On August 17, 2021, after more than three years of soliciting opinions, the State Council officially issued the “Regulations on the Security Protection of Critical Information Infrastructure” (hereinafter referred to as the “Regulations on Customs Protection”), which will be combined with the “Data Security Law” on September 1, 2021. “Synchronous implementation.

Combined with relevant legislative trends, regulatory law enforcement practices and project experience, Huiye Law Firm’s Wangshu legal team briefly interprets the “Customs Protection Regulations” as follows, which is for industry reference only.

1. Some legal documents

Two, graded protection

Through a series of legislation and law enforcement practices, my country has pioneered the establishment of a classification and grading model for network and data supervision and protection, which includes “graded protection and graded supervision”, which is embodied in:

(1) Network classification

According to the “Network Security Law”, “Regulations on Customs Protection” and Circular No. 1960, equal protection is the foundation, and customs protection is the key protection, but there is no direct corresponding relationship between the two. That is, despite the requirement of “focusing on ensuring the security of critical information infrastructure and networks above the third level”, in practice, the network or system of MLPS3 is not necessarily equivalent to CII.

(2) Data classification

(3) Classification of personal information

According to the degree of sensitivity, it can be divided into:

According to the necessary procedures, it can be divided into:

3. Regulatory system

Based on the provisions of the Cybersecurity Law, the Regulations on Customs Security, and Document No. 1960, the current customs security supervision system in my country is as follows:

4. Recognition standard

Regarding the identification standards of CII, the “Customs Protection Regulations” abandons the generalized and enumerated identification mode of the “Critical Information Infrastructure Security Protection Regulations (Draft for Comment)”, and basically continues the “industry + risk” concept of the “Cyber ​​Security Law”. Dual identification mode. That is, the following network facilities, information systems, etc. may be identified as CII:

(1) Industry standards: network facilities and information systems in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, defense technology and industry (note: newly added);

(2) Risk standards: although not in the above industries and fields, but once destroyed, lost functions or data leakage, may seriously endanger national security, national economy and people’s livelihood, public interests, or have a significant impact on other industries or fields. Important network facilities, information systems;

(3) Other standards: In addition, the “Cyber ​​Security Law (Draft)” also has a user number standard when CII is identified, that is, “networks and systems owned or managed by network service providers with a large number of users” will also be identified as CII. , The “Guidelines for Determining Critical Information Infrastructure” circulated in the market also refer to the indicator of the number of users. Whether the subsequent protection departments will consider the indicator of the number of users when formulating the determination rules for critical information infrastructure needs to be further clarified; in addition, Document No. 1960 also proposes the CII identification standard from the dimension of system functional characteristics, that is, “basic networks, large private networks, core business systems, cloud platforms, big data platforms, Internet of Things, industrial control systems, Key protection objects such as intelligent manufacturing systems, new Internet, and emerging communication facilities are included in key information infrastructure.”

It is worth noting that the above-mentioned double identification standard of “industry + risk” is still very broad. For example, in the field of “information services”, if the standards for “Administrative Measures for Internet Information Services” are used, most companies that have access to the Internet, except typical Internet companies, may be identified as providing “information services”.

The “Customs Protection Regulations” further clarifies that whether it is a CII, the protection work department is responsible for organizing the identification and notifying the operator of the identification result according to the identification rules, and the operator does not need to judge and evaluate whether it is a CIIO. According to the team of Huiye Huang Chunlin’s lawyers, some companies have already received confirmation notices from the competent authorities.

V. Compliance Obligations

Based on the “Customs Protection Regulations” and the aforementioned laws and regulations and regulatory enforcement practices, Huiye Huang Chunlin’s lawyer team reminds that the compliance obligations that CIIO should perform according to law include but are not limited to:

(1) Carrying out the assessment and rating of network security level protection in accordance with the law;

(2) Those who purchase network products and services, process important data, etc. that may affect national security, or go to market abroad, shall conduct network security review in accordance with the “Network Security Review Measures” and other regulations;

(3) It shall conduct network security testing and risk assessment on critical information infrastructure at least once a year by itself or by entrusting a network security service agency, and rectify the security problems discovered in a timely manner;

(4) Use commercial cryptographic products or services in accordance with the law to make disaster recovery backups for important systems and databases;

(5) The security protection measures should be planned, constructed and used simultaneously with the critical information infrastructure;

(6) Purchasing network products and services should ensure supply chain security, comply with relevant regulations on import and export control, and sign a security and confidentiality agreement with network product and service providers in accordance with relevant national regulations, specifying the provider’s technical support and security and confidentiality obligations and responsibilities, and supervise the performance of obligations and responsibilities;

(7) Perform data and personal information localization obligations in accordance with the law, and conduct security assessment or certification in accordance with the law if it is really necessary to leave the country;

(8) It shall establish and improve relevant systems and mechanisms for network security and data protection;

(9) The main person in charge shall take overall responsibility for the security protection of critical information infrastructure;

(10) A special security management agency and a person in charge of security management shall be set up, the operating funds shall be guaranteed, and corresponding personnel shall be provided, and the decision-making related to network security and informatization shall have the participation of the personnel of the specialized security management agency;

(11) Security background review shall be conducted on the person in charge of the specialized security management agency and personnel in key positions, and network security education, technical training and skill assessment shall be conducted for practitioners on a regular basis;

(12) Formulate contingency plans for cybersecurity incidents, and conduct regular drills. When major cybersecurity incidents occur or major cybersecurity threats are discovered, they shall be reported to protection departments and public security organs in accordance with relevant regulations;

(13) In the event of merger, division, dissolution, etc., the protection work department shall be reported in a timely manner, and the critical information infrastructure shall be disposed of in accordance with the requirements of the protection work department to ensure safety;

(14) If there is a major change that may affect the result of its CII identification, the relevant situation shall be reported to the protection work department in a timely manner and re-identified; etc.