Regulation on Protecting the Security of Critical Information Infrastructure
Issuing Authority: Administrative Regulations
Date Issued
Effective Date
Level of Authority
Administrative Regulations
Area of Law
Data and Privacy Protection
Status
Effective
Regulation on Protecting the Security of Critical Information Infrastructure (关键信息基础设施安全保护条例)
Order of the State Council of the People's Republic of China
(No. 745)
The Regulation on Protecting the Security of Critical Information Infrastructure, as adopted at the 133rd executive meeting of the State Council on April 27, 2021, is hereby issued and shall come into force on September 1, 2021.
Premier: Li Keqiang
July 30, 2021
Regulation on Protecting the Security of Critical Information Infrastructure
Chapter I General Provisions
Article 1 This Regulation is formulated in accordance with the Cybersecurity Law of the People's Republic of China in order to ensure the security of critical information infrastructure (hereinafter referred to as “CII”) and maintain cybersecurity.
Article 2 For the purposes of this Regulation, “CII” means any of the network facilities and information systems in important industries and fields (such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and science, technology and industry for national defense) that may seriously endanger national security, national economy and people's livelihood, and public interests in the event that they are damaged or lose their functions or their data are leaked.
Article 3 Under the overall coordination of the national cyberspace administration, the public security department under the State Council shall be responsible for guiding and supervising the CII security protection. The telecommunications department and other relevant departments under the State Council shall be responsible for the security protection, supervision, and administration in respect of CII within their respective responsibilities in accordance with the provisions of this Regulation and relevant laws and administrative regulations.
The relevant departments of the provincial people's government shall implement security protection, supervision, and administration in respect of CII according to their respective responsibilities.
Article 4 The CII security protection shall adhere to overall coordination, division of responsibilities, and law-based protection. CII operators (hereinafter referred to as “CIIO”) shall be required to assume primary responsibilities, and the role of the people's governments and non-government sectors shall be fully leveraged, so as to jointly protect the CII security.
Article 5 The state shall give priority to the protection of CII specifically by taking measures to monitor, defend against, and handle cybersecurity risks and threats originating inside and outside the People's Republic of China so as to protect the CII from attack, intrusion, interference, and sabotage, and by punishing in accordance with the law illegal and criminal activities endangering the CII security.
No individual or organization may engage in any activity of illegally hacking into, interfering with, or damaging any CII or endanger the CII security.
Article 6 A CIIO shall, in accordance with the provisions of this Regulation, applicable laws, and administrative regulations, as well as the mandatory requirements of national standards, and on the basis of the classified cybersecurity protection, take technical protection and other necessary measures to cope with cybersecurity events, guard against cyber-attacks and illegal and criminal activities, ensure the safe and stable operation of the CII, and maintain data integrity, confidentiality, and availability.
Article 7 Entities and individuals that have made outstanding achievements or contributions in the CII security protection shall be commended in accordance with the relevant provisions of the state.
Chapter II The Determination of CII
Article 8 The competent authorities and supervision and administration departments of important industries and fields set forth in Article 2 of this Regulation are the departments responsible for the CII security protection (hereinafter referred to as the “protection departments”).
Article 9 The protection department shall develop the rules for the determination of CII according to the actual conditions of the industry and field concerned, and file them with the public security department under the State Council.
In developing the rules for the determination of CII, the following factors shall be taken into account:
(1) The importance of, among others, network facilities and information systems to key core businesses in the industry and field concerned;
(2) The extent of possible damage, among others, to network facilities and information systems, once they are damaged or lose their functions or their data are leaked; and
(3) Relevance to other industries and fields.
Article 10 The protection department shall be responsible for organizing the determination of CII in the industry and field concerned according to the determination rules, and shall inform the CIIO of the determination results in a timely manner and notify the public security department under the State Council of the same.
Article 11 If any CII has undergone a major change, which may affect its determination results, the CIIO shall report the relevant information to the protection department in a timely manner. The protection department shall complete the re-determination within three months of receipt of such report, inform the CIIO of the determination results, and notify the public security department under the State Council of the same.
Chapter III Responsibilities and Obligations of CIIOs
Article 12 Security protection measures shall be planned, constructed, and used in tandem with the planning, construction, and use of CII.
Article 13 A CIIO shall establish and improve a cybersecurity protection system and a responsibility system to ensure the input of human, financial, and material resources. The head of a CIIO shall assume overall responsibility for the CII security protection, lead the CII security protection and the handling of major cybersecurity events, and make arrangements for research into and solution of major cybersecurity problems.
Article 14 A CIIO shall set up a special security management organization, and conduct security background checks on the head of such organization and the personnel in key positions. Public security organs and state security organs shall provide assistance in such checks.
Article 15 The special security management organization shall be responsible for the CII security protection of the entity to which it belongs, and perform the following responsibilities:
(1) Establishing and improving a cybersecurity management and evaluation system, and drawing up a CII security protection plan;
(2) Organizing the improvement of cybersecurity protection capacity, and carrying out cybersecurity monitoring, testing, and risk assessment;
(3) Developing the contingency plans of the entity based on the national and industry contingency plans for cybersecurity events, regularly carrying out emergency drills, and handling cybersecurity events;
(4) Determining key positions in respect of cybersecurity, organizing the evaluation of cybersecurity-related work, and putting forward suggestions for rewards and punishments;
(5) Organizing education and training in cybersecurity;
(6) Fulfilling the responsibility for protecting the......