The Draft Regulation is mainly formulated to implement the cybersecurity multi-level protection (“MLP”) system provided in the PRC Cybersecurity Law. It applies to the establishment, operation, maintenance and use of networks within China. The MPS and its local branches will be the main government authorities administrating MLP related work.
According to the degree of importance of the network to:
- national security
- economic development
- society and
- the impact and damage that the network’s destruction, loss of function, or data corruption, disclosure, loss, or damage can have on national security, social order, public interests and any related citizens
the security protection of networks will be divided into five levels, with Level 5 enjoying the most significant security protection.
A network operator shall decide on the security protection level of its network. Where necessary, it shall engage experts or professional institutions for advice. If the security protection level of a network is expected to be decided as Level 2 or higher, the operator shall obtain the approval of the relevant business supervisory authority, and file a recordal with the local MPS.
The Draft Regulation provides a series of security protection obligations for network operators, covering both technical and organisational aspects. In particular, the Draft Regulation re-emphasises the importance of personal data protection, and makes it clear that a network operator shall report a security incident to the local MPS within 24 hours. For the operator of a network with a security protection level of Level 3 or higher, there are additional obligations. For example, the key components of the network must be tested by professional institutions; and network products and services that might affect national security must pass security examinations organised by the relevant government authorities.
The Draft Regulation also sets out requirements regarding the operation and use of networks involved in state secrets. In addition, it also provides requirements governing the use of encryption products in networks. For example, a network with a security protection level of Level 3 or higher must use encryption products and services approved by the national encryption administrative authorities.
The public will have until 27 July 2018 to submit their opinions and comments. Please click here for the full text (Chinese only) of the Draft Regulation.