On 17 August 2021, the State Council released the Regulations on Security and Protection of Critical Information Infrastructure, which take effect on 1 September 2021. This is the first official regulation dedicated to protecting China’s critical information infrastructure (CII), reflecting China’s mounting efforts to strengthen data security protection amid a series of growing risks. It is noteworthy that the first call for comments on the draft Regulations was published by the Cyberspace Administration of China (CAC) in 2017.

What is CII?

The Regulations define ‘CII’ as important network facilities and information systems used in sectors including:

  • Public communication and information services
  • Energy
  • Transportation
  • Water conservancy
  • Finance
  • Public services
  • E-government services
  • Science and technology for national defense
  • Other important network facilities and information systems whose damage, loss of function or data leakage may seriously endanger national security, the national economy, people’s livelihood or public interests

How are CIIs identified?

The competent government departments and administrative departments for each of the above-mentioned sectors are treated as the ultimate protectors of CII, and are therefore responsible for the security and protection of CIIs in their respective fields. These departments shall formulate sector-specific rules for identifying CIIs in their fields, and file those rules with the Public Security Department of the State Council.

Once CIIs have been identified, the same competent departments will notify the CII operators (CIIOs), and file records with the Public Security Department of the State Council.

How are CIIs protected and safeguarded?

CIIOs

All CIIOs should set up a designated administrative group specifically responsible for the security of their CIIs. When making cybersecurity-related decisions, CIIOs shall take full account of the opinions of that designated administrative group. In addition, CIIOs should conduct (or engage cybersecurity service agencies to conduct) cybersecurity testing and risk evaluation of their CIIs at least once a year.

Government

In addition to formulating the rules for identifying CIIs, the competent departments shall (i) develop security plans, (ii) establish cybersecurity monitoring systems, (iii) draw up emergency plans for cybersecurity incidents, and (iv) regularly carry out testing and inspection of CIIs.

Conclusions

Compared with the first draft of the Regulations circulated for public comment in 2017, the final Regulations clearly stipulate that the competent government departments will notify operators as to whether their network facilities and information systems are considered CIIs. In this way, enterprises do not need to act until a written notice is received. Still, enterprises that expect their systems are likely to fall into the CII category are advised to start preparing in advance for the annual security testing and for the establishment of the designated administrative group.