This post has been updated.
On July 10, 2017, the Cyberspace Administration of China published a new draft of its Regulations on Protecting the Security of Key Information Infrastructure (the “Draft Regulations”), and invited comment from the general public. The Cybersecurity Law of China establishes a new category of information infrastructure, called “key [or critical] information infrastructure,” and imposes certain cybersecurity obligations on enterprises that operate such infrastructure. The Draft Regulations will remain open for comment through August 10, 2017.
The Draft Regulations provide further details on the scope of what will constitute “key information infrastructure.” According to the Draft Regulations, this may include network facilities and information systems operated and managed by (1) government agencies and entities in the energy, finance, transportation, water conservancy, health care, education, social insurance, environmental protection and public utilities sectors; (2) information networks, such as telecommunications networks, broadcast television networks and the Internet, and entities providing cloud computing, big data and other large-scale public information network services; (3) research and manufacturing entities in industry sectors such as science and technology for national defense, large equipment manufacturing, the chemical industry and the food and drug sectors; and (4) news organizations, such as broadcasting stations, television stations and news agencies. Falling within one of these sectors is not by itself sufficient, however. To be counted as “key information infrastructure,” the infrastructure must also meet the threshold test that its destruction, loss of functionality or leakage of its data would severely endanger national security, the national economy and the people’s livelihood, or the public interest. The Cyberspace Administration of China will work together with the relevant government agencies to formulate guidelines for identifying “key information infrastructure” in their respective industry sectors and fields.
The Draft Regulations reiterate the cybersecurity compliance obligations originally imposed under the Cybersecurity Law, such as obligations to formulate internal security management systems and operating protocols; to adopt technical measures to protect against computer viruses and against attacks on and intrusions into networks; to monitor and record network operations and cybersecurity incidents; and to adopt security measures such as data classification, and the back-up and encryption of important data. At the same time, the Draft Regulations impose further cybersecurity obligations on operators of key information infrastructure, including obligations to: (1) designate a specific cybersecurity administrative department and persons responsible for cybersecurity, and conduct background reviews of these responsible persons; (2) conduct cybersecurity education, technical training and skills evaluation of relevant staff on a regular basis; (3) implement disaster recovery backup for important systems and databases, and adopt remedial measures to promptly address security risks such as system vulnerabilities; and (4) establish contingency plans for cybersecurity incidents and conduct regular drills of these plans.
According to the Draft Regulations, operators of key information infrastructure must establish a system for inspecting their key information infrastructure and evaluating its security posture and possible risks. They may conduct this inspection and evaluation themselves or engage third-party cybersecurity service providers to do so, but it must be carried out at least once a year.
The Draft Regulations reiterate the data localization requirements imposed on operators of key information infrastructure under the Cybersecurity Law, as well as the related requirements under the Measures for Security Reviews of Network Products and Services. The Draft Regulations also require that the operation and maintenance of key information infrastructure be performed within the territory of China. If remote maintenance of key information infrastructure from outside China is genuinely necessary for business reasons, the operator must report in advance to both the government agency with authority over the relevant industry sector and the public security department.