New regulations on the security and protection of critical information infrastructure in China will come into force starting September 1. We look at which companies are most likely to be designated as critical information infrastructure operators, what are their compliance obligations, and the new opportunities that may arise from the additional requirements.
On August 17, China’s State Council unveiled the Regulations on the Security and Protection of Critical Information Infrastructure (‘the regulations’), formulated on the basis of China’s Cybersecurity Law. These regulations shed new light on how the government plans to regulate strict data security requirements among critical information infrastructure (CII) operators but leaves unanswered some questions that have worried companies since the Cybersecurity Law was passed in 2017.
Under the Cybersecurity Law, companies designated as CII operators are subject to tighter data security requirements and a higher level of government oversight. The new regulations offer a more specific set of guidelines for the responsibilities and obligations of both the CII operators themselves and the regulatory departments in charge of supervising compliance. It also outlines specific punishments for activities that violate the security of critical information infrastructure.
The regulations also create a top-down system of oversight and regulations, in which CII operators are required to report any anomalies, issues, or changes to the systems to regulatory departments. These departments in turn are required to report any serious issues, threats, or changes to the infrastructure to central government bodies, the Cyberspace Administration of China (CAC), and the National Security Bureau (NSB).
However, the regulations remain unclear on exactly which type of company or business scope will fall under the category of CII, leaving many companies who sit in the grey area uncertain of which rules will apply to them.
With the regulations taking effect on September 1 this year, we take this opportunity to look at which companies are most likely to be designated as CII operators, what obligations they must fulfill to comply with the law, and finally what new opportunities may arise from the new requirements.
The regulations define CII as companies engaged in “important industries or fields”, including:
Companies that operate in certain sectors are clearly regarded as CII operators – power grids, public transport operators, military suppliers, and so on – and many of the sectors largely overlap with similar classifications in other countries’ legislation, such as the U.S.’ Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21).
For other sectors, the designation is less clear. The “any other important network facilities or information systems” could be interpreted to include major online service companies, such as Tencent’s WeChat or ride-hailing platform Didi.
In fact, Didi is currently under investigation by the CAC, in part due to its failure to act upon a request to conduct a data security assessment. Meanwhile, in early July, WeChat suspended new user registrations in order to upgrade security protocols to meet regulatory requirements. These recent occurrences suggest the companies may have been designated as CII operators, although this remains disputed.
To decide which companies will be designated as a CII operator, the regulations place the burden of responsibility on government regulatory departments. The departments must base the designation on the following:
DE-RISK YOUR INVESTMENTS IN CHINA WITH OUR LEGAL, FINANCIAL, AND HR DUE DILIGENCE SERVICES
Although it remains unclear exactly which companies will be categorized as CII operators, the regulations stipulate that the regulatory departments in charge of designating CII operators are required to inform the companies and the State Council when they identify a company as such. In a press conference on the new regulations, Deputy Director of the CAC Sheng Ronghua made it clear that foreign companies can also be designated as CII operators and will have to comply with the same rules as domestic companies.
The government is expected to formulate more specific guidelines on designating CII operators for companies and government departments, but it is still uncertain when such guidelines will be released.
The CAC has emphasized the principle of “who operates, bears responsibility” for protecting and maintaining CII. In this spirit, the regulations place the onus on the operators themselves to take action. The regulations stipulate that CII operators must take the necessary measures and implement the required technology to prevent attacks on networks and other illegal activity, ensure the secure and stable operation of critical information infrastructure, and maintain the integrity, secrecy, and usability of data.
A few notes on the above requirements:
If a CII operator fails on any of these responsibilities, they will first receive a warning from the regulatory authorities and be ordered to correct the situation. If the operator refuses to make the necessary changes or if the infraction causes serious harm to the networks’ security, it will be liable for a fine of RMB 100,000 (US$15,425) to RMB 1 million (US$154,250). The person directly in charge of the situation will also be personally liable for a fine of RMB 10,000 (US$1,543) to RMB 100,000.
Complying with these strict regulations is likely to be a headache for companies designated as CII operators. As such, these regulations, along with other data legislation, such as the Personal Information Protection Law (PIPL) and the Data Security Law, are likely to create a surge in demand for cybersecurity products and related services.
In July of this year, the Ministry of Industry and Information Technology (MIIT) began soliciting opinions on an action plan for developing the cybersecurity industry over the next three years. The plan aims to grow the industry at a compound annual growth rate (CAGR) of above 15 percent over the next three years to exceed RMB 250 billion (US$38.6 billion) in 2023.
To do this, the MIIT aims to “unleash demand” by requiring telecommunications and other key industries to invest 10 percent of their digitization spending on cybersecurity. The plan also indicates the government will encourage collaboration with foreign companies, and provide policy support for developing technology and talent in the industry in the future.
It is therefore likely we will see new incentives and preferential policies designed to attract investment in the industry in the near future. Players in this field are urged to watch policy updates closely, in particular, in regions with a strong base for the technology and internet industries, such as Shanghai, and Hangzhou, and the Greater Bay Area.
The new regulations on CII operators have been a long time coming, but their necessity has also become more urgent. As businesses and infrastructure digitize and rely more heavily upon online resources and data for operations, they also make themselves vulnerable to attack or manipulation, with the potential for far-reaching negative consequences.
The Chinese government is acutely aware of the threats to and vulnerabilities in China’s current system. These regulations are the next step in the country’s long-term plan to strengthen the protection of data and networks that are of consequence to both national security and the rights of individual citizens.
Given the critical importance of shoring up cybersecurity, we expect the new regulations to be strictly enforced and for companies who fail to comply to be penalized to the full extent of the law. Companies whose operations could encroach upon CII are therefore urged to keep a close eye on developments and maintain close communication with relevant authorities whenever possible.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at email@example.com.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.
Previous Article « China and Kyrgyzstan: Bilateral Trade and Future Outlook
Next Article Chongqing’s Growing Focus on the Electronics Industry and Digital Economy »
Dezan Shira & Associates´ brochure offers a comprehensive overview of the services provided by the firm. With...
A firm understanding of China’s laws and regulations related to human resources and payroll management is ab...
Over the last few months, China has been quickly expanding the pilot program on electronic special value-added...
An Introduction to Doing Business in Hong Kong 2021 is designed to introduce the fundamentals of investing in ...
Since the formulation of the GBA Initiative in 2017, business communities have placed high expectation on the ...
Doing Business in China 2021 is designed to introduce the fundamentals of investing in China. Compiled by the ...
Dezan Shira & Associates helps
businesses establish, maintain,
and grow their operations.
Stay Ahead of the curve in Emerging Asia. Our subscription service offers regular regulatory updates,
including the most recent legal, tax and accounting changes that affect your business.