This document was translated jointly by Graham Webster, Paul Triolo and Rogier Creemers
CAC Notice concerning the Public Solicitation of Opinions on the “Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft)”
In order to guarantee the security of critical information infrastructure, based on the “Cybersecurity Law of the People’s Republic of China”, our Administration, jointly with relevant departments, has drafted the “Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft)”, which is now made public for open solicitation of opinions. Relevant work units and individuals from all circles may, before 10 August, put forward opinions through the following ways:
1, Sending opinions in a letter form to: Beijing Xicheng Chegongzhuang Avenue 11, CAC Cybersecurity Coordination Bureau, Post Code 100044, and clearly indicate “opinion solicitation” on the envelope
2, Sending an e-mail to: email@example.com.
10 July 2017
Critical Information Infrastructure Security Protection Regulations
Chapter 1: General principles
Article 1: In order to ensure the security of CII, on the basis of the “Cybersecurity Law of the People’s Republic of China”, these Regulations are formulated.
Article 2: These Regulations apply to the planning, construction, operation, maintenance and use of CII within the territory of the People’s Republic of China, as well as carrying out CII security protection.
Article 3: CII security protection shall uphold the principles of top-level design, overall defense and protection, comprehensive coordination, and division of work and responsibilities, fully give rein to the dominant role of operations, with vigorous participation from all sides of society, to jointly protect the security of CII.
Article 4: National sectoral controlling or supervising departments are, according to the division of work and responsibilities stipulated by the State Council, responsible for guiding and supervising CII security work in their sectors and their areas.
The national cybersecurity and informatization department is responsible for comprehensively coordinating CII security protection work and related supervision and management work. The State Council departments for public security, state security, administrative management of state secret protection, management of state encryption, etc., are, within the scope of their respective duties, responsible for related cybersecurity protection, supervision and management work.
Relevant departments of county-level or higher local People’s Governments conduct CII security protection work according to relevant national regulations.
Article 5: CII operators (hereafter simply named operators) are primarily responsible for the security of that work unit’s CII, they implement cybersecurity protection duties, accept governmental and societal supervision, and bear social responsibility.
The State encourages network operators outside of CII to voluntarily participate in the CII protection system.
Article 6: Focus protection is implemented for CII based on the multi-level protection system for cybersecurity.
Article 7: Any individual and organization has the right, when discovering activities endangering the security of CII, to report the matter to cybersecurity and informatization, telecommunications or public security departments, as well as sectoral controlling or supervising departments.
Departments receiving reports shall timely deal with them according to the law; where they do not fall under the responsibilities of the department in question, they shall be timely submitted to the department empowered to deal with them.
Relevant departments shall keep relevant information concerning the reporting person secret, and protect the lawful rights and interests of the reporting person.
Chapter 2: Support and protection
Article 8: The State adopts measures to monitor, defend against, and deal with cybersecurity risks and threats originating from inside and outside the territory of the People’s Republic of China, to protect CII from attack, intrusion, interference and destruction, and will lawfully punish unlawful and criminal cyber activities.
Article 9: The State will formulate industrial, fiscal, financial and talent policies to support the innovation of technologies, products and services related to CII security, it will popularize secure and trustworthy network products and services, foster and promote cybersecurity talents, and raise the security levels of CII.
Article 10: The State establishes and perfects a cybersecurity standards system, to use standards to guide and standardize CII security protection work.
Article 11: District or city-level or higher People’s Governments shall enter CII security protection work into the overall planning for economic and social development within their locality, expand input, and conduct work outcome assessments and evaluations.
Article 12: The State encourages government departments, operators, scientific research bodies, cybersecurity service bodies, sectoral organizations, network products and service providers to engage in CII security cooperation.
Article 13: National sectoral controlling or supervising departments shall establish or determine bodies and personnel specially responsible for CII security protection work within that sector or that area, draft and organize the implementation of cybersecurity plans within that sector or that area, and establish and complete work outlay guarantee mechanisms and supervise their implementation.
Article 14: The energy, telecommunications and transportation sectors shall provide focus protection and support in areas such as the power supply, network telecommunications, traffic and transportation concerning CII cybersecurity incident response, handling and network function recovery.
Article 15: Public security bodies and other such departments shall lawfully investigate and attack unlawful and criminal activities aimed at and using CII.
Article 16: No individual or organization may engage in the following acts harming CII:
(1) attacking, intruding into, interfering with or destroying CII;
(2) illegally obtaining, selling or providing to other persons without authorization technological data and other such information that may be specially used to harm CII security;
(3) conducting penetrative or offensive scans and surveys of CII without authorization;
(4) where they clearly know other persons are engaging in acts harming CII, and still provide them with assistance concerning Internet access, server entrustment, network storage, communication transmissions, advertising and marketing, payment, etc.;
(5) other acts and activities that harm CII.
Article 17: The State stands on an open environment in safeguarding cybersecurity, and vigorously engages in international exchange and cooperation in the area of CII protection.
Chapter 3: the scope of CII
Article 18: The network infrastructure and information systems operated or managed by the following work units, which whenever destroyed, cease functioning or leak data may gravely harm national security, the national economy, the people’s livelihood and the public interest, shall be brought into the scope of CII protection:
(1) governmental bodies and work units in sectors and areas such as energy, finance, transportation, irrigation, sanitation and healthcare, education, social security, environmental protection, public utilities, etc.;
(2) telecommunications networks, radio and television networks, the Internet and other such information networks, as well as work units providing cloud computing, big data and other such large-scale public information network services;
(3) research and production work units in sectors and areas such as national defense science and industry, large-scale equipment, chemistry, food, drugs, etc.;
(4) radio stations, television stations, news agencies and other such news work units;
(5) other focus work units.
Article 19: The national cybersecurity and informatization department will, jointly with the national telecommunications management department and public security department, formulate identification guidelines for CII.
National sectoral controlling or supervision departments will, according to the CII identification guidelines, organize the identification of CII within those sectors and those areas, and report the identification results according to procedure.
In the process of CII identification and determination, full rein shall be given to the role of relevant experts, to increase the accuracy, rationality and scientific nature of CII identification and determination.
Article 20: Where CII is newly built or ceases operation, or major changes occur in CII, operators shall timely report relevant circumstances to the national sectoral controlling or supervision department.
National sectoral controlling or supervision departments shall, based on the circumstances reported by operators, timely adjust identifications, and report the adjusted matters according to procedure.
Chapter 4: Operators’ security protection
Article 21: When CII is constructed, it shall be ensured that it possesses functions to support its business stability and sustained operation, and guaranteed that security technology measures are planned, constructed and used simultaneously.
Article 22: Operators’ main responsible persons are the first responsible person for CII security protection within a work unit, they are responsible for the establishment and completion of cybersecurity responsibility systems and the organization of their implementation, and they are completely responsible for CII security protection work within their work units.
Article 23: Operators shall, according to the requirements of the multi-level cybersecurity protection system, carry out the following security protection duties, ensure that CII is not interfered with, destroyed or accessed without authorization, and prevent that network data leaks or is stolen or altered:
(1) formulating internal security management structures and operational rules, and straiten identity authentication and management of [individual] powers;
(2) adopting technological measures to prevent computer viruses and cyber attacks, cyber intrusions and other such acts harming cybersecurity;
(3) adopting technological measures to survey and record network operation states and cybersecurity incidents, and preserve relevant network diaries according to regulations, for a period of not less than 6 months;
(4) adopting data categorization, important data back-up, encryption and authorization measures.
Article 24: Apart from Article 23 of these Regulations, operators shall also carry out the following security protection duties according to the provisions of national laws and regulations, and the mandatory requirement of relevant national standards:
(1) setting up specialized cybersecurity management bodies and cybersecurity management responsible personnel, and conducting security background checks of said responsible persons and personnel in critical positions;
(2) regularly conducting cybersecurity education, technical training and skills assessment for employees,
(3) creating disaster-proof back-ups of important systems and databases, and timely adopting remedial measures against system leaks and other such security risks;
(4) formulating cybersecurity incident emergency response plans and regularly conducting exercises;
(5) other duties as determined in laws and administrative regulations.
Article 25: Operators’ cybersecurity management responsible persons shall carry out the following duties:
(1) organizing the formulation of cybersecurity rules and structures, as well as operating rules, and supervising their implementation;
(2) organizing skills assessment of personnel in critical positions;
(3) organizing the formulation and implementation of cybersecurity education and training plans for their work units;
(4) organizing cybersecurity inspections and emergency response exercises, and responding to and dealing with cybersecurity incidents;
(5) reporting important cybersecurity matters and incidents to relevant State departments according to regulations.
Article 26: Operators implement a qualification-based appointment system for specialist technical personnel in critical cybersecurity positions.
Concrete regulations for qualification-based appointments are formulated by the State Council department for human resources and social security together with departments such as the national cybersecurity and informatization department.
Article 27: Operators shall organize cybersecurity education and training for employees, the education and training time per person per year shall not be less than one working day, for specialist technical personnel in critical positions, the education and training time per person per year shall not be less than three working days.
Article 28: Operators shall establish and complete CII security monitoring and assessment structures, before CII goes online and starts operating, or when major changes occur, security monitoring and assessment shall be carried out.
Operators shall conduct monitoring and assessment of the security and risks and hidden dangers that may exist once annually themselves, or entrust a cybersecurity service body to do so, discovered problems shall be timely corrected, and the relevant circumstances shall be reported to the national sectoral controlling or supervisory department.
Article 29: Operators shall store personal data and important data collected and produced through operations within the territory of the People’s Republic of China within the territory. Where it is actually required to provide them abroad for business reasons, the matter shall be assessed according to the assessment rules for the export of personal information and important data; where laws or administrative regulations provide otherwise, those provisions are followed.
Chapter 5: Security of Products and Services
Article 30: Critical network infrastructure and cybersecurity products purchased or used by providers shall conform to the mandatory requirements of law, rules of administrative regulations, and relevant national standards.
Article 31: Network products and services, purchased by operators, that may influence national security shall undergo cybersecurity review according to the requirements of the “Security Review Measures for Network Products and Services” and sign a security protection agreement with the provider.
Article 32: Before bringing online and into use outsourced systems or software or donated network products, Operators shall carry out security examination.
Article 33: If Operators discover risks such as security flaws, leaks, etc., in network products or services they use, they shall promptly take measures to eliminate risks and, if the risk is major, shall report to relevant departments according to rules.
Article 34: Operation and maintenance of CII shall be implemented in mainland China. If business requirements truly require remote maintenance from outside mainland China, the national sectoral controlling or supervising department and the State Council public security department shall be informed in advance.
Article 35: In developing security examination and evaluation regarding threat information concerning CII and publishing system vulnerabilities, computer viruses, network attacks, etc., organizations providing cloud computing, IT outsourcing, and other such, services shall follow relevant requirements.
Specific requirements shall be jointly developed by the national cybersecurity and informatization department and relevant departments of the State Council.
Chapter 6: Monitoring Early Warning, Emergency Response, and Evaluation
Article 36: The national cybersecurity and informatization departments shall establish the overall CII cybersecurity monitoring and early warning system and information notification system; organize and guide relevant organizations to develop cybersecurity information gathering, analysis, and notification work; and according to rules publish unified cybersecurity monitoring and early warning information.
Article 37: National sectoral controlling or supervising departments shall establish and perfect their respective sector or field’s CII cybersecurity monitoring and early warning and information notification system, promptly grasp their respective sector or field’s CII operational situation and security risks, and notify relevant operators of risks and related work information.
National sectoral controlling or supervising departments shall organize determinations on security monitoring information, and if it is necessary to take immediate responsive measures, they shall promptly notify relevant operators of early warning information and advice on emergency response measures, as well as reporting to relevant departments according to national cybersecurity incident emergency response requirements.
Article 38: National cybersecurity and informatization departments coordinate overall the relevant departments and operators and relevant research organizations, cybersecurity service organizations to establish a CII cybersecurity information sharing system and promote cybersecurity information sharing.
Article 39: National cybersecurity and informatization departments, according to national cybersecurity incident emergency response plan requirements, overall plan to set up and perfect a CII cybersecurity emergency response coordination system, strengthen cybersecurity emergency response capacity, guide and coordinate relevant departments to organize cross-sectoral and cross-regional cybersecurity emergency response drills.
National sectoral controlling or supervising departments shall organize and establish their respective sector or area’s cybersecurity incident emergency response plan, periodically organize drills, and improve cybersecurity incident response and disaster recovery capacity. After a major cybersecurity incident occurs or on receiving cybersecurity and informatization departments’ early warning information, emergency response plans implementation shall begin promptly and relevant status shall be promptly reported.
Article 40: National sectoral controlling or supervising departments shall, in their respective sector or area, periodically check and evaluate CII security risks and operators’ performance of security protection obligations, propose improvement measures, guide and supervise operators’ prompt rectification and reform of issues discovered during evaluation.
National cybersecurity and informatization departments overall coordinate checking and evaluation work of relevant departments in order to avoid overlapping evaluation.
Article 41: The relevant departments shall organize the assessment and evaluation of critical information infrastructure security, and shall adhere to the principles of objectivity, impartiality, and transparency, adopt scientific methods of testing and evaluation, standardize the inspection and evaluation process and control the risks of testing and evaluation.
The implementation of the assessments and rectification of the problems found should be carried out in a timely manner by the operators and relevant departments.
Article 42: Where the relevant departments organize the assessment of critical information infrastructure security, the following measures may be taken:
(A) requiring the relevant personnel of the operator to make statements on the examination and evaluation;
(B) having access to, doing retrieval and reproduction, and security protection of the relevant documents, and records;
(C) observing the cybersecurity management system development, implementation and planning, construction, and operation of cybersecurity technical measures;
(D) using testing tools or entrusting cybersecurity service organizations to do technical testing;
(E) other necessary means agreed to by the operator.
Article 43: The information obtained by the relevant departments and network security service organizations in the assessment of critical information infrastructure security inspection and evaluation can only be used for the maintenance of cybersecurity, and shall not be used for other purposes.
Article 44: The relevant departments shall organize the assessment of the security of critical information infrastructure, and shall not charge the units to be tested, and shall not require the persons to be tested and evaluated to purchase a designated brand or products and services of designated production and sales units.
Chapter 7 Legal Liability
Article 45: Where an operator fails to perform the provisions of Article 20, Paragraph 1, Article 21, Article 23, Article 24, Article 26, Article 27, Article 2 18, Article 30, Article 32, Article 33, or Article 34 of the network security protection obligations, it shall be given a warning by the relevant authorities in accordance with their duties and be ordered to correct this situation; if the operator refuses to correct the situation or it results in harm to the network and other consequences, there shall be a fine of more than 100,000 Yuan but less than one million Yuan, and the person in charge directly responsible shall receive a fine of more than 10,000 Yuan and less than 100,000 Yuan.
Article 46: Where an operator violates the provisions of Article 29 of these Regulations, he or she shall, in accordance with his/her duties, make corrections, and given a warning, and illegal income will be confiscated. The operator shall be ordered to suspend the relevant business, suspend the business for rectification, close websites, and relevant business licenses shall be revoked; the person in charge and directly responsible and other directly responsible persons shall be fined between 10,000-100,000 Yuan.
Article 47: Where an operator violates the provisions of Article 31 of these Regulations, and uses a network product or service that has not gone through a security examination or security assessment, he shall be ordered by the relevant competent national departments to cease using the product or service, and the fine shall be ten times the purchase price; the person in charge directly responsible and other directly responsible persons shall be fined between 10,000-100,000 Yuan.
Article 48: Where an individual violates the provisions of Article 16 of these Regulations and but this does not constitute a crime, public security organs shall confiscate the illegal gains and the individual shall be detained for less than five days and public security organs may impose a fine of not less than 50,000 Yuan but not more than 500,000 Yuan; a fine shall be imposed of not less than 100,000 Yuan but not more than one million Yuan; if the case constitutes a crime, criminal responsibility shall be investigated according to law.
Where a unit engages in any of the actions mentioned in the preceding paragraph, public security organs shall confiscate the illegal gains and impose a fine of not less than 100,000 Yuan but not more than one million Yuan and impose penalties on the directly responsible person in charge and other directly responsible persons in accordance with the provisions of the preceding paragraph.
Where individuals are in violation of the provisions of Article 16 of these Regulations, personnel who are subject to criminal punishment shall face a lifetime ban on working in critical information infrastructure security management and network operations key positions.
Article 49: Where an operator of critical information infrastructure of a state organ fails to perform the obligations for network security protection provided for in these Regulations, a superior organ or the relevant organs shall order it to make corrections, and the directly responsible person in charge and other directly responsible persons shall be punished according to law.
Article 50: Where any of the following departments and their staff members commits any of the following acts, the directly responsible person in charge and other directly responsible persons shall be punished according to law; if a crime is constituted, criminal responsibility shall be investigated according to law:
(A) in the course of work, using authority to obtain or accept bribes;
(B) neglect of duty, abuse of authority;
(C) unauthorized disclosure of information or data files of key information infrastructure;
(D) other acts that violate statutory duties.
Article 51: Where a major cyber security incident occurs within critical information infrastructure, the responsibility for the investigation shall be identified, and the responsibility of the relevant network security service organization and relevant departments shall be identified, as well as the responsibility of the operating unit and the investigation of the operating unit. For dereliction of duty and other violations, those individuals shall be held accountable.
Article 52: Where an organization, organization or individual engages in an attack, intrusion, interference or destruction of critical information infrastructure that is harmful to the People’s Republic of China, and causes serious consequences, they shall be investigated for legal responsibility according to law; the public security departments of the State Council, the state security organs and relevant departments may decide to impose measures such as freezing property or other necessary sanctions on the institution, organization or individual.
Chapter 8: Supplementary Provisions
Article 53: The storage and handling of the security protection of critical information infrastructure involving state secret information shall also comply with the provisions of confidentiality laws and administrative regulations.
Critical information infrastructure in terms of the use and management of encryption, should also comply with the provisions of the encryption laws and administrative regulations.
Article 54: The security protection of military key information infrastructures shall be separately regulared by the Central Military Commission.
Article 55: These Regulations shall enter into force on (date, month, year)