正文
the government above the prefectural level will incorporate CII protection into the overall local economic and social development plan and will carry out performance evaluations of CII protection;
the regulatory and supervision departments for various sectors will develop cybersecurity programs for their respective sectors and will establish and implement a working expense guarantee system;
the energy, telecommunications and transportation industries are to be primarily responsible for providing support and protection with respect to the CII cybersecurity emergency response and the network function recovery, and the public security departments will combat relevant criminal activities in accordance with law.
Although the above provisions only set forth general principles related to CII protection, they impose compulsory obligations on relevant subjects by stipulating relevant subjects “shall” undertake certain responsibilities. This tone reflects the government’s determination to guarantee CII protection and its intent to strictly regulate this sector.
b. Further expanding the definition of CII
Similar to the Cybersecurity Law, the Draft Regulations define CII by giving a non-exhaustive list of named industries. However, the coverage scope of CII under the Draft Regulations has clearly been expanded compared to the Cybersecurity Law.
In addition to the seven important industries or areas listed in the Cybersecurity Law, the Draft Regulations set forth that information infrastructure used in the healthcare, education, environmental protection, national defense, science and technology, large-scale equipment, chemical, food and medicine and news industries, as well as information infrastructure used to provide large public information network services such as cloud computing and big data services should also be regarded as CII. Specifically, CII operators include:
-
Government organizations and energy, finance, transportation, water resources, healthcare, education, social security, environmental protection and public utility industry units;
-
Information networks such as telecommunications networks, radio and television networks and the Internet, as well as units providing cloud computing, big data and other large public information network services;
-
Scientific research and production units in the industries of national defense, science and technology, large-scale equipment, chemicals and food and drugs, etc.;
-
News units such as radio stations, television stations, news agencies, etc.;
-
Other key units.
In addition to industries and sectors listed above, Article 19 of the Draft Regulations stipulate that CAC and other regulatory departments will later jointly formulate and promulgate the CII identification guidelines, according to which the regulatory or supervision departments of various industries identify CIIs in their respective sectors and will report such findings.
Although further detailed rules such as the identification guidelines have not yet been promulgated, enterprises in the industries and sectors listed in the Draft Regulations should be sufficiently aware of developments in this area and make advance preparations. Currently, we recommend such enterprises to preliminarily determine whether their business may be regarded as a CII by referring to the
National Network Security Inspection and Operation Guidelines
, promulgated in June 2016, through considering the full nature of industries to which their business belongs, the level of dependence on the network facilities or information systems, and the influence of security risks related to the network facilities or information systems that they operate, which are assessed on a "qualitative + quantitative" basis.
