On October 24, 2023, MIIT issued notice to solicit opinions on the "Administrative Measures for Industrial Internet Security Classification and Grading (Draft for Public Comment)." The document requires the implementation of industrial internet security classification and grading in industries under the supervision of MIIT, including raw material industries, equipment industries, consumer goods industries, and electronic information manufacturing industries.

The classification and grading applies to industrial internet enterprises and will categorize them into three types: industrial enterprises utilizing industrial internet, industrial internet platform enterprises, and industrial internet identifier resolution enterprises.

Industrial internet enterprises will be required to conduct self-grading based on relevant standards for industrial internet security classification, taking into account factors such as the company's size, business scope, degree of industrial internet application, importance of operational critical systems, level of control over critical data, importance for industry development and supply chain security, as well as the consequences of cybersecurity incidents. Based on the results of the self-grading, industrial internet enterprises will be graded to Grade three, two, and one, from high to low.

Industrial internet enterprises that have completed self-grading are required to register their information on the National Industrial Internet Security Classification and Grading Management Platform (referred to as the Classification and Grading Management Platform). This registration includes but is not limited to company name, type, grade, contact information, and cybersecurity personnel. Industrial internet enterprises should also, in accordance with relevant standards for industrial internet security assessment, independently or through third-party assessment organizations, regularly conduct standard compliance assessments. Grade three industrial internet enterprises must conduct assessments at least once a year, while Grade two industrial internet enterprises must conduct assessments at least once every two years.

The MIIT will establish and improve the mechanism for industrial internet security inspection and evaluation, regularly organizing security inspections and evaluations of industrial internet enterprises. If an industrial internet enterprise violates the provisions of these measures, fails to fulfill its obligations for network and data security protection, presents significant security risks, or experiences security incidents, the MIIT and local supervisory departments may take measures in accordance with relevant laws and regulations, including the Cybersecurity Law and the Data Security Law of China.

Furthermore, it's worth noting that the document also suggests that the MIIT will guide internet-connected industrial enterprises in identifying important industrial control systems and promote the inclusion of distributed control systems (DCS) and similar systems in the catalog of critical network equipment, mandating compulsory testing and certification.

The deadline for commenting is November 22, 2023.