China Finalized the Rules on Critical Information Infrastructure
Earlier this week the State Council published the “Rules on the Protection of the Security for Critical Information Infrastructure" (the “CII Rules"), which will come into effect on Sept 1, 2021. The concept of “critical information infrastructure" (“CII") emerged in China under the 2017 Cybersecurity Law. The Cybersecurity Law declares that the government regulators should identify and mandate special protections for CIIs in China. However, since then the mandate has not been implemented, partly due to the lack of detailed rules to identify CIIs. Therefore, the CII Rules have been long anticipated.
A. What is a CII, and What is a CIIO?
1. CIIs are defined as:
“Network facilities and information systems, in industries and fields such as telecommunications and information services, energy, transportation, water conservancy, finance, public service, on-line government service, national defense science and other important industries and fields, as well as other important network facilities and information systems, of which the destruction, lost function or data leakage may seriously endanger national security, public wellbeing and public interest." – Article 2 of the CII Rules
2. CIIOs are the operators of CIIs.
B. Which Government Authorities Are in Charge?
Each industry regulator at the ministry level (such as the Ministry of Industry and Information Technology, and the Civil Aviation Administration of China) is responsible for the guidance and the supervision of the CIIs in its respective industry or field that the above Article 2 specifies. The Cyberspace Administration of China (“CAC") is the overall coordinator among those different industries and fields, while the Ministry of Public Security (“MPS") provides guidance and supervision across all industries and fields.
C. How to Identify a CII?
1. The regulators for the industries and technology fields mentioned in the above Article 2 of the CII Rules need to promulgate rules to identify CIIs in their respective industry jurisdictions. When drafting the identification rules, they need to consider the following:
- i. the degree of importance of such network facility or information system to the critical core business of the industry or the technology field;
- ii. the degree of damage caused by the network facility’s or information system’s destruction, lost function or data leakage; and
- iii. other related impacts on other industries or fields.
2. The provincial-level (or higher) regulators will then, according to the above identification rules, determine which companies or entities have CIIs. The regulators will notify each CIIO of such decisions, and provide a copy of the CII list to the MPS.
3. If any CII or CIIO experiences any substantial change, and such change may impact its CII status, the CIIO needs to report to the industry regulator for a possible review.
D. What are the Obligations of a CIIO?
1. When building a CII, protection measures must be planned and set up simultaneously with the design, set-up, and commissioning of the CII.
2. The top executive of the CIIO must be personally responsible for the security and protection of the CII.
3. Each CIIO must set up a security management department; candidates for the leadership and key personnel positions of this department must undergo background checks. Each CIIO must provide sufficient financial and human resources to the security management department.
4. At least once a year, each CIIO must, either by itself or by engaging a service provider, audit its network security and assess security risks. The regulators may require such audit reports.
5. CIIOs must report network security incidents to their regulators, and if an incident is serious, the regulators need to report to the CAC and the MPS.
6. CIIOs must give priority to “safe and trustworthy" network products and services in their procurements. If a network product or service supplied to a CII may impact national security, such product or service must pass the national security review process.
7. CIIOs must sign confidentiality agreements with product or service providers.
8. Each CIIO must report to its regulators any corporate merger, split, or dissolution, and must handle the CII according to the requirements of the regulators.
E. May Someone Conduct Vulnerability Detection or Penetration Testing on a CII?
Such detection or testing is not allowed unless one of the following provides authorization, depending on the specific circumstances: (i) the CAC; (ii) the MPS; (iii) the relevant industry regulator; or (iv) the CIIO.
F. What are the Liabilities for Non-compliance?
1. Possible Liabilities for CIIOs
The liabilities for CIIOs include: warning, correction order, monetary fine of up to RMB 1 million, and in some circumstances, confiscation of illegal revenue from the intrusion or destruction of the CII.
2. Possible Liabilities for Individuals
The CII Rules also set forth possible liabilities for individuals responsible for security management, and for other individuals who commit wrongdoings. Such liabilities include: (i) a fine of up to RMB 100,000; (ii) administrative detention; (iii) a bar from taking any key positions related to network security management; and (iv) criminal prosecution for serious violations.
G. What Other Related Obligations May Also Apply to CIIOs?
CIIOs may also need to comply with the State secret law and regulations, if applicable. In addition, if a CII uses any commercial encryption product, then the CIIO must also ensure compliance with the encryption regulations.
H. Are there Questions to be Further Clarified?
Even with the CII Rules, many questions remain. For example:
1. The CII Rules require that when building a CII, protection measures must be planned and built simultaneously with the design, building and commissioning of the CII. Does that mean that companies in those sensitive industries need to apply for CII identification as early as when they plan a network system?
2. Many foreign invested enterprises (“FIE") in the IT industry are very concerned about their competitiveness if the term “safe and trustworthy" is interpreted too broadly to unreasonably exclude most of the FIE IT companies.
3. Cross-border transfer of important data and personal information will be restricted and may be subject to security assessment. Many companies, particularly FIEs, are waiting for the procedural rules to identify important data, and to understand what kinds of data need security assessments, by whom, and how to conduct assessments.
I. What Should Companies Prepare?
Companies will need to wait for regulators in their respective industries to issue CII identification guidelines, organize the identification process, and then notify companies whether they are CIIOs. Therefore, while the CII Rules will take effect on Sept 1, 2021, there will still be time to prepare for the actual implementation.
However, companies in the industries called out in Article 2 of the CII Rules, as well as network product and service providers, may need to take more pro-active actions, including:
1. monitoring the implementation of the CII Rules, maintaining contacts with their customers (for network product and service providers) and industry regulators (for possible CIIOs);
2. reviewing the legal requirements under the CII Rules, and planning and budgeting the human and financial resources needed to staff a security management department; and
3. starting self-assessments, with reference to existing laws, rules, and industry standards, for example on personal information, on CIIs and on important data.