To the communication administration bureaus of all provinces, autonomous regions and directly governed municipalities; to the China Academy of Information and Communications Technology; the China Telecommunications Corporation; China Mobile Communications Corporation; China United Network Communications Group Co., Ltd.; China Radio and Television Network Co., Ltd.; CITIC Networks Co., Ltd.; and to all operators of Internet data centers, operators of Internet access services, and operators of content distribution networks:
In recent years, network information technology has been rapidly changing, and development of applications in areas such as cloud computing and big data is thriving, and China's Internet access service market is facing rare opportunities for development, but signs of disorderly development are also emerging, urgently requiring rectification and regulation. In order to further regulate market order, strengthen online information security management, and promote the healthy and orderly development of the Internet sector, the Ministry of Industry and Information Technology has decided to carry out nationwide efforts to cleanup and regulate the Internet access service market from now until March 31, 2018. Notice on the relevant matters is given as follows:
To investigate and penalize illegal activities in the Internet datacenter (IDC), Internet access service (ISP) and content distribution network (CDN) markets, including business without permit, business beyond permitted scope, layer-by-layer subletting, etc.; to strengthen the management of business permits and access resources, and harden the management of cybersecurity; to maintain a fair and orderly market, and promote the healthy development of the sector.
II. Focuses of Work
(I) Strengthening qualification management, investigating and penalizing illegal businesses
1. All communications administration bureaus are to perform background investigations on enterprises providing IDC, ISP and CDN businesses within their jurisdiction, so as to eliminate following illegal business activities:
(1) Businesses without permits, i. e. enterprises, without having acquired the corresponding telecommunication business permits, conducting unauthorized IDC, ISP and CDN businesses in the jurisdiction.
(2) Business beyond geographical scope, i. e. enterprises holding corresponding telecommunication business permits that geographically does not cover the jurisdiction in question, nonetheless deploying IDCs and servers, and conducting ISP services.
(3) Business beyond business scope, i. e. enterprises holding certain telecommunication business permits, but conducting IDC, ISP and CDN services that go beyond the kinds of businesses specified in the permits.
(4) Subletting or transferring business permits, i. e. enterprises holding corresponding telecommunication business permits, using the notion of technical cooperation or something similar, providing qualifications or resources against regulation to enterprises without permits to conduct illegal telecommunication businesses.
2. Enterprises that have held IDC permits prior to the enactment of the Catalog of Telecommunication Businesses (Version 2015), in case they have started conducting Internet resource sharing (cloud computing) service or CDN businesses, should issue written assurance to the original permit issuing authority about fulfilling the requirements for the corresponding permits before the end of 2017, and acquire the corresponding telecommunication business permits no later than 31 March 2017.
Those who have not issued assurance in time, should, starting 1 April 2017, conduct business activities strictly within the business scope specified in their business permits, and must not conduct unpermitted business. Those who have not acquired the corresponding telecommunication business permits in time, as assured, must, starting 1 January 2018, no longer conduct the corresponding businesses.
(II) Hardening resource management, eliminating irregular usage
All enterprises providing basic telecommunication services and Internet access services are to comprehensively self-investigate their basic network infrastructure, as well as the usage of network access resources such as IP addresses and network bandwidth, so as to rectify the following issues:
1. Insufficient management of network access resources. All enterprises providing basic telecommunication services should strengthen the management of network channel resources, strictly inspect the qualifications of and the intended use by the leasing party, and must not provide basic network infrastructure for conducting IDC, ISP and CDN businesses, or network access resources such as IP addresses and network bandwidth, to enterprises and individuals with no corresponding telecommunication business permits.
2. Self-creation or usage of illegal resources against regulations. Enterprises providing IDC, ISP and CDN services must not create telecommunication equipment on their own, and must not use basic network infrastructure and network access resources such as IP addresses and network bandwidth that are provided by institutions or individuals who do not have the corresponding telecommunication business permits.
3. Layer-by-layer subletting. Enterprises providing IDC and ISP services must not sublet network access resources they has acquired, such as IP addresses and network bandwidth, to other enterprises to be used to conduct IDC and ISP services by themselves.
(III) Implementing relevant ordinances, consolidating ground for management
Requirements specified in the "Notification by the Ministry of Industry and Information Technology on Further Standardizing the Market Entry Permit Process for Internet Datacenter (IDC) and Internet Access Service (ISP) Businesses" (MIIT Infocom. Dept. Doc. No.  552, herein after "The Notification") regarding funds, employees, sites, equipment, technical solutions and information security management are to be implemented, and management of the complete process before, during and after events are to be strengthened.
1. Enterprises that have acquired IDC and ISP permits prior to 1 December 2012 should, in reference to the requirements specified in The Notification regarding funds, employees, sites, equipment, technical solutions and information security management, create relevant systems, pass reviews and tests, and wrap-up the system docking process.
Enterprises who do not yet meet the requirements should issue written assurance to the original permit issuing authority about fulfilling the requirements before the end of 2017, pass reviews and tests, and wrap-up the system docking process no later than 31 March 2017. Those who have not issued assurance in time, and those who have not passed reviews and tests, and wrapped-up the system docking process in time, as assured, should be urged by the communications administration bureaus to rectify.
Specifically, all relevant enterprises should wrap-up the creation, reviews and tests, and system docking process of their cybersecurity management system, in accordance with the "Notice on Doing Good Work to Create and Dock Cybersecuriy Management Systems", the "Letter to Report the Situation of Docking the Cybersecurity Management Systems of Value-Added IDC and ISP Enterprises in the Country", and the "Regulation on Using and Operating Cybersecurity Management Systems (Trial)" (MIIT General Office Cybersec. Doc. No.  135). Enterprises who have not fulfilled the requirement in time will not pass the annual test for their telecommunication business permits.
2. Enterprises applying for new IDC (including cloud computing) business permit need to create a record system for Internet content providers (ICP), IP addresses, and domain names, a management platform for network access resources and a cybersecurity management system; implement requirements on IDC operational security and information security, and pass relevant reviews and tests.
3. Enterprises applying for new CDN business permit need to create a record system for Internet content providers (ICP), IP addresses, and domain names, a management platform for network access resources and a cybersecurity management system; implement requirements on information security, and pass relevant reviews and tests.
4. Enterprises holding existing IDC permit who apply for extending their scope of business, or adding new server rooms and operation stations within their existing scope of business, need to fulfill the requirements specified in The Notification regarding IDC operational security and information security, and pass relevant reviews and tests.
5. Enterprises holding existing ISP (including website hosting) permit who apply for extending their scope of business, need to fulfill the requirements specified in The Notification regarding information security, and pass relevant reviews and tests.
6. Enterprises holding existing CDN permits who apply for extending their scope of business, or adding new bandwidth and operation stations within their existing scope of business, need to fulfill the requirements specified in The Notification regarding information security, and pass relevant reviews and tests.
III. Safeguard Measures
(I) Providing policy communication and guidance, performing consultation services
(II) Initiating comprehensive self-inspection, cleaning up and rectifying on one's own initiative
(III) Strengthening supervision and inspection, strictly investigating irregular activities
各通信管理局加强对企业落实情况的监督检查，发现违规问题要督促企业及时整改，对拒不整改的企业要依法严肃查处；情节严重的，应在年检工作中认定为年检不合格，将其行为依法列入企业不良信用记录，经营许可证到期时依法不予续期，并且基础电信企业在与其开展合作、提供接入服务时应当重点考虑其信用记录。 The department will combine situations such as petitions, reports, and public opinion feedback, to organize and carry out supervision sampling at appropriate times.
(IV) Improving exit mechanisms, performing wrap-up work
对未达到相关许可要求或被列入因存在违规行为被列入不良信用记录的企业，不得继续发展新用户。 发证机关督促相关企业在此期间按照《电信业务经营许可管理办法》有关规定做好用户善后工作。 向发证机关提交经营许可证注销申请的，发证机关应依法注销该企业的IDC、ISP经营许可证。
(V) Improving credit management, strengthening personnel training
Actively give play to third party organization advantages, study the establishment of IDC/ISP/CDN enterprise credit appraisal mechanisms, and starting with comprehensive, multi-faceted evaluation of infrastructure, service quality, capacity of network and information security safeguards, and forth, to lead enterprises to emphasize their credit status, improve the construction of management systems, and regulate market business conduct. All communications administration bureaus should strengthen technical training of relevant industry personnel, continuously raising the professional competence and capacity of industry personnel.
IV. Work Requirements
(I) Heightening awareness, strengthening organizational leadership
(II) Division of labor and cooperation, implementing of all responsibilities
Each Communications Administration Bureau, basic telecommunications operations companies, and Internet network access service enterprises, are to implement the responsibility, and on the basis the requirements of this Notification draft a work plan, clarifying tasks and the division of labor, work schedules and responsibility; specifying work with responsibility reaching the individual, to ensure that all tasks of this effort on cleaning up and standardization are completed on time.
(III) Strengthening communication, regularly delivering summaries and reports
Each Communications Administration Bureau, all basic telecommunications business group to strengthen communication and cooperation, sum up experience, to the end of each quarter section (Information and Communication Authority) submitted to the work progress, major problems at any Ministry reported. Departments (Information Communications Administration Bureaus) are to establish a reporting system, and periodically announce progress in the standardization and cleaning-up
Ministry of Industry and Information Technology