MIIT notice on Cleaning Up and Regulating the Internet Access Service Market

To the communication administration bureaus of all provinces, autonomous regions and directly governed municipalities; to the China Academy of Information and Communications Technology; the China Telecommunications Corporation; China Mobile Communications Corporation; China United Network Communications Group Co., Ltd.; China Radio and Television Network Co., Ltd.; CITIC Networks Co., Ltd.; and to all operators of Internet data centers, operators of Internet access services, and operators of content distribution networks:

In recent years, network information technology has been constantly changing, with the vigorous development of applications such as cloud computing and big data, China's Internet access service market is facing rare opportunities for development, but signs of disorderly development are also emerging, urgently requiring rectification and regulation. In order to further regulate market order, strengthen online information security management, and promote the healthy and orderly development of the Internet sector, the Ministry of Industry and Information Technology has decided to carry out nationwide efforts to cleanup and regulate the Internet access service market from now until March 31, 2018. Notice on the relevant matters is given as follows:

I. Goals

To investigate and penalize illegal activities in the Internet datacenter (IDC), Internet access service (ISP) and content distribution network (CDN) markets, including unlicensed businesses, business exceeding the scope of permits, layer-by-layer subletting, etc.; to strengthen the management of business permits and access resources, and harden the management of cybersecurity; to maintain a fair and orderly market, and promote the healthy development of the sector.

II. Focuses of Work

(I) Strengthening qualification management, investigating and penalizing illegal businesses

1. All communications administration bureaus are to perform background investigations on enterprises providing IDC, ISP and CDN businesses within their jurisdiction, so as to eliminate following illegal business activities:

(1) Businesses without permits, i. e. enterprises, without having acquired the corresponding telecommunication business permits, conducting unauthorized IDC, ISP and CDN businesses in the jurisdiction.

(2) Business beyond geographical scope, i. e. enterprises holding corresponding telecommunication business permits that geographically does not cover the jurisdiction in question, nonetheless deploying IDCs and servers, and conducting ISP services.

(3) Business beyond business scope, i. e. enterprises holding certain telecommunication business permits, but conducting IDC, ISP and CDN services that go beyond the kinds of businesses specified in the permits.

(4) Subletting or transferring business permits, i. e. enterprises holding corresponding telecommunication business permits, using the notion of technical cooperation or something similar, providing qualifications or resources against regulation to enterprises without permits to conduct illegal telecommunication businesses.

2. Enterprises that have held IDC permits prior to the enactment of the Catalog of Telecommunication Businesses (Version 2015), in case they have started conducting Internet resource sharing (cloud computing) service or CDN businesses, should issue written assurance to the original permit issuing authority about fulfilling the requirements for the corresponding permits before the end of 2017, and acquire the corresponding telecommunication business permits no later than 31 March 2017.

Those who have not issued assurance in time, should, starting 1 April 2017, conduct business activities strictly within the business scope specified in their business permits, and must not conduct unpermitted business. Those who have not acquired the corresponding telecommunication business permits in time, as assured, must, starting 1 January 2018, no longer conduct the corresponding businesses.

(II) Hardening resource management, eliminating irregular usage

All enterprises providing basic telecommunication services and Internet access services are to comprehensively self-investigate their basic network infrastructure, as well as the usage of network access resources such as IP addresses and network bandwidth, so as to rectify the following issues:

1. Insufficient management of network access resources. All enterprises providing basic telecommunication services should strengthen the management of network channel resources, strictly inspect the qualifications of and the intended use by the leasing party, and must not provide basic network infrastructure for conducting IDC, ISP and CDN businesses, or network access resources such as IP addresses and network bandwidth, to enterprises and individuals with no corresponding telecommunication business permits.

2. Self-creation or usage of illegal resources against regulations. Enterprises providing IDC, ISP and CDN services must not create telecommunication equipment on their own, and must not use basic network infrastructure and network access resources such as IP addresses and network bandwidth that are provided by institutions or individuals who do not have the corresponding telecommunication business permits.

3. Layer-by-layer subletting. Enterprises providing IDC and ISP services must not sublet network access resources they have acquired, such as IP addresses and network bandwidth, to other enterprises to be used to conduct IDC and ISP services by themselves.

4. The problem of cross-border operations conducted against regulations. Absent approval by the telecommunication management departments, dedicated lines (including virtual private networks/ VPN) or other information channels must not be created or hired on one's own to conduct cross-border business activities. Basic telecommunication enterprises leasing dedicated international lines to users, should create a centralized user archive, and make clear to the users that the terms of use of those lines are limited to internal office use, and that the lines must not be used to connect to domestic or overseas datacenters or operations platforms to conduct telecommunication operations business activities.

(III) Implementing relevant ordinances, consolidating ground for management

Requirements specified in the "Notification by the Ministry of Industry and Information Technology on Further Standardizing the Market Entry Permit Process for Internet Datacenter (IDC) and Internet Access Service (ISP) Businesses" (MIIT Infocom. Dept. Doc. No. [2012] 552, herein after "The Notification") regarding funds, employees, sites, equipment, technical solutions and information security management are to be implemented, and management of the complete process before, during and after events are to be strengthened.

1. Enterprises that have acquired IDC and ISP permits prior to 1 December 2012 should, in reference to the requirements specified in The Notification regarding funds, employees, sites, equipment, technical solutions and information security management, create relevant systems, pass reviews and tests, and wrap-up the system docking process.

Enterprises who do not yet meet the requirements should issue written assurance to the original permit issuing authority about fulfilling the requirements before the end of 2017, pass reviews and tests, and wrap-up the system docking process no later than 31 March 2017. Those who have not issued assurance in time, and those who have not passed reviews and tests, and wrapped-up the system docking process in time, as assured, should be urged by the communications administration bureaus to rectify.

Specifically, all relevant enterprises should wrap-up the creation, reviews and tests, and system docking process of their cybersecurity management system, in accordance with the "Notice on Doing Good Work to Create and Dock Cybersecuriy Management Systems", the "Letter to Report the Situation of Docking the Cybersecurity Management Systems of Value-Added IDC and ISP Enterprises in the Country", and the "Regulation on Using and Operating Cybersecurity Management Systems (Trial)" (MIIT General Office Cybersec. Doc. No. [2016] 135). Enterprises who have not fulfilled the requirement in time will not pass the annual test for their telecommunication business permits.

2. Enterprises applying for new IDC (including cloud computing) business permit need to create a record system for Internet content providers (ICP), IP addresses, and domain names, a management platform for network access resources and a cybersecurity management system; implement requirements on IDC operational security and information security, and pass relevant reviews and tests.

3. Enterprises applying for new CDN business permit need to create a record system for Internet content providers (ICP), IP addresses, and domain names, a management platform for network access resources and a cybersecurity management system; implement requirements on information security, and pass relevant reviews and tests.

4. Enterprises holding existing IDC permit who apply for extending their scope of business, or adding new server rooms and operation stations within their existing scope of business, need to fulfill the requirements specified in The Notification regarding IDC operational security and information security, and pass relevant reviews and tests.

5. Enterprises holding existing ISP (including website hosting) permit who apply for extending their scope of business, need to fulfill the requirements specified in The Notification regarding information security, and pass relevant reviews and tests.

6. Enterprises holding existing CDN permits who apply for extending their scope of business, or adding new bandwidth and operation stations within their existing scope of business, need to fulfill the requirements specified in The Notification regarding information security, and pass relevant reviews and tests.

III. Safeguard Measures

(I) Providing policy communication and guidance, performing consultation services

Each Communications Management bureau should use all kinds of methods to do a good job of efforts to publicize, implement, and explain policies, announce telephone numbers for receiving relevant reports and answering queries from enterprises, and lead businesses to lawfully carry out business activities in accordance with law. Chinese Academy of Information and Communications Technology should do a good job of related evaluation support work, and assist the Ministry and each communications management bureau in efforts such as publicizing and implementing policies, accepting reports, responding to enterprise questions.

(II) Initiating comprehensive self-inspection, cleaning up and rectifying on one's own initiative

Each basic telecommunications enterprise conglomerate corporation should organize the enterprises under them in comprehensive self-inspections, unifying business operation rules and related requirements, strengthening regulation and management over the full workflow from contract constraints, review of usage, accountability for violations, and so forth, to strictly prevent all kinds of use of entry resources in violation of rules; and immediately correct existing problems, and pursue accountability of those responsible.

Each IDC, ISP, and CDN enterprise should implement entity responsibility, comprehensively self-inspect and cleanse in accordance with the requirements of this notice, promptly correct all kinds of violations, ensure the legality of business licenses, standardize the use of network equipment and circuit resources, and strengthen each the establishment of each element of the management system and carry out reviews.

(III) Strengthening supervision and inspection, strictly investigating irregular activities

Each communications management bureau is to strengthen supervisory inspections of enterprises' implementation situation, and should urge enterprises prompt correction of any violations or issues discovered; enterprises that refuse to make corrections should be strictly dealt with in accordance with law; where the circumstances are serious, they shall be found to be non-compliant in annual inspections, their conduct is to be included in their negative enterprise credit record, their business licenses are not to be continued in accordance with law when they expire, and moreover, their credit record shall be a key consideration when basic telecommunications enterprises carry out cooperation with them or provide access services. The department will combine situations such as petitions, reports, and public opinion feedback, to organize and carry out supervision sampling at appropriate times.

(IV) Improving exit mechanisms, performing wrap-up work

Enterprises that do not meet the requirements of relevant permits or have been listed as having negative credit records due to violations must not continue to add new new accounts. The document issuing organ should urge the relevant enterprises to do a good job of user resolution work in accordance with the "Telecommunications Enterprises Permit Management Measures" Where an application for deregistration of business permits is submitted to the permit issuing organ, that organ should lawfully deregister that enterprise's IDC or ISP business permit.

(V) Improving credit management, strengthening personnel training

Actively give play to third party organization advantages, study the establishment of IDC/ISP/CDN enterprise credit appraisal mechanisms, and starting with comprehensive, multi-faceted evaluation of infrastructure, service quality, capacity of network and information security safeguards, and forth, to lead enterprises to emphasize their credit status, improve the construction of management systems, and regulate market business conduct. All communications administration bureaus should strengthen technical training of relevant industry personnel, continuously raising the professional competence and capacity of industry personnel.

IV. Work Requirements

(I) Heightening awareness, strengthening organizational leadership

Carrying out efforts to regulate and clean up the Internet access services market in an important part of strengthening the management of Internet business and basic management, with great significance for consolidating basic management and promoting the healthy and orderly development of the industry. Each relevant unit should designate relevant leaders to take responsibility for leading the way, strengthen organizational safeguards, and take charge of implementation.

(II) Division of labor and cooperation, implementing of all responsibilities

Each Communications Administration Bureau, basic telecommunications operations companies, and Internet network access service enterprises, are to implement the responsibility, and on the basis the requirements of this Notification draft a work plan, clarifying tasks and the division of labor, work schedules and responsibility; specifying work with responsibility reaching the individual, to ensure that all tasks of this effort on cleaning up and standardization are completed on time.

(III) Strengthening communication, regularly delivering summaries and reports

Each Communications Administration Bureau, all basic telecommunications business group to strengthen communication and cooperation, sum up experience, to the end of each quarter section (Information and Communication Authority) submitted to the work progress, major problems at any Ministry reported. Departments (Information Communications Administration Bureaus) are to establish a reporting system, and periodically announce progress in the standardization and cleaning-up

Ministry of Industry and Information Technology

1/17/2017