Security Protection Regulations for Critical Information Infrastructure

By Francesca Yu. Last Updated on Jul 27, 2022

Promulgation Authorities: State Council

Release Date: 2021-07-30

Effective Date: 2021-09-01

Source: http://yn.mof.gov.cn/tongzhitonggao/202203/t20220325_3798221.htm

Original Title: 关键信息基础设施安全保护条例


Decree No. 745 of the State Council

The Security Protection Regulations for Critical Information Infrastructure, adopted at the 133rd executive meeting of the State Council on April 27, 2021, are hereby promulgated, effective September 1, 2021.

Li Keqiang, Premier

July 30, 2021

Security Protection Regulations for Critical Information Infrastructure

Chapter I General Provisions

Article 1 These Regulations are enacted in accordance with the Cybersecurity Law of the People’s Republic of China for the purposes of protecting the security of critical information infrastructure and maintaining cyber security.

Article 2 For the purpose of these Regulations, critical information infrastructure refers to the important network facilities and information systems in important industries and fields such as public telecommunications, information services, energy, transportation, water conservancy, finance, public services, e-government and national defense science, technology and industry, as well as other important network facilities and information systems which, in the event of destruction, loss of function or leak of data, may seriously endanger national security, the national economy and the people’s livelihood, or the public interest.

Article 3 Under the overall planning and coordination of the Cyberspace Administration of China (hereinafter referred to as the CAC), the public security department under the State Council is responsible for guiding and supervising the protection of the security of critical information infrastructure. The competent telecommunications department of the State Council and other relevant departments shall, in accordance with the provisions of these Regulations and relevant laws and administrative regulations, be responsible for protecting, supervising and administering the security of critical information infrastructure within the scope of their respective duties.

Relevant departments of the provincial people’s governments shall protect, supervise and administer the security of critical information infrastructure within the scope of their respective duties.

Article 4 The security protection of critical information infrastructure shall adhere to the principles of comprehensive coordination, division of responsibilities and protection in accordance with the law, strengthen and implement the primary responsibility of critical information infrastructure operators (hereinafter referred to as the “operators”), and give full play to the role of the government and all sectors of society, so as to jointly protect the security of critical information infrastructure.

Article 5 The State gives priority to the protection of critical information infrastructure, takes measures to monitor, defend against and deal with cyber security risks and threats originating both within and outside the territory of the People’s Republic of China, protects critical information infrastructure from attacks, intrusions, interference and damage, and punishes illegal and criminal activities endangering the security of critical information infrastructure in accordance with the law.

No individual or organization may illegally intrude into, interfere with or destroy critical information infrastructure, or otherwise endanger the security of critical information infrastructure.

Article 6 Operators shall, in accordance with the provisions of these Regulations, relevant laws and administrative regulations and the mandatory requirements of national standards, and on the basis of the graded protection system for cyber security, take technical protection measures and other necessary measures to respond to cyber security incidents, prevent cyber attacks and illegal and criminal activities, guarantee the safe and stable operation of critical information infrastructure, and maintain the integrity, confidentiality and availability of data.

Article 7 Entities and individuals that have made remarkable achievements in or outstanding contributions to the security protection of critical information infrastructure shall be commended in accordance with relevant provisions of the State.

Chapter II Identification of Critical Information Infrastructure

Article 8 For the important industries and fields mentioned in Article 2 hereof, the competent authorities and supervisory authorities are the authorities responsible for the security protection of critical information infrastructure (hereinafter referred to as the “protection authorities”).

Article 9 The protection authorities shall, in light of the actual conditions of their respective industries and fields, develop rules for the identification of critical information infrastructure, and file such rules with the public security department under the State Council for the record.

The following factors shall be taken into account in the formulation of identification rules:

(I) the degree of importance of network facilities, information systems, etc. for the key and core business of the industry and field concerned;

(II) the degree of harm that may be caused in the event of any destruction, loss of function or leak of data of network facilities or information systems; and

(III) the knock-on impact on other industries and fields (interdependence).

Article 10 The protection authorities shall, in accordance with identification rules, be responsible for organizing the identification of critical information infrastructure of respective industries and fields, notify the operators concerned of the identification results in a timely manner, and report the same to the public security department under the State Council.

Article 11 Operators shall report relevant information on any material change in critical information infrastructure that may affect the identification results to the protection authorities in a timely manner. The protection authorities shall complete the identification again within three months upon receipt of the report, notify the operator concerned of the identification results, and report the same to the public security department under the State Council.

Chapter III Responsibilities and Obligations of an Operator

Article 12 The security protection measures shall be planned, established and put into use simultaneously with the critical information infrastructure.

Article 13 An operator shall establish a sound cyber security protection system and responsibility system, and ensure the investment of manpower, financial and material resources. The person chiefly in charge of the operator shall take overall responsibility for the security protection of critical information infrastructure, lead the security protection of critical information infrastructure and the handling of major cyber security incidents, and organize the study and resolution of major cyber security issues.

Article 14 An operator shall set up a specialized security management body, and conduct security background review of the person in charge of the specialized security management body and persons in key positions. During the review, the public security authority and national security authority shall provide assistance.

Article 15 The specialized security management body of an operator shall be specifically responsible for the security protection of critical information infrastructure of the operator, and shall perform the following duties:

(I) Establishing a sound cyber security management, evaluation and assessment system, and drafting the security protection plan for critical information infrastructure;

(II) Organizing and promoting the development of cyber security protection capacity, and conducting the monitoring, testing and risk assessment of cyber security;

(III) Developing the operator’s own emergency plans, conducting regular emergency drills, and disposing of cyber security incidents in accordance with the national and industrial emergency plans for cyber security incidents;

(IV) Identifying key positions for cyber security, organizing the assessment of cyber security work, and proposing rewards and punishments;

(V) Organizing cyber security education and training;

(VI) Performing the responsibility of personal information and data security protection, and establishing a sound personal information and data security protection system;

(VII) Conducting security management of services such as design, construction, operation and maintenance of critical information infrastructure; and

(VIII) Reporting cyber security incidents and important matters as required.

Article 16 An operator shall ensure the operation funds for its specialized security management body, allocate corresponding personnel, and have the personnel of the specialized security management body participate in making decisions relating to cyber security and informatization.

Article 17 An operator shall conduct by itself or entrust a cyber security service agency to conduct cyber security testing and risk assessment on its critical information infrastructure at least once a year, timely rectify security problems discovered, and report information as required by the protection authorities.

Article 18 In the event of any major cyber security incident or the discovery of any major cyber security threat affecting critical information infrastructure, the operator shall report to the protection authorities and the public security authorities as required.

For any particularly major cyber security incident, such as disruption of the operation of critical information infrastructure in whole or failure of its major functions, leak of national basic information or other important data, large-scale leak of personal information, major economic losses or large-scale spread of illegal information, or upon discovery of any particularly major cyber security threat, the protection authorities shall, after receiving such a report, promptly report to the CAC and the public security department under the State Council.

Article 19 Operators shall give priority to purchasing secure and reliable network products and services. Where the purchase of network products or services may affect national security, it shall pass a security review in accordance with the national cyber security provisions.

Article 20 In purchasing networking products or services, operators shall enter into a security confidentiality agreement with a networking product or service provider in accordance with the relevant provisions of the State, specifying the technical support and security confidentiality obligations and responsibilities of the provider, and supervise the fulfillment of the obligations and responsibilities.

Article 21 In the event of merger, division or dissolution, an operator shall report to the protection authorities in a timely manner, and deal with the critical information infrastructure as required by the protection authorities to ensure its security.

Chapter IV Guarantee and Promotion

Article 22 The protection authorities shall work out a security plan for the critical information infrastructure of the industry or field, specifying protection objectives, basic requirements, tasks and specific measures.

Article 23 The CAC shall coordinate with the relevant authorities to establish a cyber security information sharing mechanism, timely summarize, study, judge, share and release cyber security threats, vulnerabilities, incidents and other information, and promote cyber security information sharing among the relevant authorities, protection authorities, operators and cyber security service agencies.

Article 24 The protection authorities shall establish a sound cyber security monitoring and early warning system for the critical information infrastructure of the industry or field, keep timely track of the operation status and security situation of the critical information infrastructure of the industry or field, issue early warnings and notifications of cyber security threats and hazards, and guide security prevention work.

Article 25 The protection authorities shall, in accordance with the requirements of the State emergency plan for cyber security incidents, establish the sound emergency plan for cyber security incidents of the industry or field, regularly organize emergency drills, guide the operator to respond to and deal with cyber security incidents, and organize to provide technical support and assistance as needed.

Article 26 The protection authorities shall regularly organize inspections and testing of the cyber security of the critical information infrastructure of the industry or field, and guide and supervise the operator to promptly rectify potential security risks and improve security measures.

Article 27 The CAC shall coordinate with the public security department under the State Council and the protection authorities to inspect and test the cyber security of critical information infrastructure and propose improvement measures.

When carrying out inspections of the cyber security of critical information infrastructure, the relevant authorities shall strengthen cooperation and information sharing to avoid unnecessary, overlapping and repeated inspections. No fees shall be charged for the inspections, and the inspected entities shall not be required to purchase the products or services of designated brands or designated manufacturers or sellers.

Article 28 Operators shall cooperate with the inspections and testing of the cybersecurity of critical information infrastructure carried out by the protection authorities, and with the inspections of the cybersecurity of critical information infrastructure carried out in accordance with the law by the public security department, State security department, secrecy administration, cryptography administration and other relevant authorities.

Article 29 The CAC, the competent telecommunications department of the State Council and the public security department under the State Council shall, in accordance with the needs of the protection authorities, provide technical support and assistance in a timely manner during the protection of the security of the critical information infrastructure.

Article 30 The CAC, public security organs, protection authorities and other relevant authorities, cyber security service agencies and the staff thereof shall use the information acquired in the protection of the security of the critical information infrastructure only for the purpose of maintaining cyber security, and the security of such information shall be ensured in strict accordance with the requirements of relevant laws and administrative regulations, and such information shall not be divulged, sold or illegally provided to others.

Article 31 Without the approval of the CAC and the public security department under the State Council or the authorization of the protection authorities or an operator, no individual or organization may carry out vulnerability testing, penetration testing and other activities that may affect or endanger the security of the critical information infrastructure. Before carrying out vulnerability testing, penetration testing and other activities on the basic telecommunications network, it is required to report to the competent telecommunications department under the State Council in advance.

Article 32 The State takes measures to give priority to safeguarding the safe operation of critical information infrastructure in sectors such as energy and telecommunications.

The energy and telecommunications industries shall take measures to provide priority support for the safe operation of critical information infrastructure in other industries and fields.

Article 33 Public security organs and State security organs shall, within the scope of their respective duties, strengthen the security protection of critical information infrastructure in accordance with the law, and prevent and crack down on illegal and criminal activities targeting critical information infrastructure or carried out by making use of critical information infrastructure.

Article 34 The State formulates and improves the security standards for critical information infrastructure, guides and regulates the protection of the security of critical information infrastructure.

Article 35 The State takes measures to encourage specialized cyber security talent to engage in the protection of the security of critical information infrastructure and includes the training of security management personnel and security technicians of the operator in the national continuing education system.

Article 36 The State supports technological innovation and industrial development in respect of security protection for critical information infrastructure and organizes efforts to make technological breakthroughs in respect of security protection for critical information infrastructure.

Article 37 The State strengthens the construction and management of cyber security service agencies, formulates administrative requirements and reinforces supervision and guidance, constantly improves the capability of service agencies, and gives full play to their role in the protection of the security of critical information infrastructure.

Article 38 The State strengthens military and civilian integration of cyber security and protects the security of critical information infrastructure through military-civilian collaboration.

Chapter V Legal Liability

Article 39 For an operator falling under any of the following circumstances, the competent authorities shall order it to make corrections and give it a warning ex officio. In case of refusal to make corrections or resulting in such consequence as endangering cyber security, it shall be subject to a fine of not less than 100,000 yuan but not more than 1 million yuan, and the person directly in charge shall be subject to a fine of not less than 10,000 yuan but not more than 100,000 yuan:

(I) Failing to report relevant information to the protection authorities in a timely manner when a material change in critical information infrastructure may affect the identification result;

(II) Failing to plan, construct or put into use security protection measures and critical information infrastructure simultaneously;

(III) Failing to establish a sound cyber security protection system and responsibility system;

(IV) Failing to set up a specialized security management body;

(V) Failing to conduct background review on the person in charge and personnel in key positions of a specialized security management body;

(VI) Failing to have the personnel of a specialized security management body participate in making decisions relating to cyber security and informatization;

(VII) Failing to perform the duties specified in Article 15 of these Regulations by a specialized security management body;

(VIII) Failing to conduct cyber security testing and risk assessment for critical information infrastructure at least once a year, failing to make timely rectification of security problems found, or failing to report the relevant information as required by the protection authorities;

(IX) Failing to enter into a security confidentiality agreement with the provider of networking products or services in accordance with the relevant provisions of the State when purchasing networking products or services; or

(X) Failing to report to the competent protection authorities in a timely manner in the event of merger, division or dissolution, or failing to deal with critical information infrastructure as required by the competent protection authorities.

Article 40 For any operator failing to report to the competent protection authorities or the public security organ as required when a major cybersecurity incident occurs or a major cybersecurity threat is discovered with respect to critical information infrastructure, the competent protection authorities or the public security organ shall, ex officio, order it to make rectifications and give it a warning; in case of refusal to make rectifications or resulting in such consequence as endangering cybersecurity, a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed on it, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge of the operator.

Article 41 For an operator failing to conduct security review in accordance with the provisions on cybersecurity of the State when purchasing networking products or services that may affect national security, the CAC and other competent authorities shall, ex officio, order it to make rectifications, impose a fine of not less than one time but not more than ten times the purchase amount on it, and impose a fine of not less than 10,000 yuan but not more than 100,000 yuan on the person directly in charge and other persons directly liable.

Article 42 Where an operator refuses to cooperate with the inspection and testing of the cybersecurity of critical information infrastructure carried out by the protection authorities, or refuses to cooperate with the inspection and testing of the cybersecurity of critical information infrastructure carried out in accordance with the law by the public security, national security, secrecy administration, cryptography administration and other relevant authorities, the competent authorities shall order it to make rectifications. If it refuses to make rectifications, a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed on it, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the person directly in charge and other persons directly liable. In a serious case, the operator shall be investigated for corresponding legal liability in accordance with the law.

Article 43 Where anyone illegally intrudes into, interferes with or destroys critical information infrastructure and thereby endangers its security, but the act does not constitute a crime, the public security organ concerned shall, in accordance with the Cybersecurity Law of the People’s Republic of China, confiscate his/her illegal gains, detain him/her for not more than five days, and may also impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; if the circumstances are relatively serious, the public security organ concerned shall detain him/her for not less than five days but not more than 15 days, and may also impose a fine of not less than 100,000 yuan but not more than 1 million yuan.

Where an entity commits any of the acts prescribed in the preceding paragraph, the public security organ concerned shall confiscate its illegal gains, impose a fine of not less than 100,000 yuan but not more than 1 million yuan on it, and punish the person directly in charge and other persons directly liable in accordance with the provisions of the preceding paragraph.

Whoever violates the provisions of Paragraph 2 of Article 5 and Article 31 hereof and is subject to public security administrative penalties shall not hold key posts of cyber security management and network operation for five years, and whoever is subject to criminal penalties shall not hold key posts of cyber security management and network operation for life.

Article 44 Where a cyberspace administration, public security organ, protection authority or any other relevant authority, or any of their staff, fails to perform the duties of protecting, supervising and administering the security of critical information infrastructure, neglects duties, abuses powers, or practises favoritism and commits irregularities, the person directly in charge and other persons directly liable shall be punished in accordance with the law.

Article 45 In conducting a cybersecurity inspection of critical information infrastructure, where a public security organ, protection authorities or any other relevant authority charges fees, or requires the inspection object to purchase products or services of designated brands or designated production or sales entities, the superior organ shall order it to make corrections and to return the fees collected; if the circumstances are serious, the person directly in charge and other persons directly liable shall be punished in accordance with the law.

Article 46 Where a cyberspace administration, public security organ, protection authority or any other relevant department, a cyber security service agency and any staff thereof use the information acquired in the security protection of critical information infrastructure for any other purpose, or divulge, sell or illegally provide such information to others, the person directly in charge and other persons directly liable shall be punished in accordance with the law.

Article 47 Where a major or particularly major cybersecurity incident occurs on critical information infrastructure and is determined upon investigation to be an accident for which liability is attributable, the liability of the operator shall be investigated and pursued in accordance with the law, and the liability of the relevant cyber security service agency and relevant authority shall also be investigated. Where dereliction of duty, malpractice or other illegal acts are found, liability shall be pursued in accordance with the law.

Article 48 The operator of a critical information infrastructure for e-government failing to perform the cybersecurity protection obligation as stipulated in these regulations shall be punished in accordance with the relevant provisions of the Cybersecurity Law of the People’s Republic of China.

Article 49 Whoever violates the provisions of these Regulations, causing damage to others, shall bear civil liability in accordance with the law.

Whoever violates the provisions of these Regulations, where the violation constitutes a violation of public security administration, shall be subject to a public security administration penalty in accordance with the law; where a crime is constituted, criminal liability shall be investigated in accordance with the law.

Chapter VI Supplementary Provisions

Article 50 The security protection of critical information infrastructure that stores or processes information involving State secrets shall also be subject to the laws and administrative regulations on secrecy.

The use and management of cryptography for critical information infrastructure shall also be governed by the provisions of the relevant laws and administrative regulations.

Article 51 These regulations shall come into force as of September 1, 2021.