China: Unpacking requirements for Critical Information Infrastructure Operators
Critical Information Infrastructure Operators ('CIIOs') are extremely important to China's cybersecurity and national security under Chinese laws and regulations. In this Insight article, Dehao Zhang, Counsel at Fieldfisher China, dives into the definition and legal obligations of CIIOs.
Who is a CIIO?
There is no clear definition of CIIOs. However, the Regulations on the Security Protection of Critical Information Infrastructure ('the Regulations') provide a definition of critical information infrastructure ('CII'), namely the key network facilities and information systems in important industries and areas, such as public telecommunication and information services, energy, transport, water conservancy, finance, public service, e-government, and science and technology industry for national defence, which may seriously endanger the national security, national economy, people's livelihood, and public welfare once they are subject to any destruction, loss of function, or data leakage. Based on the Regulations, a CIIO is defined as the operator of CII. This is actually an extension of the definition of operators under the Cybersecurity Law ('CSL') of the People's Republic of China ('PRC'), rather than of the 'personal information processor' under the Personal Information Protection Law ('PIPL'). A CIIO could be a personal information processor, as well as an entrusted party.
Who can identify as a CIIO?
According to the Regulations, the competent departments and regulatory departments governing the key industries and areas shall serve as the departments in charge of the security protection of CII. These authorities have the power to identify CII and notify the CIIOs.
In addition, to be identified as a CIIO, your organisation must have operated CII in China. If an organisation operates a very important system but is based outside of China, in practice the Chinese authorities do not send a notification to that organisation.
In practice, if your organisation has not received any notification about CII, it should not be deemed a CIIO, at least at the time of notification.
CIIOs' legal obligations
Please find below a list of requirements for CIIOs:
CSL and the Regulations
The CSL requires CIIOs to:
- comply with the requirements of classified protection of cybersecurity, according to Article 21 of the CSL, including:
  - formulating internal security management systems and operating instructions, determining the persons responsible for cybersecurity, and implementing cybersecurity protections;
  - taking technological measures to prevent computer viruses, network attacks, network intrusions, and other actions endangering cybersecurity;
  - taking technological measures to monitor and record the network operation status and cybersecurity incidents, and retaining the relevant web logs for no less than six months according to the provisions;
  - taking measures such as data classification, back-ups, and encryption of important data; and
  - other obligations stipulated by laws and administrative regulations;
- fulfil the following obligations of security protection:
  - setting up independent security management institutions, designating persons responsible for security management, and reviewing the security background of the said responsible persons and personnel in key positions;
  - conducting cybersecurity education, technical training, and skill assessment for practitioners regularly;
  - making disaster recovery back-ups of important systems and databases;
  - formulating contingency plans for cybersecurity incidents and carrying out drills periodically; and
  - other obligations stipulated by laws and administrative regulations;
- go through a security review organised by the national Cyberspace Administration of China ('CAC') where the CIIO purchases network products and services which may influence national security;
- enter into security confidentiality agreements with the providers of network products or services in accordance with the provisions, in which obligations and responsibilities in terms of security and confidentiality shall be clarified;
- store within China the personal information and important data it generates or collects in the PRC; where it is necessary to transfer such data outside of China, a security assessment shall be conducted in accordance with the rules adopted by the CAC;
- conduct by themselves, or entrust cybersecurity service institutions to conduct, the detection and assessment of their cybersecurity and any potential risk at least once a year; and
- submit the detection and assessment results, as well as improvement measures, to the relevant departments responsible for the security protection of CII.
In more detail, following the requirements of the CSL, the Regulations also require the following:
- The CIIO shall, in accordance with the Regulations, the provisions of relevant laws and regulations, and the mandatory requirements in the relevant national standards, as well as based on the classified protection of cybersecurity, take technical protection measures and other necessary measures to cope with cybersecurity incidents, prevent network attacks and illegal and criminal activities, guarantee the safe and stable operation of CII, and maintain data integrity, confidentiality, and availability.
- The CIIO shall establish a sound cybersecurity protection and accountability system to guarantee the input of human, financial, and material resources.
- The CIIO shall set up specialised security management organisations and conduct security background examinations of the person-in-charge and persons in key positions of said organisations.
- The CIIO shall guarantee the operational funds for their respective specialised security management organisations and appoint corresponding personnel.
- The CIIO shall, by itself or by entrusting cybersecurity service agencies, conduct cybersecurity detection and risk assessment of CII at least once a year, promptly correct any security problem discovered, and report relevant matters as required by the security protection departments.
- Where CII is subject to any major cybersecurity incident, or any major cybersecurity threat is found, the CIIO shall report to the security protection departments or public security organs according to relevant provisions.
- The operators shall give priority to procuring safe and credible online products and services; where the procurement of any online product and service may affect national security, a security review shall be conducted pursuant to the cybersecurity provisions of the state.
- When procuring any online product and service, the CIIO shall sign a security and confidentiality agreement with online product and service providers pursuant to relevant provisions of the state, identify the providers' obligations and duties in respect of technical support, security, and confidentiality, and supervise the performance of such obligations and duties.
- In the case of the merger, division, or dissolution of a CIIO, the matter shall be reported promptly to the security protection department, and the CII shall be handled as required by the security protection department to ensure security.
Data Security Law, PIPL, and the Measures
According to Article 31 of the Data Security Law ('DSL'), the security administration of the cross-border transfer of important data collected and generated by operators of CII during their operation in China shall be subject to the provisions of the CSL.
The administrative measures for the cross-border transfer of important data collected and generated by other data handlers during their operation in the PRC shall be formulated by the national CAC, in collaboration with relevant departments of the State Council.
In fact, the obligations of CIIOs under the DSL are the same as their obligations under the CSL, the Regulations, and the Measures for Security Assessment of Data Exports ('the Measures'), which have been adopted by the CAC.
However, the question arises whether a CIIO must be a 'personal information processor' under the PIPL. As described above, these are different terms under different laws. In fact, the definition of a CIIO is not the same as that of a personal information processor under the PIPL, although many CIIOs are personal information processors. There are still some CIIOs who are entrusted parties.
Another question concerns data transfer restrictions. According to Articles 38 and 40 of the PIPL, as well as the Measures, if a CIIO transfers important data or personal information outside of China, and such data was generated or collected within China, the CIIO shall apply to the CAC for a security assessment of the data transfer.
In practice, there will be three scenarios, namely:
- the CIIO is a personal information processor in China, transfers personal information outside of China, and conducts the required assessment according to the laws and the Measures;
- the CIIO is an entrusted party rather than a personal information processor, and does not make decisions on the transfer of data, but is technically involved in the transfer (such as some key system providers or cloud service providers), in which case the actual personal information processor should make the application, and the service/system providers should cooperate with the application, e.g. by providing enough information; or
- the CIIO transfers important data outside of China, makes the decision to do this, and conducts the required assessment.
Please note that the requirements listed above may change as Chinese cybersecurity and data protection laws and their enforcement develop. It is therefore worth monitoring developments in the laws and cases to stay up to date.
Dehao Zhang, Counsel
Fieldfisher China, Beijing