Article 1: These Provisions are formulated on the basis of the "Cybersecurity Law of the P.R.C.", the "Measures on the Administration of Internet Information Services", and the "Measures on the Administration of Computer Information Network International Network Security Protections" , so as to strengthen security management of internet information services that have a public opinion nature or have capacity for social mobilization, and relevant new technologies and applications; to regulate Internet information service activities, to preserve national security, social order, and the public interest.
Article 2: "Internet information services of a public opinion nature or with capacity for social mobilization" as used in these Provisions, includes the following situations:
(1) Information services or associated functions such as starting forums, blogs, microblogs, chatrooms, communication groups, public accounts, short videos, live-streaming, information sharing, and mini programs;
(2) Starting other Internet information services that provide channels for the expression of public opinion or have the capacity for starting public participation in certain activities.
Article 3: In any one of the following circumstances internet information service providers shall follow these Provisions to carry out security assessments themselves, and take responsibility for the assessment results:
(1) Information services with public opinion properties or capacity for social mobilization go online, or information services add relevant functions;
(2) Where new technology or new applications are used causing major changes to occur in information services' functional attributes, the way the technology manifests, or the allocation of basic resources, leading leading to major changes in public opinion properties or capacity for social mobilization;
(3) The scale of users increases significantly, leading to major changes in the public opinion properties or capacity for social mobilization;
(4) Illegal and harmful transmission or dissemination occurs, showing that existing measures have difficulty in effectively preventing network security risks;
(5) Other situations where an internet information department or public security organ of the prefecture-level or higher give written notice of the need to conduct security assessment.
Article 4: Internet information service providers may carry out security assessments themselves and may also retain third-party security assessment bodies to conduct them.
Article 5: Internet information service providers carrying out security assessments shall conduct comprehensive assessments of the legality of information services and new technologies and applications; the efficacy of security measures put in place as provided by laws, administrative regulations, departmental rules, and standards; the efficacy of security risk prevention and controls, and so forth; emphasizing assessment of the following:
(1) Determining persons responsible for security management and information review, or for establishing security management bodies, corresponding to the services provided;
(2) Measures for verifying users true identities as well as storing registration information;
(3) Log information for user accounts, operation times, operation types, network source and destination addresses, network source ports, client terminal hardware specifications, and so forth, as well as measures for retaining records of user published information;
(4)Measures for prevention and handling of illegal and harmful information in service functions such as user account and communication group names, nicknames, introductions, notes, or logos; and in the publication, forwarding, commenting, and communication groups; and measures for storing relevant records;
(5) Technical measures for protection of personal information and prevention of the transmission and dissemination of illegal and harmful information, and uncontrolled risks with the capacity for social mobilization;
(6) The establishment of complaint and reporting systems, and public disclosure of information such as the methods for making complaints or reports, and promptly accepting and handling complaints and report;
(7) The establishment of working mechanisms for providing technical and data support and assistance to internet information departments lawfully performing oversight and management duties over Internet information services;
(8) The establishment of work mechanisms for providing technical and data support and assistance to public security organs' and state security organs' lawful activities in preserving national security and investigating crimes.
Article 6: Where internet information service providers discover hidden security threats while performing security assessments, they shall promptly rectify them, until the relevant security threat is extinguished.
Where through security assessments laws, administrative regulations, and departmental rules and standards are complied with, a security assessment report is to be formed. The security assessment report shall include the following:
(1) The functions, scope of service, hardware and software equipment, deployment locations, and other basic information on internet services, and the recept of relevant licenses;
(2) The implementation of security management systems and technical measures, and the efficacy of risk prevention and control;
(3) Security assessment conclusions;
(4) Other situations that need to be explained.
Article 7: Internet information service providers shall submit security assessment reports to the prefecture-level or higher internet information departments and public security organs for their area through the national Internet security management service platform.
In the situations provided for in article 3 (1),(2) of these Provisions, internet information service providers shall submit a security assessment report before information services, new technologies, or new applications go online, or before functions are added; and in the situations provided for in article 3 (3)-(5) of these Provisions, they shall submit a security assessment report within 30 working days of the relevant circumstance occurring.
Article 8: Internet information departments and public security organs at the prefecture-level and hire shall conduct a written review of the security assessment reports on the basis of their individual duties.
Where there are deficiencies in the security assessment reports' content or programs, or the security assessment methods are clearly improper, the internet information service providers shall be ordered to make a new assessment in a set period of time.
Where the security assessment reports' content is unclear, the internet information service providers may be ordered to make supplemental explanations.
Article 9: Where based on the written review of the security assessment reports, internet information departments and public security organs find that it is necessary, they shall carry out onsight inspections of internet information service providers on the basis of their individual duties.
Onsite inspections by internet information offices and public security organs shall be conducted jointly in principal, and must not disrupt the odinary operations of internet information service providers.
Article 10: For internet services where there are larger security risks that might impact national security, social order, or the public interest, the provincial-level internet information departments and public security organs shall organize experts to conduct a review, and when necessary may carry out onsite inspections in conjunction with the relevant local departments.
Article 11: Internet information departments and public security organs carrying out onsite inspections shall conduct them in accordance with the relevant laws, administrative regulations, and departmental rules.
Article 12: Internet information departments and public security organs shall establish systems for monitoring and oversight, strengthen network security risk management, and urge internet information service providers to lawfully perform their network security obligations.
Where it is discovered that internet information service providers that have public opinion properties or the capacity for social mobilization have not carried out security assessments in accordance with these Provisions, the Internet information departments and public security organs shall notify them to carry out a security assessment in accordance with these Provisions.
Article 13: Internet information departments and public security organs discovering internet information service providers that have public opinoin properties or the capacity for social mobilization and that refust to conduct security assessments in accordance with these Provisions, shall go through the national internet security management platform to inform the public that the internet information service has security threats, and conduct oversight inspections of the internet service in accordance with their individual duties; and where discovering illegal conduct, shall correct it in accordance with law.
Article 14: Internet information departments do overall coordination for security assessment work on internet information services that have public opinion properties or the capacity for social mobilizations. Public security organs will regularly report security assessment work conditions to Internet information departments.
Article 15: Internet information departments, public security organs and their staffs, shall keep state secrets, commercial secrets, and personal information which they learn of in performing their duties, strictly confidential, and must not leak, sell, or unlawfully provide it to others.
Article 16: The security assessment of Internet news information services new technology and and new applications is to be implemented in accordance with the "Provisions on the Management of Internet News Information Services Security Assessment of New Technologies and Applications".
Article 17: These Provisions take effect on November 30, 2018.