On 10 July 2017, the Cyberspace Administration of China (CAC) issued the draft Regulations on Protection of Critical Information Infrastructure. The public is invited to comment on the draft Regulations before 10 August 2017.
The new draft Regulations are the fourth set of implementation rules (only one of which has been finalised) issued under the Cyber Security Law since the law came into effect on 1 June 2017. As discussed in Update (5), the relevant authorities and ministries are expected to promulgate regulations and implementation measures within 12 months of that date, to give businesses proper guidance on the scope and operation of the new law.
The draft Regulations were first placed on the State Council's legislative agenda in March 2016, before the Cyber Security Law itself was passed (see Update (1)). They will be read with interest by anyone seeking a better understanding of which systems are likely to be regarded as "critical information infrastructure" under the Cyber Security Law.
What is "critical information infrastructure" (CII)?
As previously discussed, Article 31 of the Cyber Security Law gives a non-exhaustive list of industries and areas whose information infrastructure is to be regarded as CII, including public communications, information services, energy, transport, water conservancy, finance, public services and e-governance, together with a broader category of other information infrastructure whose damage, loss of function or data leakage could have serious consequences. The specific scope of CII is still to be determined by the State Council.
The new draft Regulations define a scope in line with the Cyber Security Law but further list additional industries and sectors whose network facilities and information systems should be included within the scope of CII:
The draft Regulations further provide that the State Council (in conjunction with other authorities) will draw up a "CII Identification Guideline", which the supervisory authority for each industry must follow when identifying CII in its own industry or sector.
Key cyber security obligations of operators of CII
In addition to restating some of the duties and obligations that the Cyber Security Law already imposes on operators of CII, the draft Regulations set out certain specific obligations in greater detail. For example:
Data localisation requirement
The draft Regulations reiterate Article 37 of the Cyber Security Law: personal information and important data that are required to be stored in China may be transferred outside China only where there is a genuine business need, and only after a security assessment. The draft Regulations further provide that the security assessment is to be conducted in accordance with the Measures on Security Assessment relating to Export of Personal Information and Important Data. This is consistent with current developments, as the Measures, which are still in draft form, are expected to be finalised shortly. For further information on the draft Measures, please refer to Update (6).
Cyber security incident monitoring and response
The draft Regulations contain more detailed provisions on cyber security incident monitoring and response that build on the existing requirements of the Cyber Security Law. For example, the CAC is to co-ordinate with the relevant supervisory authorities to establish a cyber security incident monitoring, early warning and information reporting system, and to establish a CII cyber security information sharing system for the sharing of "network security information" (Article 38). There are also further details on how the relevant supervisory authorities should conduct spot-checks and tests of CII operators' compliance with their network security obligations (Articles 40-42).
Observations
The draft Regulations set out the network security and information security obligations of CII operators at length, and further require the relevant supervisory authorities to work together to support and monitor compliance with those requirements. They give a better understanding of the scope and extent of the key obligations that apply to CII operators.
The separate "CII Identification Guideline" will, it is hoped, help businesses assess whether they are CII operators. CAC officials have previously acknowledged that the definition of CII is a complex concept that needs to be carefully considered and constructed, and may need to be reviewed regularly, particularly in light of the experience of other countries whose laws also use the concept of CII. For example, the concept of CII under the German IT Security Act was recently amended, and the scope of CII now specifies not only the key industries to which CII relates but also the critical services and facility categories within each industry. We expect a similar level of detail in the "CII Identification Guideline".