Following China's Cybersecurity Law (CSL), which came into effect on June 1, 2017 and requires, under article 21, the implementation of a multi-level protection scheme for cybersecurity, China's Ministry of Public Security (MPS) issued a draft Regulation on the Cybersecurity Multi-Level Protection Scheme (MLPS) for public comment in June of this year. Its stated purpose is to clarify and detail the regulatory requirements of the multi-level protection scheme established under article 21 of the CSL.

The draft MLPS updates the existing MLPS, whose core legal basis is the Administrative Measures for Multi-Level Protection of Information Security implemented in 2007, and broadens its scope, requiring, among other things, that "network operators" comply with cybersecurity requirements based on the risk level assigned to their networks. Because network operators, broadly defined in the CSL as "owners and administrators of networks and network service providers," could in practice cover any entity operating a computer network in China, including intranets, the draft will, once finalized, present another compliance challenge for multinational corporations.

  • How are the classifications defined?

The draft MLPS classifies networks operating in China into five levels (from least to most critical) according to the harm that a compromise of the network would cause to national security, social order, the public interest, and the lawful rights and interests of individuals. The classification provided under the draft MLPS is as follows:

Classification: if a network at this level is attacked or damaged, it would cause:

Level 1

- General damage to the legitimate rights and interests of individuals, legal persons and other organizations only.

Level 2

- Significant damage to the legitimate rights and interests of individuals, legal persons and other organizations; or

- general damage to social order and the public interest.

Level 3

- Severe damage to the legitimate rights and interests of individuals, legal persons and other organizations;

- significant damage to social order and the public interest; or

- general damage to national security.

Level 4

- Severe damage to social order and the public interest; or

- significant damage to national security.

Level 5

- Severe damage to national security.

It is worth noting that:

  • Terms such as "national security," and what damage counts as "significant" or "severe," are not defined in the draft MLPS. Further guidance on how to assess the impact level of a network is expected from Information Security Technology – Guidelines for Grading of Cybersecurity Multi-level Protection (the Grading Standard), a national standard of which the National Information Security Standardization Technical Committee issued a draft for public comment on January 19, 2018. In particular, the draft Grading Standard indicates that "critical information infrastructure," as defined under the CSL, shall be classified no lower than Level 3.
  • Networks whose compromise could cause severe damage to the legitimate rights and interests of individuals, legal persons and other organizations are classified as Level 2 under the existing MLPS, but would instead be classified as Level 3 under the draft MLPS, as shown in the table above. Once the draft MLPS becomes effective and binding, networks operated by multinational corporations (which typically process far more personal and business information and data) could more readily be classified as Level 3 and thus become subject to additional legal obligations and stricter supervision.
  • How can the classification be determined?

Pursuant to the draft MLPS, the network operator will be required to carry out a self-assessment during the network design phase and propose a classification on that basis. For a classification at Level 2 or above, review by experts and (where applicable) the competent industry authorities, together with a filing with the local public security organ (the local counterpart of the MPS), are also required. The local public security organ shall issue the MLPS filing certificate within 10 business days of submission if all legal requirements are met. The detailed filing procedures will be further formulated and released by the MPS.

  • What are the cybersecurity protection obligations?

Routine obligations at all levels

Under article 20 of the draft MLPS, all network operators must comply with routine cybersecurity protection obligations, which include in particular:

  • Designating the person responsible for MLPS work, establishing a system of responsibility for that work, and implementing an accountability mechanism
  • Implementing management systems for computer-room security, equipment and media security, and network security, and formulating operating specifications and workflows
  • Implementing management and technical measures to monitor and record network operating status, cybersecurity incidents, and illegal and criminal activities, and retaining, as prescribed, network logs that allow such activities to be traced for at least six months
  • Classifying data, and backing up and encrypting important data
  • Lawfully collecting, using and processing personal information, and implementing personal information protection measures to prevent its leakage, destruction, tampering, theft, loss and misuse
  • Implementing measures to detect, block and remove illegal information, and measures to prevent the mass dissemination of illegal information and the loss of evidence of illegal or criminal activity
  • Reporting incidents occurring on the network to the local public security organ within 24 hours and, where state secrets are leaked, simultaneously reporting to the local secrecy administration department

Although the last item imposes a 24-hour deadline for reporting to the public security organ, the draft MLPS does not detail the reporting process, including what information the report should contain. Network operators are also required to conduct an annual self-assessment of their implementation of the MLPS, rectify any problems found in a timely manner, and report the results to the local public security organ.

Special obligations for classifications at Level 3 or above

Under article 21 of the draft MLPS, operators of networks classified at Level 3 or above must also comply with special cybersecurity protection obligations, which include in particular:

  • Establishing a network security management body, defining job responsibilities for MLPS work, and setting up a tiered approval system for matters such as network changes, network access, operations and maintenance, and changes of technical support providers
  • Formulating and implementing an overall cybersecurity plan and an integrated security protection strategy, and preparing a security construction plan, subject to review and approval by professional technical personnel
  • Conducting security background checks on the person in charge of network security management and on personnel in key positions, and requiring such personnel to hold the relevant certifications
  • Implementing cybersecurity situational awareness, monitoring and early-warning measures, building a cybersecurity protection management platform, dynamically monitoring and analyzing network operating status, network traffic, user behavior and cybersecurity incidents and cases, and interfacing that platform with the public security organ at the same level
  • Implementing redundancy, backup and recovery measures for important network equipment, communication links and systems
  • Establishing an MLPS grade assessment system, regularly conducting grade assessments, and reporting the assessment results, remediation measures and remediation outcomes to the public security organ and other relevant departments

Newly built networks classified at Level 3 or above may be put into operation only after passing a grade assessment by an MLPS assessment agency. The operators of such networks must also formulate a cybersecurity emergency response plan and conduct periodic emergency response drills. Moreover, technical maintenance of networks at Level 3 or above must be performed within the PRC and may not be performed remotely from outside China; where remote maintenance from abroad is genuinely required for business reasons, a cybersecurity assessment must be carried out and risk control measures put in place. The draft MLPS also imposes a series of additional requirements on operators of networks at Level 3 or above relating to the procurement of cybersecurity products, network service providers, and the use and assessment of cryptographic measures.

  • What are the enforcement measures and legal liabilities?

Compared with the existing MLPS, the draft MLPS introduces more enforcement measures, such as investigating cybersecurity incidents, blocking information transmission and disconnecting networks in emergencies, and summoning relevant personnel of network operators (legal representatives, principal persons in charge, etc.) for regulatory interviews.

Furthermore, by incorporating the relevant articles of the CSL, the draft MLPS provides clearer guidance than the existing MLPS as to the applicable legal liabilities (ranging from orders to take corrective measures and warnings to monetary penalties imposed on network operators and relevant personnel), and is correspondingly more enforceable, in the following situations:

  • Violation of obligations to protect network security (article 59 of the CSL)
  • Violation of obligations to protect personal information (article 64 of the CSL)
  • Failure to comply with instructions from the competent authorities or refusal to cooperate with investigations (article 69 of the CSL)

The draft MLPS also provides that operators of networks classified at Level 3 or above are subject to heavier penalties for violations.

Conclusion

Once the draft MLPS is adopted, multinational corporations doing business in China that fall within the category of network operators will first need to determine the applicable classification of their networks and, if a network would be classified at Level 3 or above, pay particular attention to compliance.