The regulations aim to protect the security of the CII and impose more compliance obligations in support of the Network Security Law.

By Hui Xu and Kieran Donovan

On July 30, 2021, the State Council of the People’s Republic of China (PRC) published the Security Protection Regulations on the Critical Information Infrastructure (the Regulations), which were adopted by the State Council on April 27, 2021. The Regulations took effect on September 1, 2021, along with the recently passed Data Security Law. The Regulations are the first set of administrative regulations promulgated by the State Council on the critical information infrastructure (the CII) after the concept of the CII was initially introduced in the Network Security Law in 2016.

The Regulations are designed to provide clarification and guidance on:

  • Scope and designation of the CII. The Regulations offer a more detailed definition of the CII than that in the Network Security Law, and add “national defense and technology industries” to the scope of the important industries and sectors. For a more specific identification of the CII, the Regulations delegate to the competent industry regulators the authority to formulate the implementing rules to designate the CII for their industries and sectors.
  • Compliance obligations for critical information infrastructure operators (CIIOs). The Regulations further impose compliance obligations on CIIOs, namely: (1) establishing comprehensive network security protection systems and accountability systems; (2) setting up a specified security management function to carry out security protection work; (3) carrying out network security inspections and risk assessments; (4) undertaking network security reviews and entering into confidentiality agreements when purchasing network products and services; and (5) reporting network security incidents or threats to authorities.
  • Regulatory requirements on the protection of the CII. The Regulations outline responsibilities and duties for related governmental authorities to carry out the security protection of the CII, including the Protection Departments of relevant industries, the Cybersecurity Administration of China, the Public Security Bureaus, the National Security Bureaus, and relevant authorities at provincial levels.
  • Penalties (including high fines and severe consequences) on CIIOs that fail to fulfill the compliance obligations and to meet regulatory requirements. The Regulations are generally consistent with the Network Security Law on penalties for CIIOs that breach their obligations. Non-compliant CIIOs may be required to rectify damage caused by violations, may receive a warning from competent authorities, and may face monetary penalties of up to CNY1 million (~US$154,000); responsible personnel may be subject to fines of up to CNY100,000 (~US$15,000).

Read the full Client Alert.