On 10 July 2017, the Cyberspace Administration of China (CAC) issued a draft Regulation on the Protection of Critical Information Infrastructure (the Draft Regulation), pursuant to Article 31 of the Cybersecurity Law of China, for public consultation.
What is in the Draft Regulation?
The Draft Regulation provides for a wide sectoral scope of critical information infrastructure (CII), which includes information networks, such as telecommunication networks, television broadcast networks and the internet, and entities providing cloud computing, big data and other large-scale public information network services; news organisations, such as broadcasting stations, television stations and news agencies; and other critical organisations. Additionally, the CAC will issue further guidelines for the identification of CII. The wide scope of CII could increase the chances of businesses being categorised as CII operators under the Draft Regulation. Notably, the Draft Regulation provides that network operators that do not operate CII are encouraged to participate voluntarily in the regime.
Under the Draft Regulation, the responsibilities of a CII operator include:
1. Establish specialised network security management departments and persons who bear responsibility for network security management, and carry out security background investigations on such responsible persons and personnel in key positions;
2. Carry out periodic network security education, technological training and skills evaluation for working personnel;
3. Implement disaster recovery backups for important systems and databases, and promptly adopt remedial measures for network risks such as system leakages; and
4. Formulate contingency plans for network security incidents and carry out periodic drills.
Further, the Draft Regulation provides that the person with primary responsibility for the CII operator is also the person responsible for the security protection of the CII, whose obligations include the following:
1. Formulate regulations, systems and operational procedures for network security, and oversee the implementation;
2. Conduct evaluations of the skills of personnel in key positions;
3. Formulate and implement a program for network security training and education; and
4. Report important network security issues and incidents to the relevant authorities.
The Draft Regulation also introduces licensing requirements for the technical staff with key positions responsible for the security of CII.
Interestingly, the Draft Regulation empowers the regulators to conduct spot checks on CII operators within their own industry sectors and fields, to assess how those operators are performing their security protection obligations, to propose corrective measures, and to guide CII operators in rectifying and improving problems discovered. As part of those spot checks, the regulator may:
1. Require relevant personnel of the operator to provide explanations of items in the diagnostics and evaluation;
2. Access and review, obtain, and copy documents and records which are relevant to the protection of security;
3. Inspect the status of the formulation and implementation of the network security management system, and the status of the planning, construction and operation of the network security technological measures; and
4. Utilise diagnostic tools or engage a network security services agency to carry out technical diagnostics.
CII to remain within China
Another important feature of the Draft Regulation is that it requires the operation and maintenance of CII to be conducted within the territory of China. If remote maintenance is necessary for business reasons, CII operators must report this to the regulators before conducting such remote maintenance. As it is currently worded, this requirement may be problematic for foreign businesses providing services for the operation of CII because the operation must be conducted within China. However, the scope of this provision is not entirely clear and its implications and effects remain to be seen.
The Draft Regulation has provided more clarity on the cybersecurity obligations of CII operators. Nonetheless, uncertainties remain, such as the wide scope of CII, which still depends on CII identification guidelines yet to be formulated and issued by the Chinese authorities. Further, implementation would likely be delayed until the scope of CII is firmed up.
The Draft Regulation remains open for public consultation and may be subject to further amendments.