On July 10, 2017, the Cyberspace Administration of China (“CAC”) released its draft regulations on security protection of key information infrastructures (“Draft Regulations”), open for public comment until August 10, 2017.


  • The Draft Regulations are applicable to the planning, construction, operation, maintenance, use and security protection of key information infrastructures (“KIIs”) in mainland China. 
  • Compared with the Cybersecurity Law, the Draft Regulations further define KIIs and include the following areas: hygiene and medical treatment, education, social security, environmental protection, broadcast and TV networks, internet, cloud computing, big data, large equipment, chemical, food and drugs, broadcasting and TV stations, and news agencies.
  • If a KII is newly built, stops operating or changes significantly, the operator must promptly report the circumstances to the regulatory authorities.
  • KII operators’ cybersecurity managers will also be in charge of:
  • formulating cybersecurity rules, regulations and operating procedures, and supervising their implementation;
  • assessing skills of staff in key positions;
  • formulating and implementing KII operators’ cybersecurity training plans;
  • organizing cybersecurity examination and emergency drills, and cybersecurity
  • events; and
  • reporting major cybersecurity matters and incidents to the corresponding state departments.


  • KIIs must be operated and maintained on mainland China. If overseas remote maintenance is required, KII operators must previously inform the competent or regulatory authorities for industries, and the state public security department.
  • KII operators must:


  • organize cybersecurity training for employees;
  • conduct security assessments of systems and software outsourced for development and donated network products, before their launch;
  • take appropriate measures to eliminate potential risks and report any material risks if any network product or service has a defect, loophole or entails any other risk. Under the Cybersecurity Law, the providers of network products or services (and not the KII operators) must fulfill this obligation.


  • Regardless of whether they qualify as KIIs under the Cybersecurity Law, operators that breach security protection obligations will face the higher penalties imposed on KII operators.
  • Date of issue: July 10, 2017. Deadline for public comment: August 10, 2017