4 years, 1 month and 7 days: the time between the draft of China’s Regulations for the Security Protection of Critical Information Infrastructure (“CII Regulations”) and the final form being released. The level of wordsmithing might hint at the internal debate and external consultation that has gone on in that time period. However, the substance of these long-awaited rules is low on “critical” must-knows for business operators and high on “infrastructure” upon which authorities must frame further rules and guidance before industry has a full understanding.
The September 1 start date for the CII Regulations pegs them to the Data Security Law (“DSL”), which was released in final form in June. Indeed, various articles in the CII Regulations mirror those of the DSL. Several provisions also closely resemble the draft Cybersecurity Review Measures (“CRM”) released last month in respect of the procurement of new network products and services, and the primary legislation in this area, the Cybersecurity Law (“CSL”): high-level checklists of security requirements, mandatory appointment of cybersecurity officers, annual cyber reviews, security incident reporting, etc.
Although the CII Regulations lack content which stands out as being new, a key narrative quickly drawn from the rules is the continuing momentum of Beijing’s lawmakers to wall in their critical network infrastructure with familiar mechanisms for long-term digital security and stability.
The definition of "critical information infrastructure" (or “CII”) in the CII Regulations remains attached to a consistent list of industries seen in the CSL: public communications, information services, energy, transportation and finance are a steady roster for the private sector to pigeonhole themselves into. With the passage of time, it is interesting to see that national defence technologies have been added to the list as global military capabilities digitalise, but otherwise the fields to which stricter cybersecurity obligations will intrinsically apply are similar to those from 2017. A comparable catch-all is also included for other information systems that, if damaged, or if their data is lost or disclosed, may seriously endanger national security, the national economy, people's livelihood, and the public interest.
Am I CII?
The 2016 Trial Guidelines for Determining Critical Information Infrastructure were relatively detailed on specific industries and user numbers, etc., but are believed to be out-of-date and only of reference value now. International players in the prescribed critical sectors have been waiting for the CII Regulations in the hope of more granularity and an answer to the uncertainty of whether their systems are CII. Aside from the CSL’s list, however, the somewhat helpful sub-list of the 2017 draft rules has been omitted in the CII Regulations. For example, healthcare is no longer expressly called out, but you would presume large hospitals are still CII operators under the category of “public services”.
Less is not more in this context and the wait goes on for further rules to be prepared by regulators of the named critical industries in order to provide clarity – yet (a) no timetable has been set for this to happen and (b) there is no list of authorities to help distinguish your PBOCs from your CBIRCs when you are in a sector with multiple top regulators.
Reason for optimism?
Crucially, it is also the industry-level authorities that are charged under the CII Regulations with determining whether individual business operators possess CII. Delegation to those with sector knowledge, as we saw in the DSL, will help to satisfy businesses. But do the factors to be considered by these authorities in formulating their rules help enterprises to guess their designation upfront?
- Importance of systems to the key, core business of the specific industry / field.
- Extent of harm that may result from the destruction, loss of functionality or data leakage of those systems.
- Relevance to other industries and fields.
For MNCs like international banks that are in an industry on the critical list and therefore uncertain about their cyber standing, dare I say that comfort can be taken from the combination of these three factors? The first and third factors in particular suggest that operations must be substantial compared to the market as a whole if systems are to be classed as CII. “Too big to fail” labels have not been pinned to many multinationals in the finance or tech sectors because foreign investment laws and other market factors have traditionally restricted their scale. More guidance is needed, but this could be a point for optimism.
Absence of transparency
On the flipside, the process for making these regulatory determinations seems a little opaque.
While designated cyber departments within industry regulators must formulate the criteria for identifying CII operators and then report these to the Ministry of Public Security for record, it is not clear whether their frameworks will be made public. Similarly, if and when your industry regulator notifies you that you have been classified as a CII operator, it is not explicit under the CII Regulations that you will be given a breakdown of why – or have an opportunity to contest the result.
Maybe a fuller process is implicit in the rules or intended by the legislature. For now, the lack of transparency may worry some managers – domestic and foreign alike. It will also make it hard for other businesses to benchmark themselves when configuring new systems or when first entering the China market.
On this latter scenario, interestingly, a related obligation from the 2017 draft rules has been removed – new entrants no longer have to put their hands up as potential CII operators by reporting to regulators on establishment. That said, the filing procedures under the multi-level protection scheme rules (aka MLPS 2.0, rules that have been re-invigorated since the first draft of the CII Regulations) should help to flag new CII to the authorities.
Possibly most importantly for many big-name players though – how long should businesses wait to be told whether they are CII operators? Will a notice of negative determinations be given on an individual or industry-wide basis? Some international operators, in particular, are in a hiatus waiting to know if the CSL’s restrictions on cross-border data transfers apply to them.
The 2017 draft of the CII Regulations had mandated that prior reporting to, and therefore possibly de facto pre-approval from, regulators and the public security bureau would be required to conduct technical maintenance of CII from offshore. While foreign-owned businesses will be pleased to see that this operational hurdle has been removed in the final form rules, sceptical overseas stakeholders may query whether onshoring and anti-international elements are creeping in elsewhere:
- Anti-SPAC provision? Some commentators have questioned whether the CRM and other new rules are designed to regulate foreign investment via the M&A market as well as the capital markets through restrictions on foreign listing. Even if this was not apparent under July’s draft rules, the CII Regulations do require CII operators to promptly report to their industry regulators if they undergo a merger, separation or other corporate transaction; enterprises must then follow any instructions given by the authorities to ensure network safety is preserved. Note that the CII Regulations do not have express extraterritorial effect. However, in the same way that some market watchers predict that the CRM may be stretched to offshore holding companies and special purpose vehicles, there may be speculation as to whether this article of the CII Regulations allows for the review and unwind of technology SPACs that threaten national security.
- Level playing field? The obligation under the CII Regulations to give priority to the procurement of “secure and credible” network products and services may lead some to wonder whether foreign products and services will be more likely than their domestic equivalents to require a national security examination before use – particularly when partnering with state-owned enterprises. International stakeholders continue to rail against state ownership’s impact on competition in the world’s second largest economy. This stance will likely continue under these new regulations.
- International cooperation moratorium? Despite China seeking to push globally on harmonisation of tech and data standards, the obligation on the Chinese state to actively exchange ideas and cooperate on the international stage in the security of CII has been omitted from the revised CII Regulations. This might be a recognition of recent geopolitical tensions, but hopefully other recent treaties, such as the Regional Comprehensive Economic Partnership, can keep international collaboration on the agenda.
Stick and carrot
Unlike the CRM, the amended introduction to the CII Regulations does not reference the DSL. This might have been expected, in order to expressly pull in the higher level of financial penalties for wrongdoing under the CII Regulations. Instead, the sanctions under these new rules are not substantially changed, in contrast to the uptick in levels of fines that we have seen in new cyber legislation in China and other markets.
On the contrary, and to end on a positive note, the CII Regulations introduce several cyber carrots to encourage businesses to comply with their rules. First, those that make outstanding contributions to the security protection of CII should be recognised by the state. Second, CII operators’ management teams should reward staff for good network security work. At least since the CSL, China’s cyber regime has expressly encouraged “business ethics” and “acts of good faith”. While obtaining a “Cyber Worker of the Month” award might not be everyone’s career goal, enterprises that are named in some sort of annual “CII Superstar” list could logically receive elevated corporate credit scores or other benefits worth vying for.
Businesses will have to continue to monitor developments to have the full answer to whether they are “CII or not”. Further rules, and possibly advance consultations with regulators, will be paramount.
For a recognised CII operator, detailed security protection obligations are expected to be covered by at least two national standards – the Information Security Technology: Critical Information Infrastructure Security Protection Requirements and the Security Control Measures for Information Security Technology Critical Information Infrastructure. The National Information Security Standardisation Technical Committee of China (or TC260 to its friends) started drafting these standards in 2017. The market now expects them to be finished quickly.
Even if the CII Regulations do not meet all expectations, with the third draft of the Personal Information Protection Law currently being read by China’s top legislature and seemingly in a “mature” form, anticipation among those involved in the country’s tech sector and beyond remains sky-high for more critical news soon.
Watch this space!
The new rules require that regulators for specific industries formulate detailed guidance to recognise their respective important operators, then notify them and the State Council accordingly. The public security department (that is, the police) will then take the lead in ensuring security.