On July 11, 2017, the Cyberspace Administration of China (CAC) released the draft Regulation on the Protection of the Critical Information Infrastructure (“Draft Regulation”) for public comment (official Chinese version available here). The comment period ends on August 10, 2017.

Aiming to add greater clarity to the Cybersecurity Law, which took effect on June 1, 2017, the Draft Regulation clarifies the scope of Critical Information Infrastructure (“CII”) and elaborates on how CII operators are expected to protect their networks against cyber threats. The Draft Regulation also sets out additional obligations for CII operators, including allowing officials to perform cybersecurity inspections.

The Draft Regulation may help reduce some of the confusion surrounding the key phrase “critical information infrastructure,” which constitutes a crucial part of China’s fast-evolving cybersecurity regulatory framework. But many important questions remain unanswered in the current draft. Companies that either operate in the sectors identified in the Draft Regulation or that supply operators in those sectors should be mindful of the requirements relating to cybersecurity, especially relating to cybersecurity reviews and procurement of network services and products, and closely monitor the regulatory developments.

Some highlights of the Draft Regulation are summarized below.

Classification of CII and CII Operators

China’s Cybersecurity Law contains a list of “key sectors” that may be considered CII, namely: telecommunications, energy, transportation, water conservation, financial services, utility, and e-government. The Draft Regulation further clarifies the scope of CII, enumerating additional sectors that may be considered CII. These include:

  • Governmental agencies, and entities in the sectors of energy, finance, transportation, water conservation, healthcare, education, social insurance, environmental protection, utilities and so on;
  • Information network operators such as operators of telecommunication, broadcasting networks, and the Internet, as well as service providers of cloud computing, big data, and other large-scale public information services;
  • “Manufacturing and research and development entities” in sectors such as national defense, large-scale equipment, chemical engineering, and food and drugs;
  • “News units,” including broadcasting stations, TV stations, and news agencies; and
  • “Other key sectors.”

Even if a company operates in one of these sectors, however, it remains to be seen whether the company will be considered a CII operator. The Draft Regulation states that more guidance is forthcoming on this issue.


Cybersecurity Requirements for CII Operators

If a particular company is identified as a CII operator, the Draft Regulation elaborates on some of the requirements it will face in the following areas:

  • Cybersecurity governance and leadership, including appointing dedicated cybersecurity personnel and assigning responsibility for protecting CII;
  • Cybersecurity measures (both internal and external) to safeguard networks; and
  • Annual security assessments required under the Cybersecurity Law.


Security of Products and Services Used

The Draft Regulation builds on the requirements imposed by the Cybersecurity Law (see Covington’s blog post on these requirements here) and introduces several new supply chain requirements.  These include, for example, assessing third-party-developed systems and software and performing maintenance of CII within China.


Cybersecurity Threat Monitoring, Incident Response, and Cybersecurity Inspections

The Draft Regulation also provides more guidance on how CII operators should interact with agencies on cybersecurity issues, including information sharing, threat monitoring, and cybersecurity inspections.  These cybersecurity inspections include allowing regulators to access, retrieve, and reproduce relevant documents or records and conduct technical assessments.

*          *          *

Companies active in China should continue to follow these legislative developments and be watchful for future guidelines that explain how to determine whether a company operating in the enumerated sectors discussed above will be deemed a CII operator. Moreover, companies that supply network products and services to entities in key sectors should be aware of how the Draft Regulation may affect their sales and post-sale activities in China if their customers are deemed to be CII operators.

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.