The PRC authorities published draft regulations on cybersecurity for public consultation


The Cyberspace Administration of China (“CAC”) published the latest set of draft regulations on the protection of security of critical information infrastructure for public consultation on 11 July (the “Draft Regulations”). These are not yet in final form and any interested parties have until 10 August 2017 to submit feedback and comments to the CAC.

Some of the key aspects of the latest Draft Regulations are as follows:

1. Sectors falling within the meaning of “critical information infrastructure”

The Cybersecurity Law imposes more stringent obligations on operators of critical information infrastructure. Previous guidance indicated that organisations operating in sectors including telecommunications, energy and financial services would likely fall within this definition. The latest Draft Regulations specify additional key sectors which are likely to constitute critical information infrastructure, including education, broadcasting and news reporting and “communications over the internet”. The Draft Regulations also specifically extend the scope of critical information infrastructure operators to cover entities which provide large scale public information network services (including cloud and big data services). They also cover entities which conduct scientific research or otherwise belong to the science and industrial sector, whether they are set up for the purpose of ensuring national defence, producing large equipment, or manufacturing chemical and pharmaceutical products.

2. Enhanced obligations imposed on operators of critical information infrastructure

The Draft Regulations will impose obligations on operators of critical information infrastructure to ensure that the infrastructure is protected from unauthorised access, interruption and loss. Some key obligations include implementing strict procedures on identity verification and the management of access rights, technical measures on preventing and containing viruses to minimise the impact of cyber-attacks and obligations to retain records and logs of access, inspection and cyber incidents for at least six months.

The Draft Regulations will also require operators of critical information infrastructure, in addition to their existing obligations to formulate policies and measures, to conduct KYC checks on their employees who are responsible for cybersecurity within the organisation and provide them with regular technical training sessions, design incident handling and data recovery measures, arrange for back-up of important systems and data and conduct periodic drills to deal with cyber incidents.

3. More specific requirements on the transfer and remote maintenance of data outside of China

As we discussed in our earlier updates, any transfer of personal information and important data outside of China must be supported by legitimate business needs and subject to security examinations. Failure to do so constitutes a breach of the Cybersecurity Law and could result in a maximum fine of RMB500,000, as well as other sanctions such as suspension of business licences and websites. The Draft Regulations clarify that the authorities may conduct periodic security assessments and will be empowered to: (i) request further information and clarification in relation to items being assessed; (ii) inspect, copy and review records and documents; (iii) monitor the progress of implementation of relevant measures; and (iv) conduct technical inspections.

Notification requirements have also been proposed in the Draft Regulations such that any entity that requires operation, maintenance and support of critical information infrastructure outside of China due to legitimate business needs must notify the relevant supervisory authorities in China in advance. The wording of the Draft Regulations has been drafted quite widely and the notification requirement could potentially cover a wide range of scenarios. For example, it is likely to be the case that an operator of critical information infrastructure must notify the relevant authorities before it appoints an IT service provider (based outside China) which requires remote access to information of that organisation inside China in order to perform its services.

Enforcement trends

We continue to witness developments which reinforce the legislative intention that the Cybersecurity Law should be taken seriously and the regulators will implement the law where necessary.

On the enforcement front, there have already been a number of actions. Within a week of the new law coming into force, more than sixty online entertainment news accounts were removed from major social media platforms such as Baidu, Weibo and WeChat for failure to comply with the provisions relating to the transmission of untrue information and violation of individuals’ personal data protection rights.

On another occasion, 22 suspects (20 of whom were Apple employees) were detained in Zhejiang, Guangdong, Jiangsu and Fujian, accused of obtaining and selling personal information of Apple users as part of a scam for a total of over RMB 50 million, contrary to the provisions relating to the transfer of excessive personal information for gain. Computers, phones, credit cards and other technological tools have been seized by the police for investigation.

We will continue to monitor the developments of the new law as further guidance is published and further enforcement takes place.

For a summary of the background to these most recent measures, please see our earlier articles on this topic (see link).