On 17 August 2021, the Chinese central government released the long-awaited Regulations on Critical Information Infrastructure (CII) Security Protection (CII Regulation), which took effect on 1 September 2021.
In this article, we highlight the key provisions of the CII Regulation and set out our observations on the regime.
The concept of CII was first introduced into law by the Cyber Security Law (CSL), which dedicated a section to the security protection of CII when it was enacted in November 2016. The Cyberspace Administration of China (CAC) released a draft regulation on protecting the security of CII for public consultation in July 2017, but it was not promulgated until the release of the CII Regulation. A few draft national standards on CII were released for public comment in 2017 and 2020, but none has been adopted so far.
The absence of implementing regulations has since become a major obstacle to effectively implementing the CII protection measures under the CSL. For instance, we did not see any enforcement case under the cybersecurity review regime concerning the supply chain security and data processing activities of CII operators until the CAC announced the cybersecurity review investigation of DiDi and others in July this year. Even in the DiDi case, the applicability of the cybersecurity review regulation to DiDi has been questioned, since DiDi has not been officially identified as a CII operator.
The release of the CII Regulation will provide more clarity as to how the CII protection regime will be established and enforced.
Highlights of Key Provisions
I. Scope of CII
The definition of CII under the CII Regulation is essentially the same as that under the CSL. CII is defined as the important network infrastructure and information systems, the destruction, loss of function or data leakage of which could seriously harm state security, the national economy, people’s livelihood and the public interest.
The CII Regulation highlights a few “important industries and sectors” where CII will be identified, including public communications and information services, energy, transport, hydraulic engineering, finance, public services, e-government, and the defence technology industry. The regulation falls short of specifying any sub-industries or sectors. Notably, it does not exclude any other industries, and therefore any network infrastructure or information system falling within the definition could be considered CII.
Certain industries that appeared in the 2017 draft, like environmental protection, chemical engineering, food and pharmaceutical, have been removed from the scope of important industries and sectors in the final version of CII Regulation. However, whether a particular system will be considered CII will depend on the identification process discussed below.
II. Identification of CII
For the important industries and sectors, the relevant regulators, termed the Protection Departments, will be charged with the responsibility of protecting CII in their respective industries and sectors.
In particular, the Protection Departments have the power to make rules for identifying CII and to identify CII according to such rules. In making the rules, the Protection Departments will take into account factors including:
- the importance of the network infrastructure and information systems to the key or core operation of the relevant industry or sector;
- the level of harm that would result if the network infrastructure and information systems suffered destruction, loss of function or data leakage; and
- any consequential impact on other industries or sectors.
Once the Protection Department identifies the CII, it must notify the operators and the Ministry of Public Security (MPS).
The CII Regulation gives no indication as to how the government will identify CII outside the important industries and sectors. It remains to be seen whether the CAC will release any guidance in that respect.
III. Obligations of CII Operators
The CII Regulation sets out the obligations of CII operators, under which the operators must:
i. make rules for security protection and accountability and allocate adequate resources for implementation, which specifically requires the person in charge of the operator to take primary responsibility for security of CII;
ii. establish a dedicated security management division (Security Management Division) that is appropriately financed and staffed, and carry out security background screening on the persons in charge of the division and key staff members;
iii. carry out at least one network security test and risk assessment annually and report to the competent Protection Department;
iv. report to the Protection Department and the police any major cybersecurity incident or threat, which includes disruption of overall operations, failure of major functions, leaks of national basic information (undefined in the regulation) and other important data, large-scale leaks of personal information, extensive dissemination of illegal information, and any incident resulting in a large economic loss;
v. purchase network products and services that are “secure and trustworthy” and apply for cybersecurity review if such products and services might impact national security;
vi. sign security and confidentiality agreements with network product and service providers;
vii. report to the Protection Department in the event of a merger, split or dissolution of the operator; and
viii. cooperate with any inspection by the Protection Department and other competent authorities.
The Security Management Division is obliged to:
i. establish a sound network security management and evaluation system and prepare a plan for CII security protection;
ii. improve cybersecurity protection capability and carry out cybersecurity monitoring, testing and risk assessment;
iii. prepare a contingency plan and carry out emergency drills and exercises to deal with cybersecurity incidents;
iv. identify key cybersecurity positions and carry out performance appraisals;
v. organise cybersecurity training;
vi. discharge personal information and data security protection responsibilities;
vii. manage the design, construction, operation and maintenance of CII; and
viii. report cybersecurity incidents and important issues.
Notably, the CII Regulation requires that the protection capability and measures outlined above be planned, built up and implemented simultaneously with the CII itself. One question is how the Protection Department will be able to identify CII at the planning stage, which hopefully will be clarified in the identification rules to be published.
Operators violating the CII Regulation are punishable by an order for rectification, a warning and, in serious cases, a fine of up to RMB 1 million (approx. US$154,000) on entities and up to RMB 100,000 (approx. US$15,400) on responsible personnel. Where operators fail to apply for cybersecurity review for the procurement of network products and services, the CAC may impose a fine of up to ten times the purchase amount.
V. Governing Authorities
The CAC is again given the role of coordinating the regulatory efforts, whilst the MPS is responsible for supervising and guiding the security protection of CII. Protection Departments and other government ministries will take charge of CII protection in their respective industries and sectors. Provincial-level government offices will also be responsible for the protection of CII in their respective provinces.
Apart from the above-mentioned ministries, the Ministry of State Security, the National Administration of State Secret Protection, and the State Cryptography Administration will also have the powers to inspect security protection of CII.
Under the CII Regulation, the energy and telecommunications sectors will be given priority in security protection amongst all CII, and presumably the relevant regulators will be given a leading role among the Protection Departments in implementing the regulation.
Our Observations
I. Scope of CII to be Refined
The CII Regulation fails to delineate the boundaries of the important industries and sectors, or provide a list of the Protection Departments, with all the details of scoping the CII to be set out in the identification rules to be published by the Protection Departments.
More importantly, the regulation does not shed any light on how to identify CII outside the important industries and sectors, which we hope the CAC can clarify in future regulations.
II. Silence on Cross-border Data Transfer
The CSL, the Data Security Law and the Personal Information Protection Law require CII operators to localise personal information and important data and to submit any proposed cross-border data transfer for a security assessment. Bizarrely, the CII Regulation is totally silent on this topic.
It is not clear whether this omission on data export is intentional or simply an oversight, but it is a pity that the government did not take this opportunity to give more details on the security assessment process.
III. Relation with Multi-Level Protection Scheme (MLPS)
One question that remains to be answered in the regulation is how a CII operator should deal with any overlap between the MLPS and the CII protection regime. The draft standards published on CII suggest that CII operators will need to comply with both the MLPS and the CII regime, the latter containing a higher set of evaluation and inspection criteria. Compliance with the MLPS will also become an integral part of evaluating the security protection capability of CII. This will no doubt increase the compliance burden on CII operators.
The CII Regulation will pave the way for enforcing the protection regime for CII. Companies, especially those in the important industries and sectors, should keep themselves updated on any CII identification rules published by the Protection Departments and evaluate the possibility of their network infrastructure and information systems being considered CII.