The Cyberspace Administration of China (CAC) released its draft Regulations on Protection of Critical Information Infrastructure Security (Draft Regulations) on 10 July 2017. The CAC is seeking public comments on the Draft Regulations until 10 August 2017.
In this e-bulletin we highlight the key provisions of the Draft Regulations and set out our observations on the regime.
The Cyber Security Law (CSL), enacted in 2016, officially introduced the concept of critical information infrastructure (CII) for the first time with a section covering the protection of CII. Pursuant to the CSL, CIIs will be afforded special protection measures in addition to those provided under the Multi-layer Protection Scheme (MLPS), the major cyber protection regime envisaged under the CSL. These protection measures include higher standards for protection obligations and closer scrutiny by the government over the operation of the CII. The CSL authorizes the State Council to publish regulations on the scope of CII and security protection measures.
Highlights of key provisions
I. Scope of CII
In the Draft Regulations, CII is defined as network facilities which, in case of destruction, loss of function or leak of data, will result in serious damage to national security, the national economy and people's livelihood or public interest. The scope of CII includes:
(i) government, energy, finance, transport, water-resources, healthcare, education, social security, environmental protection and public utilities;
(ii) information networks (including telecommunications, broadcasting networks, and the internet) and large public information network service providers (including cloud service and big data providers);
(iii) research institutions and manufacturers in the defence, large equipment, chemical engineering, food and pharmaceuticals sectors;
(iv) news media, including radio and TV stations and news agents; and
(v) other facilities.
In addition to the above, the CAC will, jointly with the Ministry of Industry and Information Technology and the Ministry of Public Security (MPS), issue CII Identification Guidelines (Identification Guidelines) setting out how CII within these sectors is to be identified.
II. CII protection obligations
The protection obligations in the Draft Regulations mirror those set out in the corresponding provisions of the CSL (Articles 21, 23 and 34 to 38). However, attention should be drawn to the following new obligations created by the Draft Regulations:
● Requirements for designated personnel
Each CII operator must appoint a designated person in charge of cyber security management who is responsible for:
(i) formulating internal cyber security regulations and operation manuals and supervising their implementation;
(ii) organising testing of the technical skills of key technical personnel;
(iii) organising and implementing cyber security education and training programmes;
(iv) organising cyber security inspections and contingency drills and dealing with cyber security incidents; and
(v) reporting important cyber security issues and incidents to competent authorities.
Additionally, under the Draft Regulations, key technical personnel are required to be licensed before they are permitted to work. The CAC will work with the Ministry of Human Resources and Social Security to formulate the licensing regulations.
The Draft Regulations also impose mandatory training hours for cyber security related personnel (at least one working day each year) and key technical personnel (at least three working days each year).
● Localisation requirements
In addition to the data localisation requirements for CII, the Draft Regulations require maintenance of CII to be conducted within the territory of the PRC. Where maintenance has to be conducted remotely from abroad, the industry regulator and the MPS must be notified in advance.
● Security testing and evaluation
Under the Draft Regulations, CII is subject to security testing and evaluation by its operator and also industry regulators.
(i) Self-testing and evaluation: CII operators are required to (a) conduct security testing and evaluation before commissioning CII or where there are "significant changes"; (b) conduct testing and evaluation of the security and potential risks of CII at least once a year, rectify any issues discovered and report the result to the industry regulator; and (c) conduct testing and evaluation for outsourced systems and software and donated network products before they are put into operation.
(ii) Government testing and evaluation: industry regulators are required to conduct spot-check security testing and evaluation of CII from time to time, in addition to the operator's own testing.
III. Establishment of cyber security early warning systems and information sharing and contingency planning systems
The CAC and the industry regulators are responsible for collecting, analysing and notifying cyber security information and publishing cyber security early warning information and advice on preventative measures.
The CAC will also establish systems to enable the sharing of cyber security information and the implementation of cyber security contingency measures pursuant to the National Cyber Security Incident Contingency Plan published earlier in 2017.
Our observations
I. Extended scope of CIIs
The scope of sectors in which CIIs may exist has been significantly broadened. The inclusion of healthcare, education, environmental protection, information networks, "large public information network services" and food and pharmaceuticals means the scope of CII is more extensive than previously envisaged under the CSL and may cover many more facilities than initially thought.
The sectors set out in the Draft Regulations are generally consistent with the scope of CIIs set out in the internal document, entitled Cyber Security Inspection Operation Guidelines, issued by the CAC in June 2016.
We understand that only a small proportion of the network facilities in the listed sectors will fall within the scope of CIIs, but it is unclear how such CIIs may be identified until the Identification Guidelines are published.
II. Increased compliance burden
Building on the existing protection obligations under the CSL, the Draft Regulations create new obligations for CII operators. The mandatory training hours and licensing requirements for cyber security personnel will inevitably result in additional training and compliance costs for CII operators.
The localisation requirements for maintenance could pose a challenge to CII operators that maintain information systems using technical support centres or teams located outside China.
Further, the requirement that CII operators carry out pre-commissioning and regular security testing and evaluation will also involve material cost and staff time being devoted to compliance.
Although the Identification Guidelines have not yet been published, companies operating large information system facilities in the sectors listed in the Draft Regulations should be aware of the extended scope of CII and evaluate their current cyber security protection systems against the requirements of the Draft Regulations. In particular, entities affected by the localisation requirements should be prepared to review and adjust their current data storage and system maintenance arrangements to comply with the forthcoming regulations on CII protection.