On 17 Aug. 2021, the State Council promulgated the “Security Protection Regulations on Critical Information Infrastructure (hereinafter “the Regulations”,关键信息基础设施安全保护条例), which entered into force on 1 Sept. 2021.
There are 51 articles in six chapters. The Regulations provides for the identification of critical information infrastructure, the responsibilities and obligations of the critical information infrastructure operators, the guarantee and promotion of the critical information infrastructure, and the relevant legal liabilities.
Critical information infrastructure in the Regulations refers to the important network facilities and information systems in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government services, and science and technology industry of national defense, as well as other important network facilities and information systems that may seriously endanger national security, national economy, people's livelihoods or public interests in the event of damage, malfunction or data leakage.
Pursuant to the Regulations, an operator shall establish and improve the cybersecurity protection and accountability system, and ensure the input of human, financial and material resources. The operator’s person chiefly in charge shall take overall responsibility for the security protection of critical information infrastructure, lead the security protection of critical information infrastructure and the disposal of major cybersecurity events, and organize the study on the resolution of major cybersecurity issues. Besides, an operator shall conduct cybersecurity detection and risk assessment on the critical information infrastructure by itself or an entrusted cybersecurity service provider at least once a year, promptly rectify security problems discovered, and report relevant information as required by the protection authorities. An operator who violates the Regulations may be ordered to make corrections, given a warning, imposed a fine or other administrative penalties, or may even be prosecuted for criminal liability if the act constitutes a crime.
Cover Photo by Stephen Tafra (https://unsplash.com/@stafra) on Unsplash
Contributors: CJO Staff Contributors Team