Regulations on the Security Protection of Critical Information Infrastructure


Order of the State Council of the People's Republic of China No. 745

July 30, 2021

The Regulations on the Security Protection of Critical Information Infrastructure (the "Regulations"), which were adopted at the 133rd executive meeting of the State Council on April 27, 2021, are hereby promulgated and shall come into effect on September 1, 2021.

Li Keqiang, Premier

Regulations on the Security Protection of Critical Information Infrastructure

Chapter I General Provisions

Article 1 The Regulations are formulated in accordance with the Cybersecurity Law of the People's Republic of China with a view to guaranteeing the security of critical information infrastructure and safeguarding cybersecurity.

Article 2 The "critical information infrastructure" herein shall refer to the key network facilities and information systems in important industries and areas such as public telecommunication and information service, energy, transport, water conservancy, finance, public service, e-government and science and technology industry for national defense, which may seriously endanger the national security, national economy, people's livelihood or public welfare once they are subject to any damage, loss of function or data leakage.

Article 3 Under the overall coordination by the national cyberspace department, the public security department under the State Council shall be responsible for guiding and overseeing the security protection of critical information infrastructure. The competent telecommunication department under the State Council and other relevant departments shall be responsible for the security protection, supervision and administration of critical information infrastructure within the scope of their respective duties pursuant to the Regulations and the provisions in relevant laws and administrative regulations. Relevant departments of the provincial people's government shall carry out the security protection, supervision and administration of critical information infrastructure according to their respective duties.

Article 4 The security protection of critical information infrastructure shall adhere to comprehensive coordination, division of duties and lawful protection; it is required to enhance and implement the primary responsibilities of the critical information infrastructure operators (the "operators"), give full play to the role of the government and all walks of life, and jointly protect the critical information infrastructure.

Article 5 The State shall adopt key protection for critical information infrastructure and shall take measures to monitor, detect, defend and dispose of cybersecurity risks and threats within and outside of the territory of the People's Republic of China, protect the critical information infrastructure from attack, invasion, disturbance and destruction, and legally punish illegal and criminal activities that endanger the security of critical information infrastructure.
No individual or organization shall illegally intrude into, disturb or sabotage any critical information infrastructure, or endanger the security of critical information infrastructure.

Article 6 The operators shall, in accordance with the Regulations, the provisions of relevant laws and regulations, and the mandatory requirements in the relevant national standards and based on the classified protection of cybersecurity, take technical protection measures and other necessary measures to cope with cybersecurity incidents, prevent network attacks and illegal and criminal activities, guarantee the safe and stable operation of critical information infrastructure, and maintain data integrity, confidentiality and availability.

Article 7 The entities or individuals that achieve remarkable results or make outstanding contributions in the security protection of critical information infrastructure shall be given commendation in accordance with the relevant provisions of the State.

Chapter II Identification of Critical Information Infrastructure

Article 8 The competent departments and regulatory departments governing the key industries and areas involved in Article 2 hereof shall serve as the departments in charge of the security protection of critical information infrastructure (the "security protection departments").

Article 9 The security protection departments shall formulate the rules for identification of critical information infrastructure according to the actual conditions of the respective industries and areas and submit such rules to the State Council for record-filing.
The following factors shall be considered in the formulation of identification rules:
(1) the degree of importance of the network facilities and information systems to the core businesses of the industry and area concerned;
(2) the degree of damage that may be caused if the network facilities and information systems are subject to destruction, loss of function or data leakage;
(3) the correlative impact on other industries and areas.

Article 10 The security protection departments shall be responsible for organizing the identification of critical information infrastructure in their respective industries and areas in accordance with the identification rules, and shall promptly notify the operators of the identification results and report such results to the public security department under the State Council.

Article 11 Where any major change occurs to the critical information infrastructure and its identification result may be affected, the operator shall promptly report the relevant matter to the security protection department, which shall conduct the identification once again within three months upon receiving the report, notify the operator of the identification result and report it to the public security department under the State Council.

Chapter III Responsibilities and Obligations of the Operators

Article 12 Security protection measures shall be planned, constructed and used simultaneously with critical information infrastructure.

Article 13 The operators shall establish a sound cybersecurity protection system and accountability system to guarantee the input of human resources, financial resources and material resources.
  ......