CAC Circulates Draft Rules on the Protection of CII Security

On 11 July 2017, the Cyberspace Administration of China (“CAC”) circulated for public comment the Rules on the Protection of Critical Information Infrastructure Security (Draft for Comments).

The draft rules flesh out the provisions of the Cybersecurity Law of the People's Republic of China 2016 that deal with the security of critical information infrastructure (“CII”).

Under the draft rules, the scope of protection for CII is more clearly defined to include any of the following entities that operate and manage network facilities and information systems, and where any damage, loss of functionality or data leakage of their facilities and systems could threaten national security, the people's livelihood or the public interest:

  • Government institutions and businesses in the energy, finance, transportation, water conservancy, health care, education, social security, environmental protection and public utilities industries.
  • Telecommunications networks, radio and television networks, internet and other information networks.
  • Scientific research and production units in fields related to national defence, large-scale equipment, chemicals, food and pharmaceuticals.
  • News units and other "key units".

Under the draft rules, CII operators are required (among others) to:

  • Formulate internal security administration systems and operating procedures and prevent viruses, attacks and other network intrusions.
  • Carry out regular network security training and assessment for employees and develop contingency plans for security incidents.
  • Entrust a network security service organisation to conduct at least one annual inspection of security system and rectify any problems.
  • Conduct a security assessment before exporting personal information and important data collected and generated in China.

Comments on the draft may be submitted to the CAC until 10 August 2017.

Market Reaction

Paul McKenzie, Partner, Morrison & Foerster, Beijing and Shanghai

"Perhaps the most vexing questions raised by the Cybersecurity Law are what "critical information infrastructure" is and whether a company's networks will be subject to the data localisation and other provisions governing CII. With the law having come into effect almost two months ago, the CAC and other authorities are scrambling to provide meaningful guidance. The draft rules provide only limited help, but they do tend to confirm the importance of sector-specific standards both as to what CII is and what specific protective measures are required of CII operators."

Action Items

General Counsel for companies likely to be regarded as CII operators will want to work with government relations colleagues, industry regulators and external counsel, and watch for publication of sector-specific guidelines, to determine if they will be subject to the final version of the draft rules and, if so, what specific steps to take to ensure compliance.