On 17 August 2021, the State Council of the People's Republic of China published the Regulation on the Protection of the Security of Critical Information Infrastructure (关键信息基础设施安全保护条例, the "CII Regulation"). The CII Regulation came into force on 1 September 2021, providing more clarity on the CII protection regime which was first introduced in China under the 2017 Cybersecurity Law.
Critical Information Infrastructure ("CII") is defined under the CII Regulation as important network facilities and information systems in important industries and sectors, and those whose destruction, loss of function or data leakage could seriously harm national security, the national economy, people's livelihoods, and the public interest. The CII Regulation highlights a few "important industries and sectors" where CIIs will be identified, including public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, and the national defence technology industry. For the purpose of identifying CII, the competent regulators of the important industries and sectors are required to develop rules for identifying CII in their industries and sectors ("CII Identification Rules"), determine the CII according to such rules, notify each CII operator of such decisions, and provide a copy of the CII list to the Ministry of Public Security.
Once an operator is identified as an operator of CII ("CIIO"), it should perform a number of specific obligations, including, amongst others, (i) planning, building and using security protection measures; (ii) establishing a cybersecurity protection system and responsibility system; (iii) setting up a special security management organisation; (iv) conducting cybersecurity inspections and risk assessments of its CII at least once a year; (v) reporting major cyber incidents or threats to the relevant authorities (with the particularly significant ones to be reported to the Cyberspace Administration of China and the Ministry of Public Security); and (vi) performing other obligations regarding the procurement of network products or services. CIIOs violating the CII Regulation may be punished by an order for rectification, a warning, and in serious cases a fine of up to RMB 1 million for entities. The responsible personnel of an errant CIIO will also face a monetary fine of up to RMB 100,000 in addition to other penalties including detention, criminal prosecution, and a prohibition from holding key positions in CIIOs in future.
It is especially noteworthy that the head of a CIIO (e.g. the CEO or General Manager of a CIIO) shall assume overall responsibility for CII security protection. According to the press release on the CII Regulation, the purpose of this provision is to ensure that CIIOs invest the necessary personnel, capital, equipment and facilities, and other resources to protect the security of CII.
Companies, especially those in the important industries and sectors, should keep a close eye on the CII Identification Rules to be released by the competent industry regulators. It is also advisable for such companies to conduct a self-assessment of the likelihood that their network facilities and information systems will be identified as CII.