Aug 26, 2021

China Issues CII Security Protection Regulations

On 17 August 2021, the State Council of the People’s Republic of China promulgated the Critical Information Infrastructure Security Protection Regulations (“CII Security Regulations”), which will take effect on 1 September 2021, the same day as the Data Security Law.[1] Although PRC authorities first began soliciting public comments on a draft back in July 2017, it has taken almost 4 years for them to settle on the soon-to-be binding version of the CII Security Regulations. On one hand, as an important supplement to the Cybersecurity Law,[2] these new CII Security Regulations provide detailed implementation rules concerning the security of so-called “critical information infrastructure” (“CII”), and impose heightened requirements regarding how CII must be protected in China. On the other hand, other key details concerning the treatment of CII remain outstanding under the new CII Security Regulations, such as the exact security assessments that operators of CII (“CIIOs”) must conduct prior to transferring personal information or important data outside of China.

Regulatory Authorities involved in CII Protection

The CII Security Regulations specify that the competent authorities, supervision departments and administrative authorities that are tasked with regulating specific industries are ultimately also responsible for overseeing the security of CII in their respective industries. In particular, these industrial regulators will be responsible for formulating rules on the determination of what constitutes CII in their industries, and for carrying out such determinations. Meanwhile, the PRC Ministry of Public Security (MPS) is tasked with supervising CII security protection work under the general coordination of the Cyberspace Administration of China (CAC), together with the Ministry of Industry and Information Technology (MIIT) and other applicable departments (such as regulators that oversee security and encryption). Industry regulators must report their determination rules and the resulting CII determinations to MPS.

Standards for CII Determination

The CII Security Regulations do not further specify or clarify the definition and determination standards of CII. Instead, the CII Security Regulations follow the same general definition under the Cybersecurity Law, defining CII as “…critical information infrastructure used in connection with public communications and information services, energy, transport, water conservancy, finance, public services, e-government affairs, state defense technology and other important industries and fields, as well as any other critical information infrastructure that would result in serious damage to national security, the national economy or people's livelihood and public interests if such infrastructure were to be destroyed, functionally impaired, or subject to data leaks”. Compared to this longstanding definition under the Cybersecurity Law, the only new addition under the CII Security Regulations is a direct reference to “the state defense technology industry” among the covered industries that are likely to involve CII.

That said, while the CII Security Regulations have not materially modified the definition of CII, they have laid a legal foundation for the promulgation of more detailed determination rules and have clarified certain information rights of operators. Specifically, the CII Security Regulations require relevant industrial regulators to consider the following factors when formulating CII determination rules applicable to their industries: (a) the degree of importance of network facilities and information systems to the core businesses of the industry; (b) the degree of damage that could potentially be caused if the network facilities and information systems in that industry were to become subject to destruction, loss of function or data leaks; and (c) the correlative impact on other industries that could be caused by any damage to or impairment of such infrastructure. The industrial regulators are required to notify CIIOs of the relevant determination results in a timely manner.

Secure and Trusted Network Products

The CII Security Regulations require CIIOs to prioritize the purchase of secure and trusted network products and services. In the event that the purchase of such network products and services may potentially affect state security, then such operators are also required to pass certain “cybersecurity review” procedures set out in the Cybersecurity Review Measures jointly promulgated by twelve Chinese government departments (led by the CAC) back in April 2020. Notably, the CII Security Regulations do not yet provide a detailed and specific description of which products constitute “secure and trusted” products, and it is not yet known whether there will even be a publicly available list of such products and services in the future.

Primary Obligations of CIIOs

In addition to the existing obligations applicable to CIIOs under the Cybersecurity Law, the CII Security Regulations stipulate additional special obligations and corresponding legal responsibilities that CIIOs must perform in their operations, including primarily the following:

Investment of Human, Financial and Material Resources

  • CIIOs must establish and improve cybersecurity protection systems and responsibility systems, and ensure sufficient investment of human, financial and material resources for these purposes. The individual in charge of a CIIO ultimately bears overall responsibility for the security protection of its CII, and is responsible for leading security protection efforts, handling major cybersecurity incidents, and organizing the investigation and resolution of major cybersecurity issues.
  • CIIOs must establish special security management departments and conduct security background checks on the persons in charge of such activities, as well as on any other critical personnel of such security management departments.
  • CIIOs must guarantee that such security management departments are provided sufficient operating funds and allocated sufficient personnel. Decision-making related to matters of network security and information/data issues must involve personnel from the security management department.

Procurement of Network Products and Services

  • In addition to procuring secure and trusted products and completing the cybersecurity review procedures mentioned above, when purchasing network products and services, CIIOs are required to enter into security confidentiality agreements with relevant network product/service providers.

Reporting Responsibilities

  • CIIOs must promptly report to relevant industrial authorities any major changes to their CII that could affect its determination as CII.
  • CIIOs must report to relevant industrial authorities and MPS regarding any large-scale cybersecurity incidents, or upon the discovery of major cybersecurity threats.
  • CIIOs must also conduct cybersecurity testing and risk assessment procedures at least once a year, either independently or via a third-party cybersecurity service organization. CIIOs must promptly correct any security issues identified in such testing and report certain results to relevant authorities.
  • In the event of a merger, division, dissolution, etc. of a CIIO, the parties to the transaction must promptly report such transaction to relevant industrial authorities, and ensure that the relevant CII continues to be handled in accordance with the requirements imposed by such industrial authorities.

Legal Liabilities

  • If a CIIO violates the above-mentioned obligations, then the competent authorities may order rectification measures and provide warnings reiterating relevant responsibilities. In the event that a CIIO refuses to undertake rectification measures or continues to endanger network security, the CIIO will be fined no less than RMB 100,000 up to RMB 1 million, and the directly responsible person in charge will be fined no less than RMB 10,000 up to RMB 100,000. A CIIO which fails to conduct mandatory security review procedures when purchasing network products and services which may have an impact on national security will face a fine of 1x to 10x the amount of the purchase price of such network products and services.

Conclusion

The CII Security Regulations provide detailed implementing rules regarding the protection of CII security, and are consistent with current trends across the wider PRC cybersecurity regime. That said, these regulations do not by themselves dramatically expand the systems currently proposed under the PRC cybersecurity regime, instead leaving most critical concerns unaddressed or subject to decentralized legislative efforts that will need to be clarified by relevant industry regulators (e.g., the exact determination factors that will constitute CII in relevant industries). Notably, it is uncertain when and how these industry-specific rules will be made and implemented among China’s various industries.

[1] The PRC Data Security Law (《中华人民共和国数据安全法》), issued by the Standing Committee of the National People's Congress on 10 June 2021 and effective on 1 September 2021.

[2] The PRC Cybersecurity Law (《中华人民共和国网络安全法》), issued by the Standing Committee of the National People's Congress on 7 November 2016 and effective on 1 June 2017.

© DaHui Lawyers