Security Assessment and Management Regulations concerning New Technologies and New Applications in Internet News Information Services


Article 1: In order to standardize security assessment and management work concerning new technologies and new applications in Internet news information services, safeguard national security and the public interest, protect the lawful rights and interests of citizens, legal persons and other organizations, on the basis of the “Cybersecurity Law of the People’s Republic of China”, and the “Internet News Information Service Management Regulations”, these Regulations are formulated.

Article 2: These Regulations apply to national, provincial, autonomous region and municipal Internet information offices’ organization and execution of security assessments of new technologies and new applications concerning Internet news information services.

New technologies and new applications concerning Internet news information services as mentioned in these Regulations (hereafter simply named “new technologies and new applications”) refers to innovative applications (including in their functioning and in the form of the application) and corresponding supporting technology used in providing Internet news information services.

Security assessment of new technologies and new applications concerning Internet news information services as mentioned in these Regulations (hereafter simply named “new technology and new application security assessment”) refers to determining the assessment level on the basis of the news and public opinion nature and social mobilization capacity of the new technology or new application, as well as the information content security risks that might emerge from this, examining and evaluating their information security management structures and technological protection measures.

Article 3: Internet news information service providers adjusting or adding new technologies and new applications shall establish and complete information security management structures and secure and controllable technical protection measures; they may not publish or disseminate information content prohibited by laws and regulations.

Article 4: The State Internet Information Office (CAC) is responsible for security assessment work of new technologies and new applications nationwide. Provincial, autonomous region and municipal Internet information offices are responsible for security assessment work of new technologies and new applications within their administrative areas, on the basis of their duties.

The State and provincial, autonomous region and municipal Internet information offices may entrust third-party bodies with concrete implementation work of new technology and new application security assessment.

Article 5: Corresponding organizations and specialist bodies are encouraged and supported to strengthen self-discipline concerning new technology and new application security assessment, to establish and complete security assessment service quality appraisal, credit and capability disclosure structures, in order to stimulate the development of sectoral standards.

Article 6: Internet news information service providers shall establish and complete management systems and protection systems for new technology and new application security assessment, organize and execute security assessment themselves according to the requirements of these Regulations, provide the necessary cooperation to the State and provincial, autonomous region and municipal Internet information offices, and timely complete rectification and improvement.

Article 7: Where one of the following circumstances is present, an Internet news information service provider shall organize and execute a new technology and new application security assessment themselves, compile a written security assessment report, and bear responsibility over the assessment outcome:

(1) where they apply new technology, or adjust or add application functions with a news or public opinion nature or social mobilization capabilities;

(2) where a change in user scope, nature of functions, technical realization methods, or basic resource allocation through new technologies or new application functions leads to a major change in the news and public opinion nature or social mobilization capacity.

The State Internet information office will, at a suitable time, issue a security assessment catalogue for new technologies and new applications, for reference to Internet news information service providers organizing and executing security assessment themselves.

Article 8: Internet news information service providers shall, where they organize and execute a new technology and new application security assessment themselves according to Article 7 of these Regulations, and discover the existence of security risks, timely rectify the matter, and eliminate the corresponding security risk.

Those organizing and executing a security assessment themselves according to the provisions of Article 7 of these Regulations shall complete the assessment before using the new technology, or adjusting or adding application functions.

Article 9: Internet news information service providers shall, after organizing and executing a new technology and new application security assessment themselves according to Article 8 of these Regulations, request the State or provincial, autonomous region or municipal Internet information office to organize and execute a security assessment within 10 working days after the completion of the security assessment.

Article 10: Where the State or provincial, autonomous region or municipal Internet information offices are requested to organize and execute a new technology and new application security assessment, and the reporting subject is a Central news work unit or a work unit under the charge of a Central news and propaganda department, the State Internet Information Office will organize and execute the security assessment; where the reporting subject is a local news work unit or a work unit under the charge of local news and propaganda departments, the provincial, autonomous region or municipal Internet information office will organize and execute security assessment; where the reporting subject is another work unit, the local provincial, autonomous region or municipal Internet information office will organize and execute a security assessment, report the assessment materials and opinions to the State Internet Information Office for examination and verification, and afterwards create a security assessment report.

Article 11: Internet news information service providers requesting the State or provincial, autonomous region or municipal Internet information office to organize and execute a new technology and new application security assessment shall provide the following materials, and bear responsibility for the veracity of the provided materials:

(1) service plan (including service items, service methods, business models, service scope, etc.);

(2) the main functions and main workflows of the product (service), systems composition (including the kind, brand, version, location of deployment of the main hardware and software, and other such summaries);

(3) the information security management structures and technical protection measures supplementing the product (service);

(4) the report of the security assessment they organized, executed and completed themselves;

(5) other necessary materials required for the execution of a security assessment.

Article 12: The State and provincial, autonomous region and municipal Internet information offices shall, within 45 working days after completion of the materials, organize and complete a new technology and new application security assessment.

The State and provincial, autonomous region and municipal Internet information offices may adopt written confirmations, on-the-spot inspections, online supervision and other such measures to further examine and verify the submitted materials; service providers shall cooperate.

After the State or provincial, autonomous region and municipal Internet information offices organize and complete a security assessment, they shall compile a security assessment report themselves, or entrust a third-party body to do so.

Article 13: Where the opinions indicated in the security assessment report for new technologies and new applications state information security risks and hazards exist in the new technology or new application, and it is not possible to supplement the necessary security protection measures, the Internet news information service provider shall timely rectify the situation, including conforming to the relevant requirements of laws, regulations, rules and mandatory national standards. Until the rectification is complete, the new technology or new application that is planned to be adjusted or added may not be used to provide Internet news information services.

Where a service provider refuses to rectify the matter, or after rectification, the relevant requirements of laws, regulations, rules and mandatory national standards are not met, with the consequence they no longer conform to licensing conditions, the State, provincial, autonomous region or municipal Internet information office will order the service provider to rectify the matter within a limited time, according to the provisions of Article 23 of the “Internet News Information Service Management Regulations”; where they still do not meet licensing conditions after the expiry of the time limit, news information updates will be provisionally halted; where they still do not meet licensing conditions after the period of validity of the “Internet News Information Service Permit” expires, they will not be issued with a new licence.

Article 14: Work units and personnel relevant to the organization and execution of security assessments of new technologies and new applications shall maintain the strict secrecy of state secrets, commercial secrets and personal information they learn during the fulfilment of their duties; they may not leak, sell or illegally provide it to others.

Article 15: The State and provincial, autonomous region and municipal Internet information offices shall establish active supervision and management structures, strengthen supervision and inspection rounds over new technologies and new applications, strengthen information security risk management, and supervise the implementation of the principal responsibilities of enterprises.

Article 16: Where Internet news information service providers violate the “Internet News Information Service Management Regulations” by not having conducted security assessment according to these Regulations, the State and local Internet information offices will impose punishment.

Article 17: These Regulations shall be referenced and apply to applications for the provision of Internet news information services, where the State or a provincial, autonomous region or municipal Internet information office is petitioned to organize and execute a new technology and new application security assessment.

Article 18: These Regulations take effect on 1 December 2017.

