critical infrastructure

On July 2 and July 5, 2021, China’s Cybersecurity Review Office (“CRO”), an office established under the Cyberspace Administration of China (“CAC”) responsible for coordinating the implementation of China’s Cybersecurity Review framework (more details about this framework can be found in our previous blogpost, available here), announced that it had initiated cybersecurity reviews against four mobile applications operated by three Chinese companies: Didi Chuxing (“Didi”), Yunmanman, Huochebang and BOSS Zhipin (announcements are available here and here).

According to CRO’s announcements, these cybersecurity reviews were initiated based on requirements under the National Security Law (“NSL”), the Cybersecurity Law (“CSL”) and the Measures on Cybersecurity Review (“Measures”) and are aimed at “preventing national data security risks, maintaining national security and safeguarding public interests.”  This is the first time that CRO has publicly announced the initiation of cybersecurity reviews against companies since the Measures took effect on June 1, 2020.  Per the announcements, these apps are prohibited from registering new user accounts during the review period.

Separately, on July 4, CAC ordered the Didi app to be removed from Chinese app stores on the ground that the app seriously violated Chinese laws and regulations by “illegally collecting and using personal information” (the announcement is available here).  It is unclear whether this “take down” order is related to CRO’s ongoing cybersecurity review of Didi.

This post explains the requirements and procedures of cybersecurity review under the Measures, analyzes the focus of the current review against these three companies, and provides more background on recent enforcement actions against apps illegally collecting and processing personal information.
Continue Reading China Initiates Cybersecurity Review of Didi ChuXing and Three Other Chinese Mobile Applications

On April 27, 2020, the Cyberspace Administration of China (“CAC”) and eleven other government agencies jointly released the final version of the Measures on Cybersecurity Review (“Measures”) (an official Chinese version of the Measures is available here).  The Measures will take effect on June 1, 2020.

Under Article 35 of China’s Cybersecurity Law (“CSL”), operators of Critical Information Infrastructure (“CII”) are required to undergo a security review if the procurement of “network products and services” implicates China’s national security.  To implement this requirement, CAC previously released the Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”) on May 2, 2017, which established a process for CAC to conduct a cybersecurity review in a range of key sectors.  On May 24, 2019, CAC released a draft version of the Measures (“Draft Measures”) for public comment (see our post on the Draft Measures here), aiming to update the review process established under the Trial Measures.  The final version of the Measures replaces the Trial Measures and largely tracks the framework proposed in the Draft Measures.

Highlights of the final version of the Measures appear below.
Continue Reading China Issues New Measures on Cybersecurity Review of Network Products and Services

On July 5, 2019, China’s Standing Committee of the National People’s Congress (NPC) published a new draft Encryption Law (“the draft Law”) for public comment.  The draft Law, if enacted as drafted, would bring significant new changes to China’s commercial encryption regime.

The State Cryptography Administration (“SCA”) previously issued an initial draft of this law for public comment on April 13, 2017 (“the 2017 Draft”) (see Covington’s alert on the previous version here).  After the release of the 2017 draft, the regulatory regime in China for commercial encryption products was revamped significantly (see Covington’s previous alert here).  The State Council removed certain approval requirements for the production, sale, and use of commercial encryption products in late September 2017, and the SCA issued further notices reducing the burden imposed on manufacturers, distributors and users of commercial encryption products.  The draft Law proposes further changes to this revamped regime, including for example introducing different categories of encryption, and establishing license requirements for certain imports and exports, while carving out items in “general use.”

The comment period ends on September 2, 2019.


Continue Reading China Releases Updated Draft Encryption Law for Public Comment

The Federal Energy Regulatory Commission (“FERC”) released a final rule approving three new Critical Infrastructure Protection (“CIP”) standards which address supply chain risk management for bulk electric system (“BES”) operations.  The new standards were developed by the North American Electric Reliability Corporation (“NERC”) in response to FERC Order No. 829, which directed NERC to create new CIP standards to address risks associated with the supply chain for grid-related cyber systems.  The final rule will take effect sixty days after it is published in the Federal Register.  The new standards must be implemented within eighteen months.  More details regarding the new CIP standards, which may be of interest to entities that develop, implement, or maintain hardware or software for industrial control systems associated with the BES, are provided below.

Continue Reading FERC Approves New Cybersecurity Standards for Supply Chain Risk Management

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.

Organisations that are interested in responding to the consultation have until September 30, 2017 to do so.  The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next.  A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details.
Continue Reading UK Government Proposes Cybersecurity Law with Serious Fines

On April 11, 2017, the Cyberspace Administration of China (“CAC”) released a draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“the Draft Measures”) for public comment (official Chinese version available here).  The comment period ends on May 11, 2017.

The issuance of the long-anticipated Draft Measures is another critical step toward implementing China’s Cybersecurity Law (“the Law”), which is set to take effect on June 1, 2017 (see our alert on the Law here).  Importantly, the Draft Measures, if enacted in their current form, would mandate that all “network operators” self-assess the security of their cross-border data transfers and would significantly broaden the scope of entities that may need to undergo security assessments of such transfers by the Chinese government.  Companies that fall within the scope of “network operators,” but may not qualify as “operators of Critical Information Infrastructure” (“CII”), could see their cross-border data transfers regulated under the Draft Measures.
Continue Reading China Seeks Public Comments on Draft Regulation on Cross-Border Data Transfer

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities:

  • designated* “operators of essential services” within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
  • certain “digital service providers” that offer services within the EU, namely online market places, online search engines and cloud computing services, excluding small/micro enterprises.

* Once the Directive is implemented in national law, Member States will have a further 6 months to apply the criteria laid down in the Directive to identify the specific operators of essential services covered by national rules; they do not need to undertake this exercise in relation to digital service providers, which shall be deemed to be under the jurisdiction of the Member State in which they have their “main establishment” (i.e., their head office in the Union).
Continue Reading EU Cyber Security Directive To Enter Into Force In August

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directed the Secretary of Homeland Security to identify “critical infrastructure at greatest risk” within 150 days after issuance of the Order on February 12, 2013.  Section 9 of the Order specified that the Secretary, in consultation with sector-specific agencies, should “use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  The Order further directed the Secretary to provide the list of identified critical infrastructure to the President, confidentially notify owners and operators of identified critical infrastructure, and establish a process for such owners and operators to request reconsideration of their identification.

On April 17, the Department of Homeland Security (“DHS”) issued a Federal Register notice regarding its actions pursuant to Section 9 of the Executive Order.  The Notice reports that after consulting with “sector stakeholders,” including critical infrastructure owners and operators, sector-specific agencies, and subject-matter experts, the Secretary of Homeland Security provided an initial list of identified critical infrastructure to the President on July 19, 2013.  DHS explained that it has completed the process of notifying owners and operators of critical infrastructure that has been identified as “at greatest risk,” and therefore “[i]f critical infrastructure owners and operators have not been contacted by DHS in connection with their status on the initial list, then such infrastructure has not been included on the initial list.”  The list of critical infrastructure at greatest risk will be updated annually going forward.
Continue Reading DHS Announces Reconsideration Process for “Critical Infrastructure at Greatest Risk”

By Susan B. Cassidy

On March 12, 2014, General Services Administration (“GSA”) issued a Request for Information (“RFI”) to obtain stakeholder input on implementing the recommendations contained in the joint GSA and Department of Defense (“DOD”) report, Improving Cybersecurity and Resilience through Acquisition (“Joint Report”), issued on January 23, 2014.

The Joint Report and, in turn, the RFI from GSA were issued in furtherance of Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity, which called for GSA and DOD, in consultation with the Secretary of Homeland Security and the Federal Acquisition Regulatory Council, to make recommendations to the President “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”  The Joint Report responded to this request with six recommendations for strengthening the federal government’s cyber resilience:

  1. Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;
  2. Address cybersecurity in relevant training;
  3. Develop common cybersecurity definitions for federal acquisitions;
  4. Institute a federal acquisition cyber risk management strategy;
  5. Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources, whenever available, in appropriate acquisitions; and
  6. Increase government accountability for cyber risk management.

Through the RFI issued on March 12, GSA has requested stakeholder input on how to implement the Joint Report’s recommendations.  To this end, GSA provided a draft Implementation Plan, which addresses the implementation of the Joint Report’s fourth recommendation, “institute a Federal acquisition cyber risk management strategy.”  The Implementation Plan explains that GSA will implement the Joint Report’s fourth recommendation first because “the risk management strategy and processes to institute it provide the foundation that is necessary for the other recommendations to be implemented.”
Continue Reading GSA Seeks Comments on Implementation of GSA/DOD Cybersecurity Joint Report Recommendations

It has been an eventful week in the European Parliament in relation to data privacy and security matters.  Having already voted in favor of the General Data Protection Regulation (“GDPR”) and endorsed a controversial report into allegations of mass surveillance, the European Parliament voted yesterday on the proposed Network and Information Security (“NIS”) Directive.  In line with previous committee reports, the Parliament’s vote ensures that the proposed NIS Directive focuses on protecting critical infrastructure in the energy, transport, financial services and health sectors.

The EU legislative bodies will now enter into negotiations to agree a final text.  Commissioner Kroes called earlier this week for this work to be completed this year, but this timeframe seems ambitious.
Continue Reading European Parliament Votes to Ensure that the Proposed Network and Information Security Directive Focuses on Protecting Critical Infrastructure