From 22 June to 2 July 2021, the Ministry of Industry and Information Technology (MIIT) called for public comments on the Notice on Enhancing the Network Security of Internet of Vehicles (IoV) (Intelligent Connected Vehicles) (Draft for Comments).
The Draft outlines systematic requirements for multiple actors, including local departments of industry and information technology, bureaus of communication management, China’s three leading telecom operators, IoV enterprises, and intelligent automotive manufacturing enterprises.
Specifically, for IoV companies, the Draft outlines five main requirements, namely to:
- Implement enterprises’ primary responsibilities for network security, formulate an IoV network security management system and operational procedures, appoint personnel responsible for network security, and conduct regular compliance evaluations and risk assessments.
- Establish enterprises’ IoV identity authentication and security trust mechanisms, enhance the application of business passwords, and conduct security assessments.
- Develop network security monitoring mechanisms and technical means, and regularly monitor and analyse the operational security, traffic and behaviour of intelligent connected vehicles, networking systems, etc. In addition, relevant network logs should be kept for at least six months in accordance with relevant regulations.
- Establish network security emergency response mechanisms, formulate emergency response plans for network security incidents, and carry out regular emergency drills.
- Carry out network security protection grading for the affiliated network facilities and systems in accordance with relevant standards, and file the results with provincial-level telecommunications departments.
For IoV platforms, the Draft outlines three main requirements, namely to:
- Obtain the operating permission for any telecom services involving online data processing, transaction processing and information services; implement relevant national regulations on the security protection of critical information infrastructure.
- Conduct network security inspections of Over-the-Air (OTA) services and software packages, and discover service and product security vulnerabilities in a timely manner.
- Establish IoV security management systems covering app development, release, use and updates, etc., and enhance security capabilities such as identity authentication, communication security and critical data protection.
In terms of data security, the Draft outlines four main requirements, namely to:
- Establish a data asset management ledger, implement data classification and grading management, improve the protection of personal information and important data, and conduct data security risk assessments on a regular basis.
- Adhere to the principle of least privilege in data collection, and take effective technical measures to protect data throughout its entire lifecycle. Respond to data security incidents in a timely manner, report them to the provincial-level departments of telecommunications and of industry and information technology, cooperate with relevant supervision and provide the necessary technical support.
- Clarify the security management and responsibility requirements relating to data sharing and utilisation, assess the qualifications and capabilities of data partners, and supervise and manage the use of shared data.
- If it is necessary to provide data overseas for operational reasons, the data should first pass the outbound data security assessment, and the transfer should be reported to the provincial-level authorities for telecommunications and for industry and information technology.
It is noteworthy that the Draft was released one day after MIIT published a call for public comments on the Guidelines for the Establishment of the IoVs Online Security Standards System (Draft for Comments). The Guidelines, which are in turn based on the National Guidelines for the Establishment of Industry Standards System for IoVs as well as the actual requirements of online security, aim to establish a unified and coordinated framework for the standards system.
These Guidelines outline the standards framework of IoV online security, based on six pillars: (i) general and basic commonality, (ii) terminal and facility security, (iii) network communication security, (iv) data security, (v) application service security, and (vi) security assurance. The Guidelines also put forward 97 standardisation plans, which are yet to be implemented. In addition, the document emphasises the need to strengthen exchanges and cooperation with the International Organization for Standardization (ISO), and to actively participate in the international standardisation activities of organisations such as the 3rd Generation Partnership Project (3GPP), the European Telecommunications Standards Institute (ETSI), and the European Committee for Standardization (CEN). Such efforts will contribute to the conversion and consequent integration of Chinese domestic standards with international ones.
In short, both documents, the Draft and the Guidelines, reflect the intention of the Chinese government to systematically advance the establishment of the IoV network security supervision system. This is even more evident when they are read together with the Regulations on Automobile Data Security Management (Draft for Comments) issued by the Cyberspace Administration of China (CAC). These regulatory requirements will bring new compliance obligations to related enterprises. Overseas stakeholders should pay close attention to the progress of the IoV network security supervision system, and should not hesitate to provide feedback on their concerns.