On 16 November 2022, the National Energy Administration (NEA) released the Measures for the Administration of the Classified Protection of Cybersecurity in the Power Industry (hereinafter referred to as “Measures”). The aim is to further regulate and improve the administration of cybersecurity in the power industry.

Classified cybersecurity protection is a fundamental management system in China and the foundation for protecting critical information infrastructure. Before the release of the Measures, the previous regulation played an important role in guiding power companies to implement classified cybersecurity protection as required by national policies and regulations; however, it fell short in coping with the new situation, namely an increasingly complex power system and structure, a broader expansion of cyberspace into various sectors, and consequently mounting risks. More importantly, from a top-down perspective, China’s recently released laws, regulations and standards put forward higher requirements for the classified protection of cybersecurity. The newly revised Measures therefore provide an updated framework and process for classified cybersecurity protection in the power industry. The Measures comprise 6 chapters: general provisions, classification and protection, implementation and management of classified protection, cryptography management for the classified protection of cybersecurity, legal liability, and supplemental provisions. In general, the Measures further specify:

  1. the purpose, application scope and relevant terminology of classified cybersecurity protection;
  2. grading and corresponding protection principles;
  3. the responsibilities of NEA, its agencies, the power industry and evaluation bodies in grading, auditing, evaluation and cryptography management;
  4. liabilities.

In line with national laws and regulations, the Measures adjusted the main principle of classified cybersecurity protection in the power industry, from “independent classification, and independent protection” to “classified protection, emphasis on priorities, proactive defense, and comprehensive prevention”. In addition, the Measures adjusted the title of the document and relevant terminology, refined the requirements on classification and evaluation cycles, standardized the audit process of grading, optimized filing procedures of classification outcomes and evaluation reports, and improved requirements for corresponding evaluation bodies.

In the following months, NEA’s efforts will be dedicated to policy publicity and coordination. Individual power companies are required to carefully study and comply with the Measures. It is expected that the Measures will contribute to an overall improvement of the classified protection of cybersecurity across the whole industry.