China’s Cyber Security Law (CSL), enacted in 2016, requires operators of critical information infrastructure (CII) to follow a number of enhanced security obligations, including storing within China all personal information and important data collected or generated during their operations in China. Given the more onerous obligations on CII operators, we are constantly asked the same key question by our clients who do business in China: “Am I a CII operator?” Now, a new regulation provides more clarity on this.
On 17 August 2021, the State Council of China published the Regulation on Protection of Security of Critical Information Infrastructure (CII Security Regulation). Four years have passed since the draft of this regulation was initially published for public comment in July 2017. Compared with the 2017 draft, the final version has improved upon several aspects and responded to concerns voiced by the market over the past few years.
Scope and identification of CII
Consistent with the CSL, the CII Security Regulation defines CII as:
“important network facilities, information systems etc. in important industries and fields such as public communications and information services, energy, transportation, water, finance, public services, e-government affairs and defense technologies, which, in the event of damage thereto, loss of function thereof or leak of data therefrom, could seriously jeopardize national security, national economy and people’s livelihoods, or the public interest.”
However, this new regulation specifies that the regulators or administrative and supervisory authorities of the important industries and fields listed above (the Protecting Authorities) will:
1. formulate their own rules for identifying CIIs within their respective purviews (the Identification Rules), taking into consideration the following factors:
   - the importance of the network facilities, information systems etc. to the key businesses of the relevant industry or field;
   - the harm that may be caused by damage to, loss of function of or leak of data from the network facilities, information systems etc.; and
   - the associated impact on other industries and fields; and
2. be responsible for identifying the CIIs in their respective purviews in accordance with the Identification Rules.
This means that the Protecting Authorities will identify the CIIs in their industries and notify the operators so designated, thus giving operators clarity as to whether they are required to comply with the requirements applicable to CIIs.
Obligations of CII operators
The CII Security Regulation imposes various security obligations on CII operators in addition to those set out in the CSL, including to:
- plan, deploy and implement security protection measures simultaneously with the CII itself;
- establish a dedicated security management body and conduct security background checks on the person in charge of, and the key staff of, that body;
- formulate an emergency response plan and organize regular emergency exercises;
- report cyber security incidents and other important affairs to the authorities;
- conduct cyber security testing and risk assessment at least once per year, rectify the security issues uncovered in the testing or assessment, and make reports in accordance with the requirements of the Protecting Authorities;
- prioritize secure and reliable network products and services in procurement; where the procurement of network products or services by the CII operator may affect national security, a national security review must be passed; and
- notify the Protecting Authorities in the event of merger, division or dissolution of the CII operator, and dispose of the CII in accordance with the requirements of the Protecting Authorities.
CII operators may be subject to various penalties for failure to comply with the security obligations, including orders for rectification, warnings and administrative fines of up to RMB 1 million (or, for procurement violations, up to 10 times the price of the product or service procured). The person in charge and other directly responsible individuals may also be personally liable. The penalties prescribed by the CII Security Regulation are in addition to those set out in other laws such as the CSL or the Criminal Law.
The CII Security Regulation confirms the unwritten approach adopted by Chinese authorities with respect to CIIs (i.e., companies can expect to receive a notice from the relevant authorities before they are officially designated as CII operators). This should give more certainty to companies doing business in China, allowing them to identify which security requirements apply to them and easing concerns about being sanctioned for breaching CII security obligations they did not know applied to them.
However, some uncertainties remain. Firstly, there is currently no timeline for the issuance of the Identification Rules, and until the Protecting Authorities issue them, the exact scope of CIIs remains uncertain. In addition, some companies have already received an official notice that they are CII operators, but we expect more notices to follow, so companies operating in sensitive or highly regulated sectors such as energy, financial services and telecoms should be aware that receiving such a notice remains a real possibility. It is also unclear how much time a company will be given to become fully compliant after being designated as a CII operator. We therefore recommend that companies keep a watch on future developments and take proactive measures appropriate to their industry and the sensitivity of the data they handle.