China’s Ministry of Industry and Information Technology (MIIT) has unveiled a comprehensive framework for the security classification and grading rules governing the industrial internet. In a notice issued on October 24, 2023, MIIT solicited public opinions on the Administrative Measures for Industrial Internet Security Classification and Grading (Draft for Public Comment). This initiative targets various sectors under MIIT’s purview, encompassing raw materials, equipment, consumer goods, and electronic information manufacturing industries.

The proposed classification and grading system applies to industrial internet enterprises, which it divides into three categories: enterprises utilizing the industrial internet, industrial internet platform enterprises, and industrial internet identifier resolution enterprises.

Under the proposed measures, industrial internet enterprises must conduct a self-assessment based on specified standards for security classification. Factors considered include the company’s size, business scope, extent of industrial internet application, importance of critical systems, control over sensitive data, significance for industry development and supply chain security, as well as the potential consequences of cybersecurity incidents. After the self-assessment, enterprises will be assigned a grade, ranging from one to three, with three being the highest.

To formalize this process, industrial internet enterprises are required to register their details on the National Industrial Internet Security Classification and Grading Management Platform. This registration encompasses essential information such as company name, type, grade, contact details, and cybersecurity personnel. Additionally, these enterprises must undergo regular compliance assessments, either independently or through third-party organizations. Grade three enterprises are mandated to conduct annual assessments, while grade two enterprises must do so every two years.

MIIT plans to establish and refine a comprehensive mechanism for security inspection and evaluation of industrial internet enterprises, conducting periodic assessments. Non-compliance with the established measures, failure to fulfill network and data security obligations, posing significant security risks, or experiencing security incidents may lead to enforcement actions by MIIT and local supervisory departments, in accordance with relevant laws such as China’s Cybersecurity Law and Data Security Law.

Moreover, the document signals MIIT’s intention to guide internet-connected industrial enterprises in identifying critical industrial control systems. It proposes the inclusion of distributed control systems (DCS) and similar systems in the Catalog of Critical Network Equipment, thereby requiring mandatory testing and certification.

Stakeholders and interested parties may submit comments on the proposed measures until November 22, 2023.