As part of our series providing insights into the Cybersecurity Law of the People’s Republic of China (PRC), this fourth installment focuses on the requirements in Section Two, Chapter Three, pertaining to Critical Information Infrastructure (CII) operators. According to the Cybersecurity Law, CII is defined as any information infrastructure that can endanger national security, national strategy, and civil welfare in the event of a data breach, compromised network, or system malfunction.
Overview of Critical Information Infrastructure
The Regulation for CII Security (“the Regulation”) was drafted by the Cyberspace Administration of China (CAC), the agency responsible for compliance and enforcement of the Cybersecurity Law. The National Information Security Standardization Technical Committee of China, commonly referred to as TC260, is responsible for the associated technical standards, specifications, measures, and guidelines.
According to the CAC, critical systems across 11 major industries are considered CIIs. It’s important to note that the definition of CII is not exhaustive and may also cover networks or applications whose failure could harm national security, national economy, or public interest. The Cybersecurity Law provides overarching principles and high-level requirements for CII compliance.
The scope of application, enforcement measures, technical specifications, and standards are stipulated by the State Council and industry regulatory ministries and commissions. Industry regulatory bodies are authorized to define detailed CII requirements and rules for companies in their respective industries according to the principles of the Regulation. Specific requirements and rules are published or released in multiple forms, from administrative orders and notifications to opinions, proposals, and provisions.
In addition to the State Council and industry regulatory bodies, local governments of major cities and provinces also have the authority to identify companies as CII operators and specific systems as CIIs. Companies determined to be CII operators must regularly follow updates to the requirements and rules released by the industry regulatory bodies and local governments.