On July 10, 2017, the Cyberspace Administration of China published a new draft of its Regulations on Protecting the Security of Key Information Infrastructure (the “Draft Regulations”), and invited comment from the general public. The Cybersecurity Law of China establishes a new category of information infrastructure, called “key [or critical] information infrastructure,” and imposes certain cybersecurity obligations on enterprises that operate such infrastructure. The Draft Regulations will remain open for comment through August 10, 2017.
The Draft Regulations provide further details on the scope of what will constitute “key information infrastructure.” According to the Draft Regulations, this will include network facilities and information systems operated and managed by: (1) government agencies, and entities in the energy, finance, transportation, water conservation, health care, education, social insurance, environmental protection and public utilities sectors; (2) operators of information networks, such as telecommunications networks, broadcast television networks and the Internet, and entities providing cloud computing, big data and other large-scale public information network services; (3) research and manufacturing entities in industry sectors such as science and technology for national defense, large equipment manufacturing, the chemical industry and the food and drug sectors; and (4) news organizations, such as broadcasting stations, television stations and news agencies.
The Draft Regulations reiterate the cybersecurity compliance obligations originally imposed under the Cybersecurity Law, such as obligations to formulate internal security management systems and operating protocols; to adopt technological measures to guard against computer viruses, network attacks and intrusions; to monitor and record network operations and cybersecurity incidents; and to adopt security measures such as data classification, back-up and encryption of important data. At the same time, the Draft Regulations impose further cybersecurity obligations on operators of key information infrastructure, including obligations to: (1) designate a specific cybersecurity administrative department and persons responsible for cybersecurity, and conduct background reviews of those responsible persons; (2) conduct cybersecurity education, technology training and skills evaluation of relevant staff on a regular basis; (3) implement disaster recovery backup for important systems and databases, and adopt remedial measures to promptly address security risks such as system vulnerabilities; and (4) establish contingency plans for cybersecurity incidents and conduct regular rehearsals of those plans.
According to the Draft Regulations, operators of key information infrastructure should establish a system to inspect their key information infrastructure and evaluate its security posture and possible risks. They may conduct this inspection and evaluation themselves or engage third-party cybersecurity service providers, and they must conduct it at least once a year.
The Draft Regulations reiterate the data localization requirements imposed on operators of key information infrastructure under the Cybersecurity Law, as well as related requirements under the Measures for Security Reviews of Network Products and Services. The Draft Regulations also require that the operation and maintenance of key information infrastructure be performed within the territory of China. If remote maintenance of key information infrastructure from outside China is truly necessary for business reasons, the operator should report in advance to both the relevant government agency with authority over the industry sector and the public security department.