China's Cybersecurity Law: Critical Information Infrastructure (CII) Download As part of our series providing insights into the Cybersecurity Law of the People’s Republic of China (PRC), this fourth installment focuses on the requirements in Section Two, Chapter Three, pertaining to Critical Information Infrastructure (CII) operators. According to the Cybersecurity Law, CII is defined as any information infrastructure that can endanger national security, national strategy, and civil welfare in the event of a data breach, compromised network, or system malfunction. Download Overview of Critical Information Infrastructure (CII)The Regulation for CII Security (“the Regulation”) was drafted by the Cyberspace Administration of China (CAC), the agency responsible for compliance and enforcement of the Cybersecurity Law. The National Information Security Standardisation Technical Committee of China, commonly referred to as TC260, is responsible for the associated technical standards, specifications, measures, and guidelines.According to the CAC, critical systems across 11 major industries are considered CIIs. It’s important to note that the definition of CII is not exhaustive and may also cover networks or applications whose failure could harm national security, national economy, or public interest. The Cybersecurity Law provides overarching principles and high-level requirements for CII compliance.The scope of application, enforcement measures, technical specifications, and standards are stipulated by the State Council and industry regulatory ministries and commissions. Industry regulatory bodies are authorised to define detailed CII requirements and rules for companies in their respective industries according to the principles of the Regulation. Specific requirements and rules are published or released in multiple forms, from administrative orders and notifications to opinions, proposals, and provisions.In addition to the State Council and industry regulatory bodies, local governments of major cities and provinces also have the authority to identify companies as CII operators and specific systems as CIIs. Companies determined to be CII operators must regularly follow the updates on the requirements and rules released by the industry regulatory bodies and local governments. Identification of Critical Information InfrastructureAccording to the Regulation, companies should consider three factors in determining which systems and applications could potentially be classified as CII. 1. Whether the business is classified as a critical business + The Regulation classifies businesses that fall within 11 industries as critical businesses. These industries include public communications, energy, finance, and public services, among others. To determine whether all or part of their business is classified as a critical business, companies must consider the following: Do we have businesses or operations that are in the 11 pre-defined industries?Do we have businesses or operations that could be classified as critical businesses according to the definition set by different industry regulatory bodies?Do we have business or operations that could impact or harm national security, national economy, or public interest? 2. Whether systems are used to support a "critical business" + Organisations must identify whether any of their systems may be supporting CII operators that conduct critical business. The following questions can help determine which systems may be considered CIIs: Do the systems store and process important data as defined by industry regulatory bodies in mainland China? Examples of important data are listed in the table below.How many types of important data do the systems store and process?How frequently do systems process data?How much revenue is derived from the data processed by the systems?What are the consequences when systems are discontinued? For example, what would be the impact on reputation, the economy, lives, social order, or national security?How much is the loss or impact within the Maximum Tolerable Downtime (MTD)?Are there any alternative ways to run the business without the systems? If so, how sustainable are these alternatives? Critical IndustryCritical BusinessImportant DataFinancial ServicesBankingSecurities & FuturesClearing & SettlementInsuranceBusiness Operations SecurityPrivacy & CreditOrganisationAnalysis & ProfilingMedical & HealthcareEstablishment OperationsDisease ControlEmergency Center OperationsHealth & PrivacyMedical RecordsClinical TrialsTraceable IDsEmergencyDisease ControlGenetic DataManufacturingBusiness OperationsIntelligent Industry Control of Dangerous GoodsHigh-Risk Facility OperationsIndustrial StatisticsStrategy & PlanningProduction & SalesPurchasingDeliveryMarket AnalysisInvestment* This is not an exhaustive list 3. Potential impact of a security incident in the system + The Regulation provides multiple criteria to determine whether the impact from system damage is severe enough to classify the systems as CIIs. To begin, companies must consider the following questions on information assets, customers and users, asset values, and incident frequency: In terms of number of people and percentage of population, who will be affected by security incidents or data breaches?What are the consequences of security incidents or data breaches, such as privacy data or company data leaks?How much damage will the company and national security suffer from security incidents or data breaches? These three factors will help companies assess whether they and their systems are likely to be classified as CII operators and CIIs. Companies who are classified as Critical Information Infrastructure (CIIs) will receive official notifications from the local police or industry regulatory bodies. They must open communication channels with the local police or industry regulatory bodies to confirm the official notification and coordinate the submission of compliance documents. CII operators should maintain regular contact with these organisations to stay up-to-date on the latest regulatory rules, which may often be presented as regulatory opinions, notifications, or even administrative orders. Compliance requirements for Critical Information InfrastructureWhile technical standards and specifications are currently under development or being drafted for comment, industry regulatory bodies may also have specific industrial requirements. To see the key requirements for CIIs, refer the pdf.ArticleLegal RequirementsNo. 32The State Council and associated departments shall compile and organise security enforcement plans, as well as guide and supervise security protection efforts for critical information infrastructure operations.No. 33CIIs must have the capability to support business stability and sustain operations.No. 34, Sec. 1Set up a dedicated security management body with a designated security management leader; conduct security background checks on personnel in key positions.No. 34, Sec. 2Periodically conduct cybersecurity education, technical training, and skills evaluations for employees.No. 34, Sec. 3Conduct disaster-recovery backups of critical systems and databases.No. 34, Sec. 4Formulate emergency response plans for cybersecurity incidents and regularly organise drills.No. 35Network products and services purchased by CII operators that might impact national security will be subjected to a national security review by relevant departments.No. 36When purchasing network products and services, CII operators must follow relevant guidelines and sign a security and confidentiality agreement with the provider.No. 37Critical information infrastructure operators shall conduct testing and assessment of cybersecurity risks on critical information infrastructure.No. 38State cybersecurity departments shall conduct annual inspections and assessments of network security, as well as submit a cybersecurity report and proposed improvement measures to the departments responsible. Compliance considerations and challenges Compliance enforcement from industry regulatory bodies + Once a company is classified as a CII operator and has reported to the respective industry regulatory body, that regulatory body will be responsible for enforcing the company’s CII compliance. When appropriate, the regulatory body may issue additional rules and requirements for the company as long as these do not conflict with the existing laws and regulations of the central government. The regulatory body can also conduct inspections and assessments in accordance with these additional requirements and rules. If they believe the company is not fulfilling their obligations as a CII operator, they may issue various penalties. Penalties depend on the severity of the violation and may include administrative warnings and ordered rectification, business suspension, license or certificate revocation, and administrative fines. CII operators have tougher requirements and stricter compliance processes than network operators. Severe consequences may occur if CII operators practice passive compliance—waiting for explicit remediation orders by regulatory bodies. Instead, companies are encouraged to align with key stakeholders to actively engage in compliance. Adopting an active and proactive compliance approach + Considering the complex structure of CII compliance, both in terms of requirements and enforcement, CII operators should adopt an active, or even proactive, approach. An active approach entails identifying gaps between current practices and effective laws and regulations for future remediation and rectification. In this situation, compliance is seen as a separate process implemented to satisfy laws and regulations. In general, an active approach is considered good enough for normal compliance, although there might be a deviation between operational procedures and compliance requirements. However, this deviation is easily exposed through the technical tests and assessments that are part of the compliance process. A proactive approach means implementing effective security measures in response to all potential security threats and legal concerns, even if those measures are not explicitly stated in the laws or regulations. While more expensive and technically demanding, a proactive approach may be more effective because of its focus on potential technical and legal concerns. Tests and assessments from regulatory bodies + Industry regulatory bodies are authorised by Article 39 of the Cybersecurity Law to initiate a variety of tests and assessments of CII operators. These include on-site inspections and remote penetration testing. CII operators may be informed before the tests and assessments to allow for last-minute preparations, but these warnings are not guaranteed, and organisations should be prepared for surprise inspections. The best compliance strategy is to always be prepared for sudden assessments. If the actual operation procedures of CII operators are different from their designed procedures, operators won’t have time to do last-minute preparations. It’s important for security policies and procedures to be well-designed, documented, and communicated. Frequent spot inspections and reviews, along with a checklist, will also help ensure compliance with designed procedures. These can ensure that good security practices are executed every single day. Another key factor to ensuring satisfactory results from assessments is communication, especially when a company is not familiar with—or unprepared for—unexpected assessments. A typical mistake is allowing frontline staff to handle inspections directly. This may result in misunderstandings and miscommunication since frontline staff is often not fully informed about compliance requirements and processes. How Protiviti can help Protiviti aids businesses in ensuring that their IT services meet legal requirements and regulatory rules on both national and industry-specific levels. With a team of IT security professionals, compliance experts, auditors, and other professionals, Protiviti keeps track of evolving regulations based on industry innovations, environmental trends, and emerging risks.Protiviti security and privacy services will evaluate your current compliance according to relevant legal requirements and regulatory rules and develop technical solutions that correspond with your current technology, procedures, and resources competency. We will close gaps in your IT technology and processes in line with your budget plan, as well as prevent disruptions to normal IT and business operations from compliance activities. Learn more about other specific sections of the China’s Cybersecurity Law: Featured insights WHITEPAPER Interpretations of the Updates to China’s Cybersecurity Law All companies incorporated within Mainland China are required to abide by the Cybersecurity Law of The People's Republic of China (PRC), which went into effect 1 June 2017. WHITEPAPER China’s Cybersecurity Law: Personal Information Protection Law (PIPL) Overview As part of our series providing insights into the Cybersecurity Law of the People’s Republic of China (PRC), this Point of View (POV) highlights a key area pertaining to personal information protection. WHITEPAPER China's Cybersecurity Law: Multi-Level Protection Scheme (MLPS) In part one of our Point of View (POV) seriesInterpretations of the updates to China’s Cybersecurity Law, we highlighted the updated legal requirements that impact organisations looking to do business in mainland China. WHITEPAPER China's Cybersecurity Law: Cross-Border Data Transfer As part of our series providing insights into the Cybersecurity Law of the People’s Republic of China (PRC), this fifth installment focuses on the cross-border transfer of data — or data localisation — that is outlined in Article 37. Button Button Topics Cybersecurity and Privacy IT Management, Applications and Transformation Digital Transformation Industries Healthcare Technology, Media and Telecommunications Financial Services Energy and Utilities Consumer Products and Services To access the whole series Click here Leadership Tim Speelman Tim is a director with a track record of developing and implementing strategic plans that align with the demands and gaps of global and local enterprises. Before joining Protiviti, Tim was a regional CISO responsible for APAC within a large recruitment company with core ... Learn More Krishnan Venkatraman Krishnan is a director with over 14 years’ experience in professional services. He has specific expertise in technology risk consulting and has been advising clients both in the public and private sector in designing and implementing information security controls.Major ... Learn More