Regulations on Critical Information Infrastructure Security Protections

ALL TRANSLATIONS ON THIS SITE ARE UNOFFICIAL AND ARE PROVIDED FOR REFERENCE PURPOSES ONLY. THESE TRANSLATIONS ARE CREATED AND CONTINUOUSLY UPDATED BY USERS –THEY ARE FREE TO VIEW, BUT PROPER ATTRIBUTION IS REQUIRED FOR DISTRIBUTION OF THESE OR DERIVATIVE TRANSLATIONS. PAGES WITHOUT IMAGES ARE WORKS IN PROGRESS.

English中文(简体)

Promulgation Date: 2021-7-30
Title: Regulations on Critical Information Infrastructure Security Protections
Document Number:令第745号
Promulgating Entities:State Council
Source of text: http://www.gov.cn/zhengce/content/2021-08/17/content_5631671.htm

Article 1: These Regulations are drafted in accordance with the ”Cybersecurity Law of the People's Republic of China“ so as to protect the security of critical information infrastructure and preserve cybersecurity.

Article 2: "Critical information infrastructure" as used in these Regulations refers to public communication and information services, power, traffic, water, finance, public services, electronic governance, the national defense technology industry and other important industries and sectors, as well as other important network facilities and information systems for which the destruction, loss of function, or data leakage might seriously endanger national security, national welfare and the people's livelihood, or the public interest.

Article 3: the Department for public security under the State Council is responsible for guiding and overseeing efforts to protect the security of critical information infrastructure under the overall plan of the State Internet Information Department, The State Council Departments for telecommunications and other relevant departments, are responsible for efforts to protect the security of critical information infrastructure and for oversight and management within the scope of their responsibilities, in accordance with the provisions of this Law, relevant laws and administrative regulations.

The relevant departments of provincial level people's governments are to carry out protections for the security of critical information infrastructure and oversight and management within the scope of their respective duties.

Article 4: Security protections for critical information infrastructure are to persist in overall coordination, divisions of labor and responsibility, and lawful protections to strengthen and implement entity responsibility for critical information infrastructure operators (hereinafter "operators"), giving full play to the role of government and all parts of society, to jointly protect the security of critical information infrastructure.

Article 5: The State is to implement key protections for critical information infrastructure, employing measures to monitor, defend against, and handle risks and threats to cybersecurity from inside and outside the People's Republic of China, protecting critical information infrastructure from attack, intrusion, disruption, and destruction, and lawfully punishing unlawful and criminal activities that endanger the security of critical information infrastructure.

No individual or organization may carry out unlawful activities that intrude on, disrupt, or destroy critical information infrastructure, and they must not endanger the security of critical information infrastructure.

Article 6: In accordance with these Regulations and relevant laws, administrative regulations, and the mandatory requirements of national standards, and on the foundation of the multi-level cybersecurity protection scheme, operators are to employ technical measures and other necessary measures to respond to cybersecurity incidents, prevent network attacks and illegal and criminal activities, safeguard the secure and stable operation of critical information infrastructure, and preserve the integrity and, confidentiality, and usability of data.

Article 7: Units and individuals that achieve notable success in effort to protect the security of critical information infrastructure or that make outstanding contributions are to be given commendations in accordance with relevant state provisions.

Section 2: Designation of Critical Information Infrastructure

Article 8: The regulatory departments and oversight and management departments for the important industries and sectors in article 2 of these Regulations are the departments responsible for the protection of critical information infrastructure security (hereinafter Protection Work Departments).

Article 9: The Protection Work Departments are to consider the actual conditions in the corresponding industry or sector to draft rules for the designation of critical information infrastructure and report these for filing to the State Council public security department.

The drafting of designation standards shall primarily consider the following factors:

(1) The degree of importance of the network facilities and information systems to the corresponding industry or sector's core operations;

(2) The degree of harm that might be brought on by the network facility or information system's destruction, loss of function, or data leakage;

(3) The related impact on other industries and sectors.

Article 10: The Protection Work Departments are responsible for organizing determinations of critical information infrastructure in the corresponding industry or sector on the basis of the designation rules, and are to promptly notify operators of the results of designations and report to the State Council public security department.

Article 11: Where there are larger changes to critical information infrastructure that impact the results of a determination, the operators shall promptly report the relevant circumstances to the Protection Work Departments. The Protection Work Departments are to complete a new determination within 3 months of receiving the report and are to notify operators of the results of designations and report to the State Council public security department.

Chapter III: Legal Responsibility and Obligations of Operators

Article 12: Security protection measures shall be planned, constructed, and used in sync with critical information infrastructure.

Article 13: Operators shall establish and complete systems for the cybersecurity protections and responsibility, ensuring the investment of human, financial, and material resources. The principal responsible persons for operators have the overall responsibility for the protection of critical information infrastructure security, lead efforts on the protection of critical information infrastructure and on the handling of major cybersecurity incidents, and organize research into resolving major issues in cybersecurity.

Article 14: Operators shall set up specialized bodies for security management and conduct security background checks for the persons in charge of the specialized security management bodies and for persons in critical positions. When conducting reviews, the public security organs and state security organs shall assist.

Article 15: The specialized security management bodies are specifically responsible for that unit's efforts on the protection of critical information infrastructure security, performing the following duties:

(1) Establishing and completing systems for cybersecurity management, appraisals, and evaluation, and drawing up critical information infrastructure security protection plans;

(2) Organizing and promoting the establishment of cybersecurity defense capabilities, carrying out cybersecurity monitoring, testing, and risk assessment;

(3) Drafting an emergency response plan for that unit in accordance with the national and industry emergency response plans for cybersecurity incidents, periodically carrying out drills, and handling cybersecurity incidents.

(4) Designating critical positions for cybersecurity, organizing and carrying out evaluations of cybersecurity work, and submitting recommendations for awards and punishments;

(5) Organizing education and training on cybersecurity;

(6) Performing responsibilities for the protection of personal information and data security; establishing and completing systems for the protection of personal information and data security;

(7) Managing the security of critical information infrastructure planning, construction, operations, maintenance, and other such services;

(8) Reporting cybersecurity incidents and important matters as provided.

Article 16: Operators shall ensure the operating expenses and allot corresponding personnel for specialized security management bodies, and personnel for the specialized security management bodies shall participate in carrying out decision-making related to cybersecurity and informatization.

Article 17: Operators shall carry out cybersecurity testing and risk assessment of critical information infrastructure at least once per year either on their own or by retaining a cybersecurity service body, and promptly correct any security issues that are discovered and report the circumstances in accordance with the requirements of the Production Work Departments.

Article 18: When major cybersecurity incidents occur in critical information infrastructure or major cybersecurity threats are discovered, operators shall report to the Protection Work Departments and public security organs in accordance with relevant provisions.

Where especially serious cybersecurity incidents occur or especially major cybersecurity threats are discovered such as overall interruption of operations or primary function failures, leaks of basic state information and other important data, larger leaks of personal information, causing larger economic losses, or illegally transmitting a larger scope of information, the Protection Work Departments shall promptly report to the State Internet Information Department and the State Council public security department after receiving the report.

Article 19: Operators shall give priority to purchasing network products and services that are secure and reliable; and where purchasing network products or services that might impact national security, is shall be through a security review in accordance with national cybersecurity provisions.

Article 20: Operators purchasing network products and services shall sign security and confidentiality agreements with network product and service providers in accordance with relevant state provisions, clarifying the providers' technical support, security, and confidentiality obligations and responsibility, and conduct oversight of the performance of obligations and responsibilities.

Article 21: Where circumstances such as mergers, division, or disbanding of operators occur, they shall promptly report to the Protection Work Departments and handle critical information infrastructure in accordance with the requirements of the Protection Work Departments to ensure security.

Chapter IV: Safeguards and Promotion

Article 22: The Protection Work Departments shall draft critical information infrastructure security plans for the corresponding industry or sector, clarifying the goals, basic requirements, work responsibility, and specific measures for protection.

Article 23: The State internet information departments are to coordinate relevant departments in establishing mechanisms for cybersecurity information sharing, promptly aggregating, assessing, sharing, and publishing cybersecurity threats, vulnerabilities, incidents, and other information, promoting the sharing of cybersecurity information between relevant departments, Protection Work Departments, operators, and cybersecurity service bodies.

Article 24: The Protection Work Departments shall establish and complete cybersecurity monitoring and alert systems for the corresponding industry or sector, promptly getting a grip on the operations status and security situation for critical information infrastructure in that industry or sector, giving alerts and notification of cybersecurity threats and risks, and guiding the completion of prevention efforts.

Article 25: In accordance with the requirements of the national cybersecurity incident emergency response plan, the Protection Work Departments are to establish and complete emergency response plans for the corresponding industry or sector and periodically organize drills; guiding operators to do good a job in handling cybersecurity incidents and organizing the provision of technical support and assistance as needed.

Article 26: The Protection Work Departments shall periodically organize and carry out inspections and testing of cybersecurity of critical information infrastructure, guiding and overseeing operators' prompt correction of security risks and improvement of security measures.

Article 27: The state internet information department is to plan and coordinate the State Council public security departments' and Protection Work Departments' conducting of inspections and testing of cybersecurity for critical information infrastructure, and submit corrective measures.

When carrying out inspections of cybersecurity for critical information infrastructure, relevant organs shall strengthen coordination and cooperation, and communication of information, to avoid unnecessary inspections and overlapping inspections. Fees must not be collected in inspection work, and the unit being inspected must not be required to buy specific brands of products or services, or those produced or sold by specific units.

Article 28: Operators shall cooperate with efforts of the Protection Work Departments on the inspection and testing of cybersecurity for critical information infrastructure, as well as inspection work on cybersecurity for critical information infrastructure carried out by relevant departments such as for public security, state security, administration of secrets, and password management in accordance with law.

Article 29: In efforts on protecting the security of critical information infrastructure, the state internet information department and the State Council departments for telecommunications, public security, and so forth shall promptly provide technical support and assistance as needed by the Protection Work Departments.

Article 30: Information obtained during efforts on the protection of critical information infrastructure security by internet information departments, public security organs, Protection Work Departments, and other relevant departments, as well as cybersecurity service bodies and their staffs is to be used only for the preservation of cybersecurity, and must not be leaked, sold, or illegally provided to others.

Article 31: Without the permission of the state internet information department and the State Council public security department or authorization from the Protection Work Departments or operators, no individual or organization may carry out vulnerability detection or permeability testing of critical information infrastructure or other activities that might endanger the security of critical information infrastructure. Vulnerability detection and permeability testing of foundational telecommunication networks shall be reported in advance to the State Council department in charge of telecommunications.

Article 32: The state is to employ measures to prioritize safeguarding the secure operation of critical information infrastructure such as for energy and telecommunications.

The energy and telecommunications industries shall employ measures to provide key safeguards for the secure operation of critical information infrastructure of other industries and sectors.

Article 33: Based on their respective duties, the public security organs and state security organs are to strengthen the protection of critical information infrastructure in accordance with law, to prevent attacks targetting critical information infrastructure or using it to commit illegal and criminal activities.

Article 34: The state is to draft and improve standards for critical information infrastructure security, guiding and regulating efforts on the protection of security for critical information infrastructure.

Article 35: The state is to employ measures to encourage specialized cybersecurity personnel to engage in efforts to protect the security of critical information infrastructure, and include operators' security management personnel and security technical personnel in the national continuing education system.

Article 36: The state supports technical innovation and product development for critical information infrastructure security, and is to organize forces to carry out technical breakthroughs for critical information infrastructure security.

Article 37: The state is to strengthen the establishment and management of cybersecurity service bodies, drafting management requirements and strengthening oversight and guidance to continuously increase the capacity of service bodies and give full play to their role in protecting the security of critical information infrastructure.

Article 38: The state is to strengthen military-civilian integration in cybersecurity, with the military and local governments working together to protect critical information infrastructure security.

Chapter V: Legal Responsibility

Article 39:Where operators have any of the following circumstances,, the relevant competent departments are to order corrections and give warnings based on their duties; where corrections are refused or it causes endangerment of cybersecurity or other consequences, a fine of between RMB 100,000 and 1,000,000 is to be given; and the persons who are directly in charge are fined between RMB 10,000 and 100,000:

(1) There are larger changes to critical information infrastructure that impact the results of a determination, and the operators do not promptly report the relevant circumstances to the Protection Work Departments.

(2) Security protection measures are not synchronized with the planning, construction, and use of critical information infrastructure;

(3) Systems for cybersecurity protection and responsibility are not established and completed;

(4) Specialized security management bodies were not set up;

(5) Failure to conduct security background checks for the persons in charge of the specialized security management bodies and for persons in critical positions;

(6) Not having specialized security management bodies participate in carrying out decision-making related to cybersecurity and informatization;

(7) Specialized security management bodies failing to perform the duties provided in article 15 of these Regulations;

(8) Failure to carry out cybersecurity testing and risk assessment of critical information infrastructure at least once per year either on their own or by retaining a cybersecurity service body, failure to promptly correct any security issues that are discovered, or failure to report the circumstances in accordance with the requirements of the Production Work Departments.

(9) Purchasing network products and services without signing security and confidentiality agreements with network product and service providers in accordance with relevant state provisions;

(10) Where circumstances such as mergers, division, or disbanding occur, and they do not promptly report to the Protection Work Departments and handle critical information infrastructure in accordance with the requirements of the Protection Work Departments.

Article 40: When operators fail to report to the Protection Work Departments and public security organs as provided when major cybersecurity incidents occur in critical information infrastructure or major threats are discovered, the Protection Work Departments and public security organs are to order corrections and give warnings based on their duties; where corrections are refused or it causes endangerment of cybersecurity or other consequences, a fine of between RMB 100,000 and 1,000,000 is to be given; and the persons who are directly in charge are fined between RMB 10,000 and 100,000.

Article 41: Where operators purchasing network products or services that might impact national security fail to conduct security reviews in accordance with state provisions on cybersecurity, the state internet information departments and other competent departments are to order corrections on the basis of their duties and give fines of between 1 and 10 times the value, and fine directly responsible managers and other directly responsible personnel between 10,000 and 100,000 RMB.

Article 42: Where operators do not cooperate with efforts of the Protection Work Departments on the inspection and testing of cybersecurity for critical information infrastructure, as well as inspection work on cybersecurity for critical information infrastructure carried out by relevant departments such as for public security, state security, administration of secrets, and password management in accordance with law. the relevant departments are to order corrections; where the corrections are refused a fine of between 50,000 and 500,000 RMB is to be given, the directly responsible managers and other directly responsible personnel are to be fined between 10,000 and 100,000 RMB; and where the circumstances are serious corresponding legal responsibility is to be pursued in accordance with law.

Article 43: Where critical information infrastructure is illegally intruded upon, disrupted, or destroyed, or other activities endangering national security are carried out, but it does not constitute a crime, the public security organs are to confiscate unlawful gains, give up to 5 days detention, and may give a concurrent fine of between 50,000 and 500,000 RMB; where the circumstances are serious, between 5 and 15 days detention are to be given, and a concurrent fine of between 100,000 and 1,000,000 RMB.

Where units exhibit the conduct of the preceding paragraph, the public security organs are to confiscate the unlawful gains and give a fine of between 100,000 and 1,000,000 RMB, and the directly responsible persons in charge and other directly responsible personnel are to be fined in accordance with the preceding paragraph.

Where the second paragraph of Article 5 or Article 31 of these Regulations is violated, persons who receive public security administrative sanctions must not engage in key cybersecurity management or network operations positions for 5 years; those receiving criminal punishments must not take on work in key cybersecurity management and network operations positions for their lifetimes.

Article 44:Where the state internet information department, public security organs, and other relevant departments and their staffs fail to perform duties to protect the security of critical information infrastructure and of oversight and management, or derelict their duties, abuse their authority, or twist the law for personal gain, the directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law.

Article 45:Where public security organs, Protection Work Departments, and other relevant departments collect fees during cybersecurity inspections of critical information infrastructure, or request that the units being inspected purchase certain brands of product or designate products and services produced or sold by a certain unit, the higher level organ is to order corrections and the return of the collected fees; and where the circumstances are serious, they are to give sanctions to the directly responsible managers and other directly responsible personnel in accordance with law.

Article 46:Where information obtained during efforts on the protection of critical information infrastructure security by nternet information departments, public security organs, Protection Work Departments, and other relevant departments, as well as cybersecurity service bodies and their staffs is used for other purposes or leaked, sold, or illegally provided to others. the directly responsible managers and other directly responsible personnel are to be given sanctions in accordance with law.

Article 47:Where major or especially major cybersecurity incidents occur in critical information infrastructure, and it is determined to be a human error accident upon investigation, in addition to ascertaining and pursuing operators' responsibility, the responsibility of relevant cybersecurity service institutions and relevant departments should be ascertained, and where there is unlawful conduct such as dereliction of duty or malfeasance, responsibility shall be pursued in accordance with law.

Article 48:Where the operators of critical information infrastructure for e-governance do not perform the cybersecurity obligations in these Regulations, punishment is to be given in accordance with the relevant provisions of the Cybersecurity Law of the PRC.

Article 49: Where violations of the provisions of these Regulations cause harm to others, civil liability is to be borne in accordance with law.

Where violations of provisions of these Regulations constitute a violation of public security administration, the public security organs will give public security administrative punishments in accordance with law; and where a crime is constituted, criminal responsibility is pursued in accordance with law.

Chapter VI: Supplementary Provisions

Article 50:The security protections for critical information infrastructures that are storing or handling information involving state secret information shall further comply with the provisions of laws and administrative regulations on secrecy.

The use and management of passwords in critical information infrastructure shall further comply with the provisions of laws and administrative regulations on passwords.

Article 51:These Regulations will take effect on September 1, 2021.

 

About China Law Translate 1135 Articles
CLT is a crowdsourced, crowdfunded legal translation project that enables English speaking people to better understand Chinese law.

Be the first to comment

Leave a Reply

Your email address will not be published.


*