On 17 August 2021, China’s State Council published Security Protection Measures for Critical Information Infrastructure (CII), which will take effect on 1 September 2021.

CII refers to important network infrastructure and information systems that are used in public communications and information services, energy, transportation, water conservancy, finance, public services, e-government affairs, national defence technology and other important industries and sectors, as well as network infrastructure and information systems that may seriously affect national security, the national economy, people’s livelihood, or the public interests if damaged, impaired or breached.

Sectoral regulators must formulate rules for identifying CII within their respective jurisdictions, notify operators of the identified CII and file records with the Ministry of Public Security. Factors that sectoral regulators can consider during identification include the importance of the network infrastructure and information systems to the sector and to core businesses in the sector; the degree of harm that may be caused if network infrastructure and information systems are damaged, impaired or breached; and any potential associated impact that such incidents may have on other sectors.

The measures establish high security protection requirements for CII operators that are based on the PRC Cybersecurity Law. CII operators must synchronise the planning, formulation and implementation of CII and security protection measures covering the full lifecycle of the CII. A CII operator must establish a designated security protection department and conduct security background checks on key personnel responsible for security protection matters. At least once a year, it must carry out regular security inspections and risk assessments. If any major cybersecurity threat or incident is discovered, the operator must take remedial measures in accordance with response plans and report to the competent sectoral regulator. If the operator purchases any network products or services that may affect national security, it must conduct security reviews.

The measures emphasise collaboration among government authorities. The Cyberspace Administration of China, the Ministry of Public Security and the Ministry of Industry and Information Technology will establish information sharing mechanisms, avoid duplicated or overlapping inspections, and protect the confidentiality of any information obtained during enforcement actions.

Source: CMS Cameron McKenna Nabarro Olswang LLP news