We use cookies to deliver our online services. Details of the cookies we use and instructions on how to disable them are set out in our Cookies Policy. By using this website you agree to our use of cookies. To close this message click close.

A brief analysis of the draft key information infrastructure protection measures

August 2017

Another step forward filling in blanks in the cyber security law or more questions than answers?

On 11 July 2017, the China Cyberspace Administration ("CAC") released the draft Key Information Infrastructure Protection Measures ("Draft Measures") for public consultation, as another piece of key follow-on legislation to The People's Republic of China Cyber Security Law (see our briefings here) adopted on 6 November 2016 and effective from 1 June 2017 ("Cyber Security Law").

The Cyber Security Law stipulates that the detailed scope of key/critical information infrastructure ("KII") and security protection measures for KII will be formulated by the State Council.

The Draft Measures provides that network facilities and information systems operated or managed by the following units are included within the scope of protection for KII:

  • government agencies, and units in the fields of energy, finance, transportation, water conservancy, healthcare, education, social security, environmental protection, public utilities and other industries and sectors 
  • telecoms networks, broadcasting networks, Internet and other such information networks; and units providing cloud computing, big data, and other large-scale public information network services 
  • scientific research institutes and manufacturers in the fields of national defence science, technology and industry, large-scale equipment, chemical engineering, food and drugs and other  such industries 
  • broadcasting stations, television stations, news agencies and other such press outlets other important units.

The Draft Measures goes on to reiterate the security protection obligations of KII operators, while further expanding on existing requirements for data localization and purchases of network products and services.

On one level at least the Draft Measures may have filled out some of the gaps in the cybersecurity legal framework in China, but has it also created new uncertainties? Read our full analysis by clicking here.

Contacts

Jun Wei

Jun Wei

Office Managing Partner
Beijing

Loading data