Panic or not? China’s regulation on critical information infrastructure is to take effective soon
By Henry Chen | 2021/8/17 15:58:31

The Regulation on Security and Protection of Critical Information Infrastructure (“Regulation”) was promulgated on April 27 and is to enter into force as of September 1, 2021.


As usual, we may panic once again. Before panicking, however, we should find out whether the Regulation applies to us at all. As the name of the Regulation suggests, the first question is whether our company could fall within the category of critical information infrastructure (“CII”).


What is CII Category?


The CII mentioned in the Regulation refers to important industries and fields such as:

-Public communication and information services

-Energy

-Transportation

-Water conservancy

-Finance

-Public services

-E-government

-National defense science and technology industry

-Other important network facilities


And


Such network facilities and information systems, etc. may seriously endanger national security, the national economy, people's livelihood and public interests in case of damage, loss of function or data leakage.


Who decides if you are a CII?


The competent departments and supervision and administration departments of the important industries and fields where CIIs could be are the departments responsible for the security and protection of CIIs (“Protection Departments”).


The Protection Departments shall formulate rules for the identification of CIIs in combination with the actual situation of the industry and field, and report them to the Public Security Department of the State Council for the record.


What are the factors to consider?


The following factors shall be considered in determining whether a facility or system is a CII:

-The importance of the network facilities and information systems to the key core businesses of the industry and field;

-The degree of harm that may be caused once the network facilities, information systems, etc. are damaged, lose their function or leak data;

-The associated impact on other industries and fields.


What is the procedure to determine CII?


The Protection Department shall, in accordance with the identification rules, be responsible for organizing the identification of CIIs in its own industry and field, timely notifying the operators of the identification results, and notifying the Public Security Department of the State Council.


As such, don’t panic until you receive a notice that your entity is identified as a CII.



Certainly, there are some other provisions you should know.  You may refer to the translation as follows:



Order of the State Council of the People's Republic of China

No. 745



The Regulation on Security and Protection of Critical Information Infrastructure, which was adopted at the 133rd executive meeting of the State Council on April 27, 2021, is hereby promulgated and shall enter into force as of September 1, 2021.

Premier Li Keqiang

July 30, 2021


The Regulation on Security and Protection of Critical Information Infrastructure


Chapter I General Provisions


Article 1 The Regulation is formulated in accordance with the Cybersecurity Law of the People's Republic of China in order to ensure the security of critical information infrastructure and maintain cybersecurity.

Article 2 The critical information infrastructure mentioned in the Regulation refers to important network facilities, information systems, etc. in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and the national defense science and technology industry, as well as other important network facilities and information systems, that may seriously endanger national security, the national economy, people's livelihood and public interests in case of damage, loss of function or data leakage.

Article 3 Under the overall coordination of the national network and information department, the Public Security Department of the State Council shall be responsible for guiding and supervising the security and protection of critical information infrastructure. The competent telecommunications department under the State Council and other relevant departments shall be responsible for the security protection, supervision and administration of critical information infrastructure within their respective functions and responsibilities in accordance with the provisions of these regulations and relevant laws and administrative regulations.

Relevant departments of provincial people's governments shall implement security protection, supervision and management of critical information infrastructure according to their respective responsibilities.

Article 4 The security and protection of critical information infrastructure shall adhere to comprehensive coordination, division of responsibilities and protection according to law, strengthen and implement the main responsibilities of critical information infrastructure operators (hereinafter referred to as operators), give full play to the role of the government and all sectors of society, and jointly protect the security of critical information infrastructure.

Article 5 The State shall focus on the protection of critical information infrastructure, take measures to monitor, defend and deal with network security risks and threats from inside and outside the People's Republic of China, protect critical information infrastructure from attack, intrusion, interference and destruction, and punish illegal and criminal activities endangering the security of critical information infrastructure according to law.

No individual or organization shall illegally invade, interfere with or destroy the critical information infrastructure, and shall not endanger the security of the critical information infrastructure.

Article 6 The operators shall, in accordance with the provisions of these regulations, relevant laws and administrative regulations and the mandatory requirements of national standards, take technical protection measures and other necessary measures on the basis of network security level protection, deal with network security incidents, prevent network attacks and illegal and criminal activities, ensure the safe and stable operation of critical information infrastructure, and maintain the integrity, confidentiality and availability of data.

Article 7 Units and individuals that have made remarkable achievements or made outstanding contributions in the security protection of critical information infrastructure shall be commended in accordance with the relevant provisions of the state.


Chapter II Identification of critical information infrastructure


Article 8 The competent departments and supervision and administration departments of the important industries and fields involved in Article 2 of the Regulation are the departments responsible for the security and protection of critical information infrastructure (hereinafter referred to as the “Protection Departments”).

Article 9 The Protection Departments shall formulate rules for the identification of critical information infrastructure in combination with the actual situation of the industry and field, and report them to the Public Security Department of the State Council for the record.

The following factors shall be mainly considered in formulating the identification rules:

(1) The importance of the network facilities and information systems to the key core businesses of the industry and field;

(2) The degree of harm that may be caused once the network facilities, information systems, etc. are damaged, lose their function or leak data;

(3) The associated impact on other industries and fields.

Article 10 The Protection Department shall, in accordance with the identification rules, be responsible for organizing the identification of critical information infrastructure in its own industry and field, timely notifying the operators of the identification results, and notifying the Public Security Department of the State Council.

Article 11 In case of major changes in critical information infrastructure that may affect the identification results, the operator shall timely report the relevant information to the protection department. The Protection Department shall complete the re-identification within 3 months from the date of receiving the report, notify the operator of the identification results, and notify the Public Security Department of the State Council.


Chapter III Responsibilities and Obligations of the Operator


Article 12 Security and protection measures shall be planned, constructed and used simultaneously with critical information infrastructure.

Article 13 The operator shall establish and improve the cybersecurity protection system and responsibility system to ensure the investment of human, financial and material resources. The main person in charge of the operator shall take overall responsibility for the security and protection of critical information infrastructure, lead the security and protection of critical information infrastructure and the disposal of major network security events, and organize research and solve major network security problems.

Article 14 An operator shall set up a special safety management organization and conduct a safety background examination on the heads of the special safety management organization and the personnel in key positions. The public security organ and the state security organ shall assist in the examination.

Article 15 The special security management organization shall be specifically responsible for the security and protection of the critical information infrastructure of the unit, and perform the following duties:

(1) Establish and improve the network security management, evaluation and assessment system, and formulate the security protection plan for critical information infrastructure;

(2) Organize and promote the construction of network security protection capacity, and carry out network security monitoring, detection and risk assessment;

(3) Formulate the emergency plan of the unit according to the national and industrial emergency plan for network security incidents, regularly carry out emergency drills and deal with network security incidents;

(4) Identify the key posts of network security, organize the assessment of network security work, and put forward reward and punishment suggestions;

(5) Organize network security education and training;

(6) Fulfill the responsibility of personal information and data security protection, and establish and improve the personal information and data security protection system;

(7) Implement security management for critical information infrastructure design, construction, operation, maintenance and other services;

(8) Report network security incidents and important matters as required.

Article 16 The operator shall guarantee the operation funds of the special security management organization and allocate corresponding personnel, and the personnel of the special security management organization shall participate in the decision-making related to network security and informatization.

Article 17 An operator shall, on its own or by entrusting a network security service institution, conduct network security detection and risk assessment on critical information infrastructure at least once a year, timely rectify the security problems found, and report the situation in accordance with the requirements of the protection department.

Article 18 When a major network security incident occurs or a major network security threat is found in the critical information infrastructure, the operator shall report to the Protection Department and the public security organ in accordance with relevant regulations.

In the event of a particularly major network security incident such as the overall interruption of the operation of critical information infrastructure or major functional failure, the leakage of national basic information and other important data, the leakage of large-scale personal information, causing large economic losses, the wide spread of illegal information and other particularly major network security threats, the Protection Department shall, after receiving the report, timely report to the national network information department and the Public Security Department of the State Council.

Article 19 Operators shall give priority to purchasing safe and reliable network products and services. If the procurement of network products and services may affect national security, they shall pass the security review in accordance with the national network security regulations.

Article 20 When purchasing network products and services, operators shall sign security and confidentiality agreements with network products and service providers in accordance with relevant state regulations, clarify the technical support and security and confidentiality obligations and responsibilities of providers, and supervise the performance of obligations and responsibilities.

Article 21 In case of merger, division or dissolution, the operator shall timely report to the Protection Department, and dispose of the critical information infrastructure according to the requirements of the Protection Department to ensure security.


Chapter IV Undertaking and Promotion


Article 22 The Protection Department shall formulate the security plan for the critical information infrastructure of the industry and field, and clarify the protection objectives, basic requirements, work tasks and specific measures.

Article 23 The national network information department shall coordinate with relevant departments to establish a network security information sharing mechanism, timely summarize, judge, share and release network security threats, vulnerabilities, events and other information, and promote the sharing of network security information among relevant departments, protection departments, operators and network security service institutions.

Article 24 The Protection Department shall establish and improve the network security monitoring and early warning system of the critical information infrastructure in the industry and field, timely grasp the operation status and security situation of the critical information infrastructure in the industry and field, issue early warnings of and notify network security threats and hidden dangers, and guide the security prevention work.

Article 25 The Protection Department shall, in accordance with the requirements of the national emergency plan for network security incidents, establish and improve the emergency plan for network security incidents in its own industry and field, and regularly organize emergency drills; guide the operators to deal with network security incidents, and organize to provide technical support and assistance as needed.

Article 26 The Protection Department shall regularly organize the network security inspection and detection of critical information infrastructure in the industry and field, guide and supervise the operators to rectify potential safety hazards and improve safety measures in time.

Article 27 The national network information department shall coordinate the public security department and the Protection Department of the State Council to conduct network security inspection and detection of critical information infrastructure and put forward improvement measures.

When carrying out network security inspection of critical information infrastructure, relevant departments shall strengthen coordination and information communication to avoid unnecessary inspection and cross and repeated inspection. No fee shall be charged for the inspection work, and the inspected unit shall not be required to purchase the products and services of the designated brand or the designated production and sales unit.

Article 28 The operator shall cooperate with the critical information infrastructure network security inspection and detection carried out by the protection department and the critical information infrastructure network security inspection carried out by the public security, national security, confidentiality administration, password management and other relevant departments according to law.

Article 29 In the security protection of critical information infrastructure, the state network and information department, the competent telecommunications department under the State Council and the public security department under the State Council shall provide technical support and assistance in a timely manner according to the needs of the protection department.

Article 30 The information obtained from the network information department, public security organ, protection department and other relevant departments, network security service institutions and their staff in the security protection of critical information infrastructure can only be used to maintain network security, ensure information security in strict accordance with the requirements of relevant laws and administrative regulations, and shall not be disclosed, sold or illegally provided to others.

Article 31 Without the approval of the national network information department or the public security department under the State Council, or the authorization of the protection department and the operator, no individual or organization may carry out vulnerability detection, penetration testing and other activities that may affect or endanger the security of critical information infrastructure. The implementation of vulnerability detection, penetration testing and other activities on basic telecommunications networks shall be reported to the competent telecommunications department under the State Council in advance.

Article 32 The State shall take measures to give priority to ensuring the safe operation of critical information infrastructure such as energy and telecommunications.

The energy and telecommunications industries shall take measures to provide key guarantees for the safe operation of critical information infrastructure in other industries and fields.

Article 33 Public security organs and state security organs shall, in accordance with their respective duties, strengthen the security of critical information infrastructure according to law, prevent and crack down on illegal and criminal activities against and using critical information infrastructure.

Article 34 The State formulates and improves the security standards for critical information infrastructure, and guides and standardizes the security protection of critical information infrastructure.

Article 35 The State takes measures to encourage network security professionals to engage in the security protection of critical information infrastructure; the training of operators' safety management personnel and safety technicians will be incorporated into the national continuing education system.

Article 36 The State supports technological innovation and industrial development in the security protection of critical information infrastructure, and organizes forces to tackle key technical problems in the security of critical information infrastructure.

Article 37 The State shall strengthen the construction and management of network security service institutions, formulate management requirements and strengthen supervision and guidance, continuously improve the capacity level of service institutions, and give full play to their role in the security protection of critical information infrastructure.

Article 38 The state strengthens network security, military civilian integration, and military civilian coordination to protect the security of critical information infrastructure.


Chapter V Legal Liability


Article 39 Where an operator is under any of the following circumstances, the relevant competent department shall order it to make corrections and give a warning according to its duties. Those who refuse to make corrections or cause consequences such as endangering network security shall be fined not less than 100,000 yuan but not more than 1 million yuan, and the person in charge directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan:

(1) Failing to report the relevant situation to the protection department in time when major changes in the critical information infrastructure may affect the identification results;

(2) The security protection measures are not planned, constructed and used synchronously with the critical information infrastructure;

(3) Failing to establish and improve the network security protection system and responsibility system;

(4) There is no special safety management organization;

(5) Failing to review the safety background of the person in charge of the special safety management organization and the personnel in key positions;

(6) Carrying out decisions related to network security and informatization without the participation of personnel of special security management institutions;

(7) The special safety management organization fails to perform the duties specified in Article 15 of these regulations;

(8) Failing to conduct network security detection and risk assessment on critical information infrastructure at least once a year, failing to rectify the security problems found in time, or failing to report the situation in accordance with the requirements of the protection department;

(9) Purchasing network products and services without signing security and confidentiality agreements with network products and service providers in accordance with relevant state regulations;

(10) In case of merger, division, dissolution, etc., it fails to report to the protection department in time, or fails to dispose of the critical information infrastructure in accordance with the requirements of the protection department.

Article 40 Where an operator fails to report to the protection department or public security organ in accordance with relevant regulations when a major network security event occurs or a major network security threat is found in the critical information infrastructure, the protection department or public security organ shall order it to make corrections and give a warning according to its duties; those who refuse to make corrections or cause consequences such as endangering network security shall be fined not less than 100,000 yuan but not more than 1 million yuan, and the person in charge directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 41 Where an operator purchases network products and services that may affect national security and fails to conduct security review in accordance with national network security regulations, the state network information department and other relevant competent departments shall order it to make corrections according to its duties, impose a fine of not less than 1 time but not more than 10 times the purchase amount, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan on the directly responsible person in charge and other directly responsible persons.

Article 42 If an operator fails to cooperate with the network security inspection and detection of critical information infrastructure carried out by the protection department and the network security inspection of critical information infrastructure carried out by relevant departments such as public security, national security, confidentiality administration and password management according to law, the relevant competent department shall order it to make corrections; if it refuses to make corrections, it shall be fined not less than 50,000 yuan but not more than 500,000 yuan, and the person in charge and other persons directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan. If the circumstances are serious, the corresponding legal responsibilities shall be investigated according to law.

Article 43 If the activities of illegally invading, interfering with or destroying critical information infrastructure and endangering its security do not constitute a crime, the public security organ shall confiscate the illegal income, detain the offender for not more than five days and may also impose a fine of not less than 50,000 yuan but not more than 500,000 yuan in accordance with the relevant provisions of the Cybersecurity Law of the People's Republic of China. If the circumstances are serious, the offender shall be detained for not less than 5 days but not more than 15 days and may also be fined not less than 100,000 yuan but not more than 1 million yuan.

If a unit commits the act mentioned in the preceding paragraph, the public security organ shall confiscate its illegal income and impose a fine of not less than 100,000 yuan but not more than 1 million yuan, and the persons directly in charge and other persons directly responsible shall be punished in accordance with the provisions of the preceding paragraph.

Those who violate the provisions of paragraph 2 of Article 5 and Article 31 of these regulations and are punished by public security administration shall not engage in the work of key posts of network security management and network operation within 5 years. Personnel subject to criminal punishment shall not engage in key posts of network security management and network operation for life.

Article 44 Where the network information department, public security organ, protection department, other relevant departments and their staff fail to perform their duties of security protection, supervision and management of critical information infrastructure, or neglect their duties, abuse their powers, and engage in malpractices for personal gain, the person in charge and other persons directly responsible shall be punished according to law.

Article 45 Where public security organs, protection departments and other relevant departments collect fees in carrying out network security inspection of critical information infrastructure, or require the inspected unit to purchase products and services of designated brands or designated production and sales units, their superior organs shall order them to make corrections and refund the fees collected. If the circumstances are serious, the persons directly in charge and other persons directly responsible shall be given sanctions according to law.

Article 46 Where the network information department, public security organ, protection department and other relevant departments, network security service institutions and their staff use the information obtained in the security protection of critical information infrastructure for other purposes, or disclose, sell or illegally provide it to others, the person in charge and other persons directly responsible shall be punished according to law.

Article 47 Where a major or particularly major network security incident occurs in a critical information infrastructure and is determined as a responsibility accident after investigation, in addition to finding out the responsibility of the operator and investigating it according to law, it shall also find out the responsibility of relevant network security service institutions and relevant departments, and investigate the responsibility for dereliction of duty, dereliction of duty and other illegal acts according to law.

Article 48 If the operator of the critical information infrastructure of e-government fails to perform the obligations of network security protection stipulated in these regulations, it shall be dealt with in accordance with the relevant provisions of the Cybersecurity Law of the People's Republic of China.

Article 49 Whoever violates the provisions of these regulations and causes damage to others shall bear civil liability according to law.

Whoever violates the provisions of these regulations and thereby commits a violation of the administration of public security shall be given a public security administration punishment according to law; if a crime is constituted, criminal responsibility shall be investigated according to law.


Chapter VI Supplementary Provisions


Article 50 The security protection of critical information infrastructure for storing and processing state secret information shall also comply with the provisions of confidentiality laws and administrative regulations.

The use and management of passwords in critical information infrastructure shall also comply with the provisions of relevant laws and administrative regulations.

Article 51 The Regulation shall enter into force as of September 1, 2021.

________

The author, Henry Chen, licensed to practice law in China and New York, is a senior partner at the Dentons office in Shanghai. Before joining Dentons, Henry was AP Compliance Director of Ford.  Henry Chen is also Certified Information Security Personnel (CISP) and Critical Information Infrastructure Personnel (CIIP).

Henry Chen is a drafter of China national standard (draft) Information security technology-Cyber-data process security specification  (信息安全技术 网络数据处理安全规范).

Henry's practice areas include cyber security and data governance, FCPA, anti-bribery and fraud investigations, economic sanctions and trade controls, compliance management systems, corporate matters and dispute resolution. You can reach Henry by sending an email to henry.chen@dentons.cn. Henry is the author of the book Risk Management on Commercial Bribery in China and the book Compliance Risks of Enterprises in Globalization: Outbreak and Control.
