Critical Information Infrastructure Security Protection Regulations

This document was translated jointly by Graham Webster, Paul Triolo and Rogier Creemers

CAC Notice concerning the Public Solicitation of Opinions on the “Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft)”

http://www.cac.gov.cn/2017-07/11/m_1121294220.htm

In order to guarantee the security of critical information infrastructure, based on the “Cybersecurity Law of the People’s Republic of China”, our Administration, jointly with relevant departments, has drafted the “Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft)”, which is now made public for open solicitation of opinions. Relevant work units and individuals from all circles may, before 10 August, put forward opinions through the following ways:

1, Sending opinions in a letter form to: Beijing Xicheng Chegongzhuang Avenue 11, CAC Cybersecurity Coordination Bureau, Post Code 100044, and clearly indicate “opinion solicitation” on the envelope

2, Sending an e-mail to: security@cac.gov.cn.

CAC

10 July 2017

Critical Information Infrastructure Security Protection Regulations

(Opinion-seeking draft)

Chapter 1: General principles

Article 1: In order to ensure the security of CII, on the basis of the “Cybersecurity Law of the People’s Republic of China”, these Regulations are formulated.

Article 2: These Regulations apply to the planning, construction, operation, maintenance and use of CII within the territory of the People’s Republic of China, as well as carrying out CII security protection.

Article 3: CII security protection shall uphold the principles of top-level design, overall defense and protection, comprehensive coordination, and division of work and responsibilities, fully give rein to the dominant role of operations, with vigorous participation from all sides of society, to jointly protect the security of CII.

Article 4: National sectoral controlling or supervising departments are, according to the division of work and responsibilities stipulated by the State Council, responsible for guiding and supervising CII security work in their sectors and their areas.

The national cybersecurity and informatization department is responsible for comprehensively coordinating CII security protection work and related supervision and management work. The State Council departments for public security, state security, administrative management of state secret protection, management of state encryption, etc., are, within the scope of their respective duties, responsible for related cybersecurity protection, supervision and management work.

Relevant departments of county-level or higher local People’s Governments conduct CII security protection work according to relevant national regulations.

Article 5: CII operators (hereafter simply named operators) are primarily responsible for the security of that work unit’s CII, they implement cybersecurity protection duties, accept governmental and societal supervision, and bear social responsibility.

The State encourages network operators outside of CII to voluntarily participate in the CII protection system.

Article 6: Focus protection is implemented for CII based on the multi-level protection system for cybersecurity.

Article 7: Any individual and organization has the right, when discovering activities endangering the security of CII, to report the matter to cybersecurity and informatization, telecommunications or public security departments, as well as sectoral controlling or supervising departments.

Departments receiving reports shall timely deal with them according to the law; where they do not fall under the responsibilities of the department in question, they shall be timely submitted to the department empowered to deal with them.

Relevant departments shall keep relevant information concerning the reporting person secret, and protect the lawful rights and interests of the reporting person.

Chapter 2: Support and protection

Article 8: The State adopts measures to monitor, defend against, and deal with cybersecurity risks and threats originating from inside and outside the territory of the People’s Republic of China, to protect CII from attack, intrusion, interference and destruction, and will lawfully punish unlawful and criminal cyber activities.

Article 9: The State will formulate industrial, fiscal, financial and talent policies to support the innovation of technologies, products and services related to CII security, it will popularize secure and trustworthy network products and services, foster and promote cybersecurity talents, and raise the security levels of CII.

Article 10: The State establishes and perfects a cybersecurity standards system, to use standards to guide and standardize CII security protection work.

Article 11: District or city-level or higher People’s Governments shall enter CII security protection work into the overall planning for economic and social development within their locality, expand input, and conduct work outcome assessments and evaluations.

Article 12: The State encourages government departments, operators, scientific research bodies, cybersecurity service bodies, sectoral organizations, network products and service providers to engage in CII security cooperation.

Article 13: National sectoral controlling or supervising departments shall establish or determine bodies and personnel specially responsible for CII security protection work within that sector or that area, draft and organize the implementation of cybersecurity plans within that sector or that area, and establish and complete work outlay guarantee mechanisms and supervise their implementation.

Article 14: The energy, telecommunications and transportation sectors shall provide focus protection and support in areas such as the power supply, network telecommunications, traffic and transportation concerning CII cybersecurity incident response, handling and network function recovery.

Article 15: Public security bodies and other such departments shall lawfully investigate and attack unlawful and criminal activities aimed at and using CII.

Article 16: No individual or organization may engage in the following acts harming CII:

(1) attacking, intruding into, interfering with or destroying CII;

(2) illegally obtaining, selling or providing to other persons without authorization technological data and other such information that may be specially used to harm CII security;

(3) conducting penetrative or offensive scans and surveys of CII without authorization;

(4) where they clearly know other persons are engaging in acts harming CII, and still provide them with assistance concerning Internet access, server entrustment, network storage, communication transmissions, advertising and marketing, payment, etc.;

(5) other acts and activities that harm CII.

Article 17: The State stands on an open environment in safeguarding cybersecurity, and vigorously engages in international exchange and cooperation in the area of CII protection.

Chapter 3: the scope of CII

Article 18: The network infrastructure and information systems operated or managed by the following work units, which whenever destroyed, cease functioning or leak data may gravely harm national security, the national economy, the people’s livelihood and the public interest, shall be brought into the scope of CII protection:

(1) governmental bodies and work units in sectors and areas such as energy, finance, transportation, irrigation, sanitation and healthcare, education, social security, environmental protection, public utilities, etc.;

(2) telecommunications networks, radio and television networks, the Internet and other such information networks, as well as work units providing cloud computing, big data and other such large-scale public information network services;

(3) research and production work units in sectors and areas such as national defense science and industry, large-scale equipment, chemistry, food, drugs, etc.;

(4) radio stations, television stations, news agencies and other such news work units;

(5) other focus work units.

Article 19: The national cybersecurity and informatization department will, jointly with the national telecommunications management department and public security department, formulate identification guidelines for CII.

National sectoral controlling or supervision departments will, according to the CII identification guidelines, organize the identification of CII within those sectors and those areas, and report the identification results according to procedure.

In the process of CII identification and determination, full rein shall be given to the role of relevant experts, to increase the accuracy, rationality and scientific nature of CII identification and determination.

Article 20: Where CII is newly built or ceases operation, or major changes occur in CII, operators shall timely report relevant circumstances to the national sectoral controlling or supervision department.

National sectoral controlling or supervision departments shall, based on the circumstances reported by operators, timely adjust identifications, and report the adjusted matters according to procedure.

Chapter 4: Operators’ security protection

Article 21: When CII is constructed, it shall be ensured that it possesses functions to support its business stability and sustained operation, and guaranteed that security technology measures are planned, constructed and used simultaneously.

Article 22: Operators’ main responsible persons are the first responsible person for CII security protection within a work unit, they are responsible for the establishment and completion of cybersecurity responsibility systems and the organization of their implementation, and they are completely responsible for CII security protection work within their work units.

Article 23: Operators shall, according to the requirements of the multi-level cybersecurity protection system, carry out the following security protection duties, ensure that CII is not interfered with, destroyed or accessed without authorization, and prevent that network data leaks or is stolen or altered:

(1) formulating internal security management structures and operational rules, and straiten identity authentication and management of [individual] powers;

(2) adopting technological measures to prevent computer viruses and cyber attacks, cyber intrusions and other such acts harming cybersecurity;

(3) adopting technological measures to survey and record network operation states and cybersecurity incidents, and preserve relevant network diaries according to regulations, for a period of not less than 6 months;

(4) adopting data categorization, important data back-up, encryption and authorization measures.

Article 24: Apart from Article 23 of these Regulations, operators shall also carry out the following security protection duties according to the provisions of national laws and regulations, and the mandatory requirement of relevant national standards:

(1) setting up specialized cybersecurity management bodies and cybersecurity management responsible personnel, and conducting security background checks of said responsible persons and personnel in critical positions;

(2) regularly conducting cybersecurity education, technical training and skills assessment for employees,

(3) creating disaster-proof back-ups of important systems and databases, and timely adopting remedial measures against system leaks and other such security risks;

(4) formulating cybersecurity incident emergency response plans and regularly conducting exercises;

(5) other duties as determined in laws and administrative regulations.

Article 25: Operators’ cybersecurity management responsible persons shall carry out the following duties:

(1) organizing the formulation of cybersecurity rules and structures, as well as operating rules, and supervising their implementation;

(2) organizing skills assessment of personnel in critical positions;

(3) organizing the formulation and implementation of cybersecurity education and training plans for their work units;

(4) organizing cybersecurity inspections and emergency response exercises, and responding to and dealing with cybersecurity incidents;

(5) reporting important cybersecurity matters and incidents to relevant State departments according to regulations.

Article 26: Operators implement a qualification-based appointment system for specialist technical personnel in critical cybersecurity positions.

Concrete regulations for qualification-based appointments are formulated by the State Council department for human resources and social security together with departments such as the national cybersecurity and informatization department.

Article 27: Operators shall organize cybersecurity education and training for employees, the education and training time per person per year shall not be less than one working day, for specialist technical personnel in critical positions, the education and training time per person per year shall not be less than three working days.

Article 28: Operators shall establish and complete CII security monitoring and assessment structures, before CII goes online and starts operating, or when major changes occur, security monitoring and assessment shall be carried out.

Operators shall conduct monitoring and assessment of the security and risks and hidden dangers that may exist once annually themselves, or entrust a cybersecurity service body to do so, discovered problems shall be timely corrected, and the relevant circumstances shall be reported to the national sectoral controlling or supervisory department.

Article 29: Operators shall store personal data and important data collected and produced through operations within the territory of the People’s Republic of China within the territory. Where it is actually required to provide them abroad for business reasons, the matter shall be assessed according to the assessment rules for the export of personal information and important data; where laws or administrative regulations provide otherwise, those provisions are followed.

Chapter 5: Security of Products and Services

 

Article 30: Critical network infrastructure and cybersecurity products purchased or used by providers shall conform to the mandatory requirements of law, rules of administrative regulations, and relevant national standards.

 

Article 31: Network products and services, purchased by operators, that may influence national security shall undergo cybersecurity review according to the requirements of the “Security Review Measures for Network Products and Services” and sign a security protection agreement with the provider.

 

Article 32: Before bringing online and into use outsourced systems or software or donated network products, Operators shall carry out security examination.

 

Article 33: If Operators discover risks such as security flaws, leaks, etc., in network products or services they use, they shall promptly take measures to eliminate risks and, if the risk is major, shall report to relevant departments according to rules.

 

Article 34: Operation and maintenance of CII shall be implemented in mainland China. If business requirements truly require remote maintenance from outside mainland China, the national sectoral controlling or supervising department and the State Council public security department shall be informed in advance.

 

Article 35: In developing security examination and evaluation regarding threat information concerning CII and publishing system vulnerabilities, computer viruses, network attacks, etc., organizations providing cloud computing, IT outsourcing, and other such, services shall follow relevant requirements.

 

Specific requirements shall be jointly developed by the national cybersecurity and informatization department and relevant departments of the State Council.

 

Chapter 6:  Monitoring Early Warning, Emergency Response, and Evaluation

 

Article 36: The national cybersecurity and informatization departments shall establish the overall CII cybersecurity monitoring and early warning system and information notification system; organize and guide relevant organizations to develop cybersecurity information gathering, analysis, and notification work; and according to rules publish unified cybersecurity monitoring and early warning information.

 

Article 37: National sectoral controlling or supervising departments shall establish and perfect their respective sector or field’s CII cybersecurity monitoring and early warning and information notification system, promptly grasp their respective sector or field’s CII operational situation and security risks, and notify relevant operators of risks and related work information.

 

National sectoral controlling or supervising departments shall organize determinations on security monitoring information, and if it is necessary to take immediate responsive measures, they shall promptly notify relevant operators of early warning information and advice on emergency response measures, as well as reporting to relevant departments according to national cybersecurity incident emergency response requirements.

 

Article 38: National cybersecurity and informatization departments coordinate overall the relevant departments and operators and relevant research organizations, cybersecurity service organizations to establish a CII cybersecurity information sharing system and promote cybersecurity information sharing.

 

Article 39: National cybersecurity and informatization departments, according to national cybersecurity incident emergency response plan requirements, overall plan to set up and perfect a CII cybersecurity emergency response coordination system, strengthen cybersecurity emergency response capacity, guide and coordinate relevant departments to organize cross-sectoral and cross-regional cybersecurity emergency response drills.

 

National sectoral controlling or supervising departments shall organize and establish their respective sector or area’s cybersecurity incident emergency response plan, periodically organize drills, and improve cybersecurity incident response and disaster recovery capacity.  After a major cybersecurity incident occurs or on receiving cybersecurity and informatization departments’ early warning information, emergency response plans implementation shall begin promptly and relevant status shall be promptly reported.

 

Article 40: National sectoral controlling or supervising departments shall, in their respective sector or area, periodically check and evaluate CII security risks and operators’ performance of security protection obligations, propose improvement measures, guide and supervise operators’ prompt rectification and reform of issues discovered during evaluation.

 

National cybersecurity and informatization departments overall coordinate checking and evaluation work of relevant departments in order to avoid overlapping evaluation.

 

Article 41: The relevant departments shall organize the assessment and evaluation of critical information infrastructure security, and shall adhere to the principles of objectivity, impartiality, and transparency, adopt scientific methods of testing and evaluation, standardize the inspection and evaluation process and control the risks of testing and evaluation.

 

The implementation of the assessments and rectification of the problems found should be carried out in a timely manner by the operators and relevant departments.

 

Article 42: Where the relevant departments organize the assessment of critical information infrastructure security, the following measures may be taken:

 

(A) requiring the relevant personnel of the operator to make statements on the examination and evaluation;

(B) having access to, doing retrieval and reproduction, and security protection of the relevant documents, and records;

(C) observing the cybersecurity management system development, implementation and planning, construction, and operation of cybersecurity technical measures;

(D) using testing tools or entrusting cybersecurity service organizations to do technical testing;

(E) other necessary means agreed to by the operator.

 

Article 43: The information obtained by the relevant departments and network security service organizations in the assessment of critical information infrastructure security inspection and evaluation can only be used for the maintenance of cybersecurity, and shall not be used for other purposes.

 

Article 44: The relevant departments shall organize the assessment of the security of critical information infrastructure, and shall not charge the units to be tested, and shall not require the persons to be tested and evaluated to purchase a designated brand or products and services of designated production and sales units.

 

Chapter 7 Legal Liability

 

Article 45: Where an operator fails to perform the provisions of Article 20, Paragraph 1, Article 21, Article 23, Article 24, Article 26, Article 27, Article 2 18, Article 30, Article 32, Article 33, or Article 34 of the network security protection obligations, it shall be given a warning by the relevant authorities in accordance with their duties and be ordered to correct this situation; if the operator refuses to correct the situation or it results in harm to the network and other consequences, there shall be a fine of more than 100,000 Yuan but less than one million Yuan, and the person in charge directly responsible shall receive a fine of more than 10,000 Yuan and less than 100,000 Yuan.

 

Article 46: Where an operator violates the provisions of Article 29 of these Regulations, he or she shall, in accordance with his/her duties, make corrections, and given a warning, and illegal income will be confiscated. The operator shall be ordered to suspend the relevant business, suspend the business for rectification, close websites, and relevant business licenses shall be revoked; the person in charge and directly responsible and other directly responsible persons shall be fined between 10,000-100,000 Yuan.

 

Article 47: Where an operator violates the provisions of Article 31 of these Regulations, and uses a network product or service that has not gone through a security examination or security assessment, he shall be ordered by the relevant competent national departments to cease using the product or service, and the fine shall be ten times the purchase price; the person in charge directly responsible and other directly responsible persons shall be fined between 10,000-100,000 Yuan.

 

Article 48: Where an individual violates the provisions of Article 16 of these Regulations and but this does not constitute a crime, public security organs shall confiscate the illegal gains and the individual shall be detained for less than five days and public security organs may impose a fine of not less than 50,000 Yuan but not more than 500,000 Yuan; a fine shall be imposed of not less than 100,000 Yuan but not more than one million Yuan; if the case constitutes a crime, criminal responsibility shall be investigated according to law.

 

Where a unit engages in any of the actions mentioned in the preceding paragraph, public security organs shall confiscate the illegal gains and impose a fine of not less than 100,000 Yuan but not more than one million Yuan and impose penalties on the directly responsible person in charge and other directly responsible persons in accordance with the provisions of the preceding paragraph.

 

Where individuals are in violation of the provisions of Article 16 of these Regulations, personnel who are subject to criminal punishment shall face a lifetime ban on working in critical information infrastructure security management and network operations key positions.

 

Article 49: Where an operator of critical information infrastructure of a state organ fails to perform the obligations for network security protection provided for in these Regulations, a superior organ or the relevant organs shall order it to make corrections, and the directly responsible person in charge and other directly responsible persons shall be punished according to law.

 

Article 50: Where any of the following departments and their staff members commits any of the following acts, the directly responsible person in charge and other directly responsible persons shall be punished according to law; if a crime is constituted, criminal responsibility shall be investigated according to law:

 

(A) in the course of work, using authority to obtain or accept bribes;

(B) neglect of duty, abuse of authority;

(C) unauthorized disclosure of information or data files of key information infrastructure;

(D) other acts that violate statutory duties.

 

Article 51: Where a major cyber security incident occurs within critical information infrastructure, the responsibility for the investigation shall be identified, and the responsibility of the relevant network security service organization and relevant departments shall be identified, as well as the responsibility of the operating unit and the investigation of the operating unit. For dereliction of duty and other violations, those individuals shall be held accountable.

 

Article 52: Where an organization, organization or individual engages in an attack, intrusion, interference or destruction of critical information infrastructure that is harmful to the People’s Republic of China, and causes serious consequences, they shall be investigated for legal responsibility according to law; the public security departments of the State Council, the state security organs and relevant departments may decide to impose measures such as freezing property or other necessary sanctions on the institution, organization or individual.

 

Chapter 8: Supplementary Provisions

 

Article 53: The storage and handling of the security protection of critical information infrastructure involving state secret information shall also comply with the provisions of confidentiality laws and administrative regulations.

 

Critical information infrastructure in terms of the use and management of encryption, should also comply with the provisions of the encryption laws and administrative regulations.

 

Article 54: The security protection of military key information infrastructures shall be separately regulared by the Central Military Commission.

 

Article 55: These Regulations shall enter into force on (date, month, year)

国家互联网信息办公室关于《关键信息基础设施安全保护条例（征求意见稿）》公开征求意见的通知
为保障关键信息基础设施安全，根据《中华人民共和国网络安全法》，我办会同相关部门起草了《关键信息基础设施安全保护条例（征求意见稿）》，现向社会公开征求意见。有关单位和各界人士可以在2017年8月10日前，通过以下方式提出意见：
一、通过信函方式将意见寄至：北京市西城区车公庄大街11号国家互联网信息办公室网络安全协调局，邮编100044，并在信封上注明“征求意见”。
二、通过电子邮件方式发送至：security@cac.gov.cn。

附件：关键信息基础设施安全保护条例（征求意见稿）

国家互联网信息办公室
2017年7月10日

关键信息基础设施安全保护条例
(征求意见稿）

第一章 总则
第一条 为了保障关键信息基础设施安全，根据《中华人民共和国网络安全法》，制定本条例。
第二条 在中华人民共和国境内规划、建设、运营、维护、使用关键信息基础设施，以及开展关键信息基础设施的安全保护，适用本条例。
第三条 关键信息基础设施安全保护坚持顶层设计、整体防护，统筹协调、分工负责的原则，充分发挥运营主体作用，社会各方积极参与，共同保护关键信息基础设施安全。
第四条 国家行业主管或监管部门按照国务院规定的职责分工，负责指导和监督本行业、本领域的关键信息基础设施安全保护工作。
国家网信部门负责统筹协调关键信息基础设施安全保护工作和相关监督管理工作。国务院公安、国家安全、国家保密行政管理、国家密码管理等部门在各自职责范围内负责相关网络安全保护和监督管理工作。
县级以上地方人民政府有关部门按照国家有关规定开展关键信息基础设施安全保护工作。
第五条 关键信息基础设施的运营者（以下称运营者）对本单位关键信息基础设施安全负主体责任，履行网络安全保护义务，接受政府和社会监督，承担社会责任。
国家鼓励关键信息基础设施以外的网络运营者自愿参与关键信息基础设施保护体系。
第六条 关键信息基础设施在网络安全等级保护制度基础上，实行重点保护。
第七条 任何个人和组织发现危害关键信息基础设施安全的行为，有权向网信、电信、公安等部门以及行业主管或监管部门举报。
收到举报的部门应当及时依法作出处理；不属于本部门职责的，应当及时移送有权处理的部门。
有关部门应当对举报人的相关信息予以保密，保护举报人的合法权益。

第二章 支持与保障
第八条 国家采取措施，监测、防御、处置来源于中华人民共和国境内外的网络安全风险和威胁，保护关键信息基础设施免受攻击、侵入、干扰和破坏，依法惩治网络违法犯罪活动。
第九条 国家制定产业、财税、金融、人才等政策，支持关键信息基础设施安全相关的技术、产品、服务创新，推广安全可信的网络产品和服务，培养和选拔网络安全人才，提高关键信息基础设施的安全水平。
第十条 国家建立和完善网络安全标准体系，利用标准指导、规范关键信息基础设施安全保护工作。
第十一条 地市级以上人民政府应当将关键信息基础设施安全保护工作纳入地区经济社会发展总体规划，加大投入，开展工作绩效考核评价。
第十二条 国家鼓励政府部门、运营者、科研机构、网络安全服务机构、行业组织、网络产品和服务提供者开展关键信息基础设施安全合作。
第十三条 国家行业主管或监管部门应当设立或明确专门负责本行业、本领域关键信息基础设施安全保护工作的机构和人员，编制并组织实施本行业、本领域的网络安全规划，建立健全工作经费保障机制并督促落实。
第十四条 能源、电信、交通等行业应当为关键信息基础设施网络安全事件应急处置与网络功能恢复提供电力供应、网络通信、交通运输等方面的重点保障和支持。
第十五条 公安机关等部门依法侦查打击针对和利用关键信息基础设施实施的违法犯罪活动。
第十六条 任何个人和组织不得从事下列危害关键信息基础设施的活动和行为：
（一）攻击、侵入、干扰、破坏关键信息基础设施；
（二）非法获取、出售或者未经授权向他人提供可能被专门用于危害关键信息基础设施安全的技术资料等信息；
（三）未经授权对关键信息基础设施开展渗透性、攻击性扫描探测；
（四）明知他人从事危害关键信息基础设施安全的活动，仍然为其提供互联网接入、服务器托管、网络存储、通讯传输、广告推广、支付结算等帮助；
（五）其他危害关键信息基础设施的活动和行为。
第十七条 国家立足开放环境维护网络安全，积极开展关键信息基础设施安全领域的国际交流与合作。

第三章 关键信息基础设施范围
第十八条 下列单位运行、管理的网络设施和信息系统，一旦遭到破坏、丧失功能或者数据泄露，可能严重危害国家安全、国计民生、公共利益的，应当纳入关键信息基础设施保护范围：
（一）政府机关和能源、金融、交通、水利、卫生医疗、教育、社保、环境保护、公用事业等行业领域的单位；
（二）电信网、广播电视网、互联网等信息网络，以及提供云计算、大数据和其他大型公共信息网络服务的单位；
（三）国防科工、大型装备、化工、食品药品等行业领域科研生产单位；
（四）广播电台、电视台、通讯社等新闻单位；
（五）其他重点单位。
第十九条 国家网信部门会同国务院电信主管部门、公安部门等部门制定关键信息基础设施识别指南。
国家行业主管或监管部门按照关键信息基础设施识别指南，组织识别本行业、本领域的关键信息基础设施，并按程序报送识别结果。
关键信息基础设施识别认定过程中，应当充分发挥有关专家作用，提高关键信息基础设施识别认定的准确性、合理性和科学性。
第二十条 新建、停运关键信息基础设施，或关键信息基础设施发生重大变化的，运营者应当及时将相关情况报告国家行业主管或监管部门。
国家行业主管或监管部门应当根据运营者报告的情况及时进行识别调整，并按程序报送调整情况。

第四章 运营者安全保护
第二十一条 建设关键信息基础设施应当确保其具有支持业务稳定、持续运行的性能，并保证安全技术措施同步规划、同步建设、同步使用。
第二十二条 运营者主要负责人是本单位关键信息基础设施安全保护工作第一责任人，负责建立健全网络安全责任制并组织落实，对本单位关键信息基础设施安全保护工作全面负责。
第二十三条 运营者应当按照网络安全等级保护制度的要求，履行下列安全保护义务，保障关键信息基础设施免受干扰、破坏或者未经授权的访问，防止网络数据泄漏或者被窃取、篡改：
（一）制定内部安全管理制度和操作规程，严格身份认证和权限管理；
（二）采取技术措施，防范计算机病毒和网络攻击、网络侵入等危害网络安全行为；
（三）采取技术措施，监测、记录网络运行状态、网络安全事件，并按照规定留存相关的网络日志不少于六个月；
（四）采取数据分类、重要数据备份和加密认证等措施。
第二十四条 除本条例第二十三条外，运营者还应当按照国家法律法规的规定和相关国家标准的强制性要求，履行下列安全保护义务：
（一）设置专门网络安全管理机构和网络安全管理负责人，并对该负责人和关键岗位人员进行安全背景审查；
（二）定期对从业人员进行网络安全教育、技术培训和技能考核；
（三）对重要系统和数据库进行容灾备份，及时对系统漏洞等安全风险采取补救措施；
（四）制定网络安全事件应急预案并定期进行演练；
（五）法律、行政法规规定的其他义务。
第二十五条 运营者网络安全管理负责人履行下列职责：
（一） 组织制定网络安全规章制度、操作规程并监督执行；
（二）组织对关键岗位人员的技能考核；
（三）组织制定并实施本单位网络安全教育和培训计划；
（四）组织开展网络安全检查和应急演练，应对处置网络安全事件；
（五）按规定向国家有关部门报告网络安全重要事项、事件。
第二十六条 运营者网络安全关键岗位专业技术人员实行执证上岗制度。
执证上岗具体规定由国务院人力资源社会保障部门会同国家网信部门等部门制定。
第二十七条 运营者应当组织从业人员网络安全教育培训，每人每年教育培训时长不得少于1个工作日，关键岗位专业技术人员每人每年教育培训时长不得少于3个工作日。
第二十八条 运营者应当建立健全关键信息基础设施安全检测评估制度，关键信息基础设施上线运行前或者发生重大变化时应当进行安全检测评估。
运营者应当自行或委托网络安全服务机构对关键信息基础设施的安全性和可能存在的风险隐患每年至少进行一次检测评估，对发现的问题及时进行整改，并将有关情况报国家行业主管或监管部门。
第二十九条 运营者在中华人民共和国境内运营中收集和产生的个人信息和重要数据应当在境内存储。因业务需要，确需向境外提供的，应当按照个人信息和重要数据出境安全评估办法进行评估；法律、行政法规另有规定的，依照其规定。

第五章 产品和服务安全
第三十条 运营者采购、使用的网络关键设备、网络安全专用产品，应当符合法律、行政法规的规定和相关国家标准的强制性要求。
第三十一条 运营者采购网络产品和服务，可能影响国家安全的，应当按照网络产品和服务安全审查办法的要求，通过网络安全审查，并与提供者签订安全保密协议。
第三十二条 运营者应当对外包开发的系统、软件，接受捐赠的网络产品，在其上线应用前进行安全检测。
第三十三条 运营者发现使用的网络产品、服务存在安全缺陷、漏洞等风险的，应当及时采取措施消除风险隐患，涉及重大风险的应当按规定向有关部门报告。
第三十四条 关键信息基础设施的运行维护应当在境内实施。因业务需要，确需进行境外远程维护的，应事先报国家行业主管或监管部门和国务院公安部门。
第三十五条 面向关键信息基础设施开展安全检测评估，发布系统漏洞、计算机病毒、网络攻击等安全威胁信息，提供云计算、信息技术外包等服务的机构，应当符合有关要求。
具体要求由国家网信部门会同国务院有关部门制定。

第六章 监测预警、应急处置和检测评估
第三十六条 国家网信部门统筹建立关键信息基础设施网络安全监测预警体系和信息通报制度，组织指导有关机构开展网络安全信息汇总、分析研判和通报工作，按照规定统一发布网络安全监测预警信息。
第三十七条 国家行业主管或监管部门应当建立健全本行业、本领域的关键信息基础设施网络安全监测预警和信息通报制度，及时掌握本行业、本领域关键信息基础设施运行状况和安全风险，向有关运营者通报安全风险和相关工作信息。
国家行业主管或监管部门应当组织对安全监测信息进行研判，认为需要立即采取防范应对措施的，应当及时向有关运营者发布预警信息和应急防范措施建议，并按照国家网络安全事件应急预案的要求向有关部门报告。
第三十八条 国家网信部门统筹协调有关部门、运营者以及有关研究机构、网络安全服务机构建立关键信息基础设施网络安全信息共享机制，促进网络安全信息共享。
第三十九条 国家网信部门按照国家网络安全事件应急预案的要求，统筹有关部门建立健全关键信息基础设施网络安全应急协作机制，加强网络安全应急力量建设，指导协调有关部门组织跨行业、跨地域网络安全应急演练。
国家行业主管或监管部门应当组织制定本行业、本领域的网络安全事件应急预案，并定期组织演练，提升网络安全事件应对和灾难恢复能力。发生重大网络安全事件或接到网信部门的预警信息后，应立即启动应急预案组织应对，并及时报告有关情况。
第四十条 国家行业主管或监管部门应当定期组织对本行业、本领域关键信息基础设施的安全风险以及运营者履行安全保护义务的情况进行抽查检测，提出改进措施，指导、督促运营者及时整改检测评估中发现的问题。
国家网信部门统筹协调有关部门开展的抽查检测工作，避免交叉重复检测评估。
第四十一条 有关部门组织开展关键信息基础设施安全检测评估，应坚持客观公正、高效透明的原则，采取科学的检测评估方法，规范检测评估流程，控制检测评估风险。
运营者应当对有关部门依法实施的检测评估予以配合，对检测评估发现的问题及时进行整改。
第四十二条 有关部门组织开展关键信息基础设施安全检测评估，可采取下列措施：
（一）要求运营者相关人员就检测评估事项作出说明；
（二）查阅、调取、复制与安全保护有关的文档、记录；
（三）查看网络安全管理制度制订、落实情况以及网络安全技术措施规划、建设、运行情况；
（四）利用检测工具或委托网络安全服务机构进行技术检测；
（五）经运营者同意的其他必要方式。
第四十三条 有关部门以及网络安全服务机构在关键信息基础设施安全检测评估中获取的信息，只能用于维护网络安全的需要，不得用于其他用途。
第四十四条 有关部门组织开展关键信息基础设施安全检测评估，不得向被检测评估单位收取费用，不得要求被检测评估单位购买指定品牌或者指定生产、销售单位的产品和服务。

第七章 法律责任
第四十五条 运营者不履行本条例第二十条第一款、第二十一条、第二十三条、第二十四条、第二十六条、第二十七条、第二十八条、第三十条、第三十二条、第三十三条、第三十四条规定的网络安全保护义务的，由有关主管部门依据职责责令改正，给予警告；拒不改正或者导致危害网络安全等后果的，处十万元以上一百万元以下罚款，对直接负责的主管人员处一万元以上十万元以下罚款。
第四十六条 运营者违反本条例第二十九条规定，在境外存储网络数据，或者向境外提供网络数据的，由国家有关主管部门依据职责责令改正，给予警告，没收违法所得，处五万元以上五十万元以下罚款，并可以责令暂停相关业务、停业整顿、关闭网站、吊销相关业务许可证；对直接负责的主管人员和其他直接责任人员处一万元以上十万元以下罚款。
第四十七条 运营者违反本条例第三十一条规定，使用未经安全审查或安全审查未通过的网络产品或者服务的，由国家有关主管部门依据职责责令停止使用，处采购金额一倍以上十倍以下罚款；对直接负责的主管人员和其他直接责任人员处一万元以上十万元以下罚款。
第四十八条 个人违反本条例第十六条规定，尚不构成犯罪的，由公安机关没收违法所得，处五日以下拘留，可以并处五万元以上五十万元以下罚款；情节较重的，处五日以上十五日以下拘留，可以并处十万元以上一百万元以下罚款；构成犯罪的，依法追究刑事责任。
单位有前款行为的，由公安机关没收违法所得，处十万元以上一百万元以下罚款，并对直接负责的主管人员和其他直接责任人员依照前款规定处罚。
违反本条例第十六条规定，受到刑事处罚的人员，终身不得从事关键信息基础设施安全管理和网络运营关键岗位的工作。
第四十九条 国家机关关键信息基础设施的运营者不履行本条例规定的网络安全保护义务的，由其上级机关或者有关机关责令改正；对直接负责的主管人员和其他直接负责人员依法给予处分。
第五十条 有关部门及其工作人员有下列行为之一的，对直接负责的主管人员和其他直接责任人员依法给予处分；构成犯罪的，依法追究刑事责任：
（一）在工作中利用职权索取、收受贿赂；
（二）玩忽职守、滥用职权；
（三）擅自泄露关键信息基础设施有关信息、资料及数据文件；
（四）其他违反法定职责的行为。
第五十一条 关键信息基础设施发生重大网络安全事件，经调查确定为责任事故的，除应当查明运营单位责任并依法予以追究外，还应查明相关网络安全服务机构及有关部门的责任，对有失职、渎职及其他违法行为的，依法追究责任。
第五十二条 境外的机构、组织、个人从事攻击、侵入、干扰、破坏等危害中华人民共和国的关键信息基础设施的活动，造成严重后果的，依法追究法律责任；国务院公安部门、国家安全机关和有关部门并可以决定对该机构、组织、个人采取冻结财产或者其他必要的制裁措施。

第八章 附则
第五十三条 存储、处理涉及国家秘密信息的关键信息基础设施的安全保护，还应当遵守保密法律、行政法规的规定。
关键信息基础设施中的密码使用和管理，还应当遵守密码法律、行政法规的规定。
第五十四条 军事关键信息基础设施的安全保护，由中央军事委员会另行规定。
第五十五条 本条例自****年**月**日起施行。