Critical Information Infrastructure in China – New Cybersecurity Regulations
New regulations on the security and protection of critical information infrastructure in China will come into force starting September 1. We look at which companies are most likely to be designated as critical information infrastructure operators, what are their compliance obligations, and the new opportunities that may arise from the additional requirements.
On August 17, China’s State Council unveiled the Regulations on the Security and Protection of Critical Information Infrastructure (‘the regulations’), formulated on the basis of China’s Cybersecurity Law. These regulations shed new light on how the government plans to regulate strict data security requirements among critical information infrastructure (CII) operators but leaves unanswered some questions that have worried companies since the Cybersecurity Law was passed in 2017.
Under the Cybersecurity Law, companies designated as CII operators are subject to tighter data security requirements and a higher level of government oversight. The new regulations offer a more specific set of guidelines for the responsibilities and obligations of both the CII operators themselves and the regulatory departments in charge of supervising compliance. It also outlines specific punishments for activities that violate the security of critical information infrastructure.
The regulations also create a top-down system of oversight and regulations, in which CII operators are required to report any anomalies, issues, or changes to the systems to regulatory departments. These departments in turn are required to report any serious issues, threats, or changes to the infrastructure to central government bodies, the Cyberspace Administration of China (CAC), and the National Security Bureau (NSB).
However, the regulations remain unclear on exactly which type of company or business scope will fall under the category of CII, leaving many companies who sit in the grey area uncertain of which rules will apply to them.
With the regulations taking effect on September 1 this year, we take this opportunity to look at which companies are most likely to be designated as CII operators, what obligations they must fulfill to comply with the law, and finally what new opportunities may arise from the new requirements.
Who is classified as a critical information infrastructure operator?
The regulations define CII as companies engaged in “important industries or fields”, including:
- Public communication and information services;
- Public services;
- E-government services;
- National defense; and
- Any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks.
Companies that operate in certain sectors are clearly regarded as CII operators – power grids, public transport operators, military suppliers, and so on – and many of the sectors largely overlap with similar classifications in other countries’ legislation, such as the U.S.’ Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21).
For other sectors, the designation is less clear. The “any other important network facilities or information systems” could be interpreted to include major online service companies, such as Tencent’s WeChat or ride-hailing platform Didi.
In fact, Didi is currently under investigation by the CAC, in part due to its failure to act upon a request to conduct a data security assessment. Meanwhile, in early July, WeChat suspended new user registrations in order to upgrade security protocols to meet regulatory requirements. These recent occurrences suggest the companies may have been designated as CII operators, although this remains disputed.
To decide which companies will be designated as a CII operator, the regulations place the burden of responsibility on government regulatory departments. The departments must base the designation on the following:
- How important the network equipment or information system is for the core business of the industry or field;
- The level of harm that may be caused in the event of incapacitation, loss, or data leakage; and
- The cross-over impact the data has on other industries or fields.
Although it remains unclear exactly which companies will be categorized as CII operators, the regulations stipulate that the regulatory departments in charge of designating CII operators are required to inform the companies and the State Council when they identify a company as such. In a press conference on the new regulations, Deputy Director of the CAC Sheng Ronghua made it clear that foreign companies can also be designated as CII operators and will have to comply with the same rules as domestic companies.
The government is expected to formulate more specific guidelines on designating CII operators for companies and government departments, but it is still uncertain when such guidelines will be released.
CII operator’s responsibilities to ensure cybersecurity
The CAC has emphasized the principle of “who operates, bears responsibility” for protecting and maintaining CII. In this spirit, the regulations place the onus on the operators themselves to take action. The regulations stipulate that CII operators must take the necessary measures and implement the required technology to prevent attacks on networks and other illegal activity, ensure the secure and stable operation of critical information infrastructure, and maintain the integrity, secrecy, and usability of data.
A few notes on the above requirements:
- Staff members in charge of the dedicated security management mechanism have their own set of obligations they must fulfill. These include:
- Establishing network security management, evaluation, and assessment systems
- Carrying out testing and risk assessments.
- Formulating emergency plans, carrying out regular emergency drills, and addressing cybersecurity incidents.
- Determining key job positions for cybersecurity, organizing work assessments, formulating a rewards and punishment system, and organizing network security education and training.
- Establishing personal information protection and data security systems.
- Reporting any security incidents
- The regulations specifically stipulate that no individual or organization is permitted to conduct vulnerability assessment and penetration testing (VAPT) on CII without the approval from cybersecurity departments or public security departments within the State Council, or the authorization of regulatory departments or the CII operator. These activities must also be reported to the telecommunications authority of the State Council before being implemented.
If a CII operator fails on any of these responsibilities, they will first receive a warning from the regulatory authorities and be ordered to correct the situation. If the operator refuses to make the necessary changes or if the infraction causes serious harm to the networks’ security, it will be liable for a fine of RMB 100,000 (US$15,425) to RMB 1 million (US$154,250). The person directly in charge of the situation will also be personally liable for a fine of RMB 10,000 (US$1,543) to RMB 100,000.
Opportunities for the cybersecurity industry
Complying with these strict regulations is likely to be a headache for companies designated as CII operators. As such, these regulations, along with other data legislation, such as the Personal Information Protection Law (PIPL) and the Data Security Law, are likely to create a surge in demand for cybersecurity products and related services.
In July of this year, the Ministry of Industry and Information Technology (MIIT) began soliciting opinions on an action plan for developing the cybersecurity industry over the next three years. The plan aims to grow the industry at a compound annual growth rate (CAGR) of above 15 percent over the next three years to exceed RMB 250 billion (US$38.6 billion) in 2023.
To do this, the MIIT aims to “unleash demand” by requiring telecommunications and other key industries to invest 10 percent of their digitization spending on cybersecurity. The plan also indicates the government will encourage collaboration with foreign companies, and provide policy support for developing technology and talent in the industry in the future.
It is therefore likely we will see new incentives and preferential policies designed to attract investment in the industry in the near future. Players in this field are urged to watch policy updates closely, in particular, in regions with a strong base for the technology and internet industries, such as Shanghai, and Hangzhou, and the Greater Bay Area.
Protecting critical information infrastructure in the digital era
The new regulations on CII operators have been a long time coming, but their necessity has also become more urgent. As businesses and infrastructure digitize and rely more heavily upon online resources and data for operations, they also make themselves vulnerable to attack or manipulation, with the potential for far-reaching negative consequences.
The Chinese government is acutely aware of the threats to and vulnerabilities in China’s current system. These regulations are the next step in the country’s long-term plan to strengthen the protection of data and networks that are of consequence to both national security and the rights of individual citizens.
Given the critical importance of shoring up cybersecurity, we expect the new regulations to be strictly enforced and for companies who fail to comply to be penalized to the full extent of the law. Companies whose operations could encroach upon CII are therefore urged to keep a close eye on developments and maintain close communication with relevant authorities whenever possible.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at email@example.com.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.