Follow us on
Member Login
sign out
[ICT] - AUG 17, 2021, Regulation on Critical Information Infrastructure Effective Soon
Uploading Date: 2021-08-23 12:25:23


The Regulation on Security and Protection of Critical Information Infrastructure (hereinafter referred to as “the Regulation”) was promulgated on August 17 and will enter into force since September 1, 2021.

 

To understand whether the Regulation will influence their current business, enterprises should first confirm if the Regulation would be applicable to them. The scope and implementation of Critical Information Infrastructure (CII) are elaborated as below.

 

What is CII Scope?


 The CII mentioned in the Regulation refers to network facilities and information systems in important industries and fields such as:

-Public communication and information services

-Energy

-Transportation

-Water conservancy

-Finance

-Public services

-E-government

-National defense science and technology industry

-Other important network facilities

 

Secondly, if the infrastructure may seriously endanger national security, national economy, people's livelihood and public interests in case of damage, loss of function or data leakage, etc., it is also regarded as CII.

 

Who defines CII?


The competent departments and administrative departments of those important industries and fields could be the ones who are responsible for the CII security and protection (hereinafter referred to as “Protection Departments”). Therefore, the ministries and other competent departments will define the CII in their sectors.

 

The Protection Departments shall formulate rules for the CII identification in consideration of the actual situation of the industries and fields, and they should report such information to the Public Security Department of the State Council for the record.

 

What are the critical indicators to identify a CII?

 

The following factors shall be considered for the CII determination:

-          The importance of network facilities and information systems to the key businesses of the industry and the field.

-          The degree of harm that may be caused by network facilities, information systems, etc. in case of damages, function lost or data leakage.

-          Impact on other industries and fields.

 

What is the procedure to determine CII?

 

The Protection Departments shall, in accordance with the identification rules, be responsible for organizing CII identification in their own industries and fields. They should regularly inform relevant operators and enterprises of the identification results, as well as notifying the Public Security Department of the State Council.

 

In a word, local or overseas enterprises in China shall receive official notification if they are CII related. Foreign investors or manufacturers may be contacted by authority if their relevant property or facilities in China territory are identified as CII. But those who haven’t entered China market will not have impact from this new regulation at all. Yet it is still recommended that the overseas investors and companies who have business in China to consult with compliance experts or relevant authorities to have advanced information, to be better prepared for the possible changes coming along with the CII management.


If you need more information on the topic or the full English version of the document, please contact:

assistant@bestao-consulting.com


Follow us on:
Email: