On July 11, 2017, the Cyberspace Administration of China (CAC) released the draft Regulation on the Protection of the Critical Information Infrastructure (“Draft Regulation”) for public comment (official Chinese version available here). The comment period ends on August 10, 2017.
Aiming to add greater clarification to the Cybersecurity Law, which took effect on June 1, 2017, the Draft Regulation clarifies the scope of Critical Information Infrastructure (“CII”) and elaborates on how CII operators are supposed to protect their networks against cyber threats. The Draft Regulation also sets out additional obligations CII operators face, including allowing officials to perform cybersecurity inspections, among others.
The Draft Regulation may help reduce some of the confusion surrounding the key phrase “critical information infrastructure,” which constitutes a crucial part of China’s fast-evolving cybersecurity regulatory framework. But many important questions remain unanswered in the current draft. Companies that either operate in the sectors identified in the Draft Regulation or that supply operators in those sectors should be mindful of the requirements relating to cybersecurity, especially relating to cybersecurity reviews and procurement of network services and products, and closely monitor the regulatory developments.
Some highlights of the Draft Regulation are summarized below.
Classification of CII and CII Operators
China’s Cybersecurity law contains a list of “key sectors” that may be considered CII, namely: telecommunications, energy, transportation, water conservation, financial services, utility, and e-government. The Draft Regulation further clarifies the scope of CII, enumerating additional sectors that may be considered CII. These include:
- Governmental agencies, and entities in the sectors of energy, finance, transportation, water conservation, healthcare, education, social insurance, environmental protection, utilities and so on;
- Information network operators such as operators of telecommunication, broadcasting networks, and the Internet, as well as service providers of cloud computing, big data, and other large-scale public information services;
- “Manufacturing and research and development entities” in sectors such as national defense, large-scale equipment, chemical engineering, and food and drugs;
- “News units,” including broadcasting stations, TV stations, and news agencies; and
- “Other key sectors.”
Even if a company operates in one of these sectors, however, it remains to be seen whether the company will be considered a CII operator. The Draft Regulations state that more guidance is forthcoming on this issue.
Cybersecurity Requirements for CII Operators
If a particular company is identified as a CII operator, the Draft Regulation elaborates on some of the requirements it will face in the following areas:
- Cybersecurity governance and leadership, including appointing dedicated cybersecurity personnel and assigning responsibility for protecting CII;
- Cybersecurity measures (both internal and external) to safeguard networks; and
- Annual security assessments required under the Cybersecurity Law.
Security of Products and Services Used
The Draft Regulation builds on the requirements imposed by the Cybersecurity Law (see Covington’s blog post on these requirements here) and introduces several new supply chain requirements. These include, for example, assessing third-party-developed systems and software and performing maintenance of CII within China.
Cybersecurity Threat Monitoring, Incident Response, and Cybersecurity Inspections
The Draft Regulation also provides more guidance on how CII operators should interact with agencies on cybersecurity issues, including information sharing, threat monitoring, and cybersecurity inspections. These cybersecurity inspections include allowing regulators to access, retrieve, and reproduce relevant documents or records and conduct technical assessments.
* * *
Companies active in China should continue to follow these legislative developments and be watchful for future guidelines that explain how to determine whether a company operating in the enumerated sectors discussed above will be deemed as a CII operator. Moreover, companies that supply network products and services to entities in key sectors should be aware of how the Draft Regulation may affect their sales and post-sale activities in China, if their customers are deemed to be CII operators.