Chapter I: General Provisions
Article 1: These Regulations are drafted in accordance with the "Cybersecurity law of the People's Republic of China" so as to protect the security of critical information infrastructure.
Article 2: These Regulations apply to the planning, construction, operation, maintenance and use of critical information infrastructure within the territory of the People's Republic of China, as well as to carrying out the security and protection of critical information infrastructures.
Article 3: Security of critical information infrastructure protection adheres to the principles of top-level design, total protection, overall coordination, and division of labor and responsibility; giving full play to the role of operating entities, actively participation by all parts of society, and common protection of critical information infrastructure security.
Article 4: The state departments for industry supervision and management divide labor in accordance with relevant State Council provisions, and are responsible for directing and supervising that industry or field's critical information infrastructure security protection efforts.
The State internet information department is responsible for overall coordination of efforts on critical information infrastructure security protection the safety protection work and related supervision and management efforts. The departments Public Security, state security, state secrecy administration, the state cryptography administration and other such departments are responsible for relevant network security protection and oversight management work within the scope of their own duties.
The relevant departments of local people's governments at the county level or above are to carry out efforts on the protection of critical information infrastructure security in accordance with relevant state provisions.
Article 5: The operators of critical information infrastructure (hereinafter 'operators') bear the entity responsibility for that unit's critical information infrastructure security, perform network security protection duties, accept the supervision of the government and society, and bear social responsibility.
The State encourages operators of networks outside the critical information infrastructure to voluntarily participate in the critical information infrastructure protection system.
Article 6: Key protection of critical information infrastructure is carried out on the foundation of the hierarchic system of network security protections.
Article 7: Any individual or organization who discovers conduct endangering the security of critical information infrastructure has the right to report to departments such as for networks, telecommunications, or public security, or to report to the department managing or supervising the industry.
Departments receiving reports shall promptly process them in accordance with law; where these do not fall within the responsibilities of that department, they shall promptly transfer the matters to the department empowered to handle them.
Relevant departments shall preserve the confidentiality of the informants' information and protect the lawful rights and interests of the informant.
Chapter II: Support and Safeguards
Article 8: The State will take measures to monitor, defend against, and handle risks and threats to national security from inside and outside the People's Republic of China, and protect critical information infrastructure from attack, intrusion, disruption and destruction, and punish unlawful and criminal network activities in accordance with law.
Article 9: The State is to formulate policies for industry, taxation, finance, personnel and so forth; support innovation in technologies, products, and services related to the security of critical information infrastructure; spread safe and reliable network products and services; cultivate and select network security personnel; and improve the security level of critical information infrastructure.
Article 10: The State is to establish and improve the system of network security standards, and use standards to guide and regulate the efforts on the protection of critical information infrastructure security.
Article 11: The people's governments at or above the municipal level shall include critical information infrastructure security protection efforts in the region's overall plan for economic and social development, increase investment, and conduct performance evaluations and assessments on this work.
Article 12: The State encourages government departments, operators, scientific research institutions, network security service institutions, industry organizations, and network product or service providers, to carry out cooperation on critical information infrastructure security.
Article 13: The competent State departments for management or oversight of an industry shall set up, or make clear, the body and personnel responsible for critical information infrastructure security protection work in that industry or field, and draft and organize the implementation of network security plans for the industry or field, establishing and completing working mechanisms to ensure funding and supervise their implementation.
Article 14: Industries such as energy, telecommunications, and transportation shall provide power supply, network communications, transportation and transport, and other key assurances and supports for critical information infrastructure network incident emergency responses and restoration of network functions.
Article 15: The public security organs and other departments are to investigate and combat on illegal and criminal activities aimed at and utilizing the critical information infrastructure.
Article 16: The following activities and conduct that endanger critical information infrastructure must not be engaged in by any individual or organization:
(1) attacking, invading, interfering with or destroying critical information infrastructure;
(2) illegally acquiring, selling or providing others, without authorization, information such as technical materials, which may be used specially to endanger the security of critical information infrastructure;
(3) Carrying out unauthorized, invasive or hostile scanning and detection of critical information infrastructure;
(4) knowing that others are engaged in activities that endanger the security of critical information infrastructure, still providing them with Internet access, server hosting, network storage, communications, advertising, payment and settlement, or other such assistance;
(5) other activities and conduct that endangers critical information infrastructure.
Article 17: The State is committed to an open environment protecting network security, actively carrying out international exchange and cooperation in the area of critical information infrastructure security.
Chapter III: The scope of critical information infrastructure
Article 18: The following units' operation and management of network facilities and information systems, where once disrupted, losing function or leaking data, might create serious harm to national security, the national economy and people's livelihoods, or the public interest; shall be included within the scope of critical information infrastructure protections;
(1) Government organs and units in the industries or fields of energy, finance, transportation, water conservancy, health, education, social security, environmental protection, public utilities, and so forth;
(2) Information networks such as telecommunications networks, radio and television networks, and the Internet; and units providing cloud computing, big data, and other large scale public information network services;
(3) scientific research and production units in fields such as the defense industry, large equipment industry, chemical industry, and food and drug industry;
(4) news units such as radio stations, television stations, and news services;
(5) other key units.
Article 19: The state telecommunications department, in conjunction with the competent departments for telecommunications under the State Council and the public security departments, are to formulate guidelines for the identification of critical information infrastructure.
The state departments for management and supervision of industries are to identify critical information infrastructure in their industry or field in accordance with critical information infrastructure identification guidelines, and report identification results in accordance with procedures.
In the process of critical information infrastructure identification and verification, full play shall be given to the role of relevant experts, improving the accuracy, rationality and scientific nature of the identification and verification of critical information infrastructure.
Article 20: Operators shall promptly report circumstances of newly established or suspended critical information infrastructure, or major changes occurring to critical information infrastructure, to the state department for management or supervision of the industry.
The State departments for management or supervision of industries shall promptly conduct identifications and adjustments on the basis of operators' reports, and report the adjustments according to the procedures.
Chapter IV: Operator Security Protections
Article 21: The construction of critical information infrastructure shall ensure that it has properties for supporting business stability and sustaining operations, and ensure that technical security measures are planned, established and used concurrently.
Article 22: Operators' primary responsible persons are the person with first responsibility for critical information infrastructure security protection efforts in that unit, responsible for establishing and completing the network security responsibility system and organizing its implementation, and fully responsible for the unit's critical information infrastructure security protection work.
Article 23: Operators shall follow the requirements of the hierarchic network security protection system, to fulfill the following security protection obligations, ensuring that critical information infrastructure is not interfered with, destroyed or accessed without authorization, and preventing network data from leaking or being stolen or tampered with:
(1) formulate internal security management systems and operating procedures, and strictly enforce identity authentication and authority management;
(2) Employ technical measures to prevent computer viruses and network attacks, network intrusions, and other acts endangering network security;
(3) Employ technical measures to monitor and record network operation status and network security incidents, and keep relevant network logs for at least six months in accordance with the regulations;
(4) adopt measures such as data classification, backing up important data, and encryption authentication.
Article 24: In addition to Article 23 of these regulations, Operators shall also perform the following security protection obligations in accordance with the mandatory requirements provided by State laws , regulations, and relevant national standards:
(1) set up special network security management bodies and personnel responsible for network safety management , and conduct background security review of those responsible persons and of personnel in key posts;
(2) Periodically conduct network security education, technical training and skills evaluations for employees;
(3) Conduct on the disaster recovery backups of important systems and databases, and promptly employ remedial measures for system vulnerabilities and other security risks;
(4) formulate emergency plans for network security incidents and conduct drills regularly;
(5) Other obligations provided by law or administrative regulations.
Article 25: Operators' personnel responsible for network security management are to perform the following duties:
(1) organizing the formulation of network security rule systems and operating procedures, and supervising their implementation;
(2) organizing skills evaluation of personnel in key positions;
(3) organizing, formulating and implementing that unit's network security education and training program;
(4) organizing and carrying out network security checks and emergency drills to respond to and deal with network security incidents;
(5) reporting relevant important matters and events to the relevant State departments in accordance with provisions.
Article 26: A system of holding credentials before taking a post is implemented for operators' specialist technical personnel in key network security positions.
The specific provisions for the taking positions with credentials are to be formulated by the Department of human resources and social security under the State Council together with other departments such as the state internet information departments.
Article 27: Operators shall organize network security education and training for employees, with education and training lasting at least one working day per person each year, and lasting at least 3 working days each year for professional technical personnel in key posts.
Article 28: Operators shall establish and complete systems for testing and appraising critical information infrastructure security, and shall conduct security testing and assessment before critical information infrastructure operates online or when major changes are made.
Operators shall conduct testing and assessment of critical information infrastructure security and the potential risks, either by themselves, or by retaining a network security service institution, at least once per year; promptly rectifying any issues discovered, and report to the national department for managing or supervising the industry.
Article 29: Personal information and important data collected or produced by operators in the mainland territory of the People's Republic of China shall be stored in the mainland territory. Where due to business needs, it is truly necessary to provide them outside the mainland, an assessment shall be conducted in accordance with the measures on security assessments for personal information and major data exiting the mainland; where laws and administrative regulation provide otherwise, follow those provisions.
Chapter V: Product and service security
Article 30: Operators purchases and use of key network equipment and specialized network security products shall meet the mandatory requirements of laws, administrative regulations and relevant national standards.
Article 31: Where operators purchase of network products and services might impact national security, they shall follow the requirements of the Measures for Security Review of Network Products and services, pass a network security review, and have a security confidentiality agreement signed with the provider.
Article 32: Operators shall conduct security testing of systems and software developed by outsourcing, and of donated network products, before using them online.
Article 33: Where operators find that network products or services they use have risks such as security defects or vulnerabilities, they shall promptly adopt measures to eliminate the threat, and where major risks are involved, they shall report it to the relevant departments in accordance with provisions.
Article 34: The operation and maintenance of critical information infrastructure shall be carried out within the mainland territory. Where it is truly necessary to carry out remote overseas maintenance due to business needs, this should be reported to the state departments for management or supervision of the industry and the public security department under the State Council.
Article 35: Institutions carrying out safety testing and assessment of critical information infrastructure; publishing security threat information such as on system vulnerabilities, computer viruses, or network attacks; or providing services such as cloud computing or outsourced information technology services, shall comply with the relevant requirements.
The specific requirements will be formulated by the State internet Information departments in conjunction with the relevant departments under the state council.
Chapter VI: Monitoring, early warning, emergency response and assessment
Article 36: State internet information departments co-ordinate the establishment of critical information infrastructure network security monitoring and early warning systems and information notification systems, organizing and guiding relevant bodies' effort to summarize, analyse and report network security information, and follow provisions to uniformly release network security monitoring and early warning information.
Article 37: The State departments for management or supervision of industries shall establish and complete monitoring and early warning systems, and systems for reporting information, for critical information infrastructure network security within that industry or field; and promptly get a hold of the operational status and security risks of the critical information infrastructure in that industry or field, and report security risks and related work information to the relevant Operators.
The State departments for managing or supervising industries shall organize review and judgment of security monitoring information, and where finding that preventive response measures must be take immediately, shall promptly issue early warning information and recommend emergency prevention measures to the relevant operators, and report to the relevant departments in accordance with the requirements of the state network security incident emergency response plan.
Article 38: State internet information departments coordinate the relevant departments and operators, as well as relevant research institutions and network security service institutions, to establish network security information sharing mechanisms for critical information infrastructure and promote network security information sharing.
Article 39: State internet information departments, in accordance with the requirements of the national network security incident emergency response plan, are to coordinate relevant departments to establish and improve emergency coordination mechanisms for critical information infrastructure network security, increase the strength of network security information response, guide and coordinate relevant departments in organizing cross industry, cross regional network security emergency drills.
The state departments for industry management or supervision shall organize the formulation of emergency plans for network security incidents in the industry or field, and organize scheduled exercises to enhance network security response and disaster recovery capabilities. After the occurrence of major network security incidents or after receiving early warning information from the internet information departments, the emergency response plan should be started immediately, and the situation promptly reported.
Article 40: The state departments for managing or supervising industries shall conduct spot checks of critical information infrastructure in their industry or field's security risks and operators performance of security protection obligations, propose measures for improvement, and guide or supervise the operators in promptly correcting issues discovered in testing or assessment.
The state internet information department coordinates relevant departments in carrying out spot checks, to avoid conflicting and duplicative testing and assessment.
Article 41: The relevant departments carrying out critical information infrastructure safety testing and assessments, should adhere to the principles of objectivity, fairness, efficacy, and transparency, and employ scientific testing and assessment measures, standardize the testing and assessment process, and control risks in testing and assessment.
Operators shall cooperate with relevant departments carrying out testing and appraisal in accordance with law, and promptly correct issues found in the testing and evaluation.
Article 42: Relevant departments are to organize and carry out the safety testing and assessment of critical information infrastructure, and may employ the following measures:
(1) requiring relevant operators to make explanations of the testing and assessment matters;
(2) Accessing, acquiring or copying files and records related to security protection;
(3) looking at the formulation and implementation of the network security management system, as well as the planning, establishment, and operation of network security technical measures;
(4) using testing tools or retaining network security service institutions for technical testing;
(5) other necessary means agreed to by operators.
Article 43: Information obtained by relevant departments and network security service institutions in the testing and assessment of critical information infrastructure security, can only be used as needed to maintain network security, and must not be used for other purposes.
Article 44: The relevant departments organizing and carrying out critical information infrastructure safety testing and assessment , must not collect fees from the unit being tested or assessed, must not require the unit being tested or evaluated institutions to buy the specific brands of products or services, or those produced or sold by specific units.
Chapter VII: Legal Responsibility
Article 45: Where operator do not perform network security protection obligations as provided for in the first paragraph of article 20 and in articles 21, 24, 24, 26, 27, 28, 30, 32, 33, and 34 rules of thes Regulations, the relevant competent departments are to order corrections and give warnings in accordance with their respective duties; where they refuse to make corrections or cause consequences such as harm to network security, fines of between 100,000 and 1,000,000 RMB are to be given, and the directly responsible persons in charge are to be given fines of between 10,000 and 100,000 RMB.
Article 46: Where operators violate the provisions of article 29 by storing network data outside the mainland territory, or providing network data overseas [outside the mainland], the relevant competent state departments are to order corrections on the basis of their duties, give warnings, confiscate the unlawful gains, give a fine of between 50,000 and 500,000 RMB, and may order a suspension of relevant business, a suspension for internal rectification, the closure of websites, or revocation of relevant business licenses; and the directly responsible personnel in charge and other directly responsible personnel are to be fined between 10,000 and 100,000 RMB.
Article 47: Where operators violate the provisions of article 31 by using network products or services that have not gone through security reviews or that did not pass security reviews, the relevant competent state departments are to order them to stop the use on the basis of their duties, and impose a fine of between 1 and 10 times the purchase value; the directly responsible personnel in charge and other directly responsible personnel are to be given fines of between 10,000 and 100,000 RMB.
Article 48: Where individuals violate the provisions article 16 of these Regulations, but it does not constitute a crime, the public security organs are to confiscate the unlawful gains, give up to 5 days detention, and may impose a concurrent fine of between 50,000 and 500,000 RMB; where the circumstances are serious, detention is to be for between five and fifteen days, and a fine of between 100,000 and 1,000,000 RMB may be concurrently imposed; and where a crime is constituted, criminal responsibility is to be pursued in accordance with law.
Where units exhibit the conduct of the preceding paragraph, the public security organs are to confiscate the unlawful gains and give a fine of between 100,000 and 1,000,000 RMB, and the directly responsible persons in charge and other directly responsible personnel are to be fined in accordance with the preceding paragraph.
Persons who have been subjected to criminal punishment for violating the provisions of article 16 of these Regulations must not engage in critical information infrastructure security management and key posts in network operations for life.
Article 49: Where state organ operators of critical information infrastructure do not perform their network security protection obligations as provided in these Regulations, their superior organs or other relevant organs shall order corrections; the directly responsible personnel in charge and other directly responsible personnel shall be given sanctions in accordance with law.
Article 50: Where any of the relevant departments or their staffs commit any of the following acts, the person directly in charge and other persons directly responsible are to be punished according to law; and where a crime is constituted, criminal responsibility shall be pursued in accordance with law:
(1) using authority to solicit or accept bribes during work;
(2) dereliction of duty or abuse of power;
(3) unauthorized disclosure of information, materials, or data files related to critical information infrastructure;
(4) other conduct in violation of legally-prescribed duties.
Article 51: Where major network security incidents occur in critical information infrastructure, and it is determined to be a human error accident upon investigation, in addition to ascertaining and pursuing operating units' responsibility, the responsibility of relevant network security service institutions and relevant departments should be ascertained, and where there is unlawful conduct such as dereliction of duty or malfeasance, responsibility shall be pursued.
Article 52: Where foreign [including Hong Kong, Macau, Taiwan] institutions, organizations, or individuals engage in attacks, intrusions, disruptions, destruction, or other activities endangering the critical information infrastructure of the P.R.C., causing serious consequences, criminal responsibility is pursued in accordance with law; the department for public security under the State Council, State security organs, and relevant departments may decide to freeze the assets or take other necessary sanctions against those institutions, organizations, or individuals.
Chapter VIII: Supplemental Provisions
Article 53: The storage and handling of the security protections for critical information infrastructures involving state secret information shall also comply with the secrecy provisions of laws and administrative regulations.
The use and management of passwords in critical information infrastructure shall also comply with the provisions of laws and administrative regulations on passwords.
Article 54: The security protection of military critical information infrastructure is to be separately provided for by the Central Military Commission.
Article 55: These Regulations take effect on XX/XX/XXXX.