draft Regulations further provide that the security assessment will be conducted in accordance with the Measures on Security Assessment relating to Export of Personal Information and Important Data. This is consistent with the current developments as the Measures, which are currently still in draft form, are expected to be finalised shortly. For further information on the draft Measures, please refer to Update (6).

Cyber security incident monitoring and response

There are more detailed provisions relating to cyber security incident monitoring and response that support the existing requirements under the Cyber Security Law. For example, the CAC will co-ordinate with relevant supervisory authorities to establish a cyber security incident monitoring, early warning and information reporting system and establish a CII cyber security information sharing system for the purposes of sharing of "network security information" (Article 38). There are also additional details on how relevant supervisory authorities should conduct spot-checks and tests on CII operators in respect of their network security obligations (Articles 40-42).

Observations

The draft Regulations set out extensively the network security and information security obligations of CII operators, and further requires relevant supervisory authorities to work together to support and monitor compliance with the relevant requirements. They provide a better understanding of the scope and extent of the key obligations relevant to CII operators.

The separate "CII Identification Guideline" hopefully will assist businesses to assess if they are considered as CII operators. The CAC official previously acknowledged that how CII should be defined is a complex concept that needs to be carefully considered and constructed, and may also need to be regularly reviewed, particularly in light of the experience of other countries which also have the concept of CII in their law. For example, the concept of CII under the German IT Security Act was recently amended and the scope of CII sets out not only the key industries to which CII relates, but also the critical services and facility categories of each relevant specific industry. We expect a similar level of detail will be found in the "CII Identification Guideline".