Regulations on the Security for Critical Information Infrastructure (Draft for Comments) (Mainland China)

2017.7.10
Zoe Qiao

On July 10, 2017, the State Internet Information Office promulgated the Regulations on the Security for Critical Information Infrastructure (Draft for Comments) (the “Security Regulations”), opening a one-month period for public comment. Although the Security Regulations are still at the public comment stage, they are the implementing regulations for the critical information infrastructure protection regime introduced under the Cybersecurity Law; as such, they are key accompanying provisions of the Cybersecurity Law and play a vital role in the cybersecurity of key domains in this country. This article therefore highlights the main points of the Security Regulations as follows:
First, the Security Regulations further clarify the scope of protection of critical information infrastructure.
Although the Cybersecurity Law and the Security Regulations both contain enumerated and comprehensive definitions, the newly promulgated Security Regulations enumerate additional items within the scope of critical information infrastructure, on top of the industries and domains already named under Article 31 of the Cybersecurity Law (public communications, information services, energy, water conservation, finance, public services and electronic government). The additional items are: information networks such as telecommunications networks and the Internet; entities that provide cloud computing, big data and other large-scale public information network services; scientific research and production units for national defense, large equipment, chemical engineering, and food and drugs; and news units such as radio stations, television stations and news agencies.
In addition, the Security Regulations improve the security assessment and inspection mechanisms of the competent authorities.
Article 39 of the Cybersecurity Law only requires the relevant agencies to test for security risks in critical information infrastructure. The Security Regulations, however, set up comprehensive inspection and assessment mechanisms for the competent authorities. For instance, the entity in charge of security inspections is the competent authority or regulatory authority for the specific industry. Security inspections and assessments are to be conducted under the principles of fairness, efficiency and transparency. Relevant personnel may also be requested to provide explanations, and relevant files may be examined, retrieved and copied. The draft stresses that information obtained from security inspections and assessments may only be used to safeguard cybersecurity and must not be used for any other purpose.
The Security Regulations further require that, in addition to the security assessment requirement for offshore access to information stored onshore under the Cybersecurity Law, the operation and maintenance of critical information infrastructure now be conducted onshore. If offshore or remote maintenance is required for business reasons, advance notification must be made to the state authority in charge of the specific business or the relevant regulatory authority, and to the national security authority. This requirement will more effectively safeguard the security of information in this country.