I. Laws
1. Cybersecurity Law of China (2017) 网络安全法
This Law is applicable to owners, managers and network service providers (hereinafter referred to as “operators”) that construct, operate, maintain and use networks in China. Key points of this Law include:
(1)Operators shall verify the identity of the user when providing such services as network access, domain name registration, phone network access, or information release and instant messaging for the user.
(2)Personal information and important data must be stored in China. Data exportation shall be subject to regulator’s review.
(3)Operators shall provide technical support and assistance to public security organs and national security authorities.
(4)Where any overseas institution, organization or individual attacks, intrudes into, disturbs, destroys or otherwise damages China’s critical information infrastructures, causing any serious consequence, the violator shall be subject to legal liability in accordance with law. The public security organs and relevant departments may decide to freeze the property of or take any other necessary sanction measure against the institution, organization or individual.
2. Decision on Strengthening the Protection of Network Information (2012) 关于加强网络信息保护的决定
The Decision establishes, for the first time in China, the rules for the collection and use of personal information and the obligations of network service providers to protect personal information.
The Cybersecurity Law, subsequently promulgated in 2018, has adopted most content of the Decision.
3. Decision on Maintaining Internet Security (2000) 关于维护互联网安全的决定
The Decision is China’s first rule on cybersecurity, with key points as follows:
(1)Hacking or destroying the computer system constitutes a crime.
(2)Subverting the state power, destroying the national unity and the unity of nationalities, stealing the state secrets and engaging in activities involving cult by publishing information on the Internet constitute a crime.
(3)Infringing the legitimate rights of others on the Internet constitutes a crime.
II.Administrative Regulations
The key points of the Measures include:
(1)The Ministry of Public Security is responsible for protecting the connection between the computer network in China and the international Internet.
(2)No entity shall use the international Internet to publish illegal content or endanger computer security.
The key points of the Measures include:
(1)The Regulations aim to protect the security of computer information systems within the territory of China.
(2)The Ministry of Public Security is the competent authority in this field, whose functions and powers include supervising the relevant security protection; investigating and punishing the illegal acts endangering the computer security.
On June 27, 2018, the Ministry of Public Security based on Article 21 of the Cyber Security Law, drafted the “Regulations on Levels of Cyber Security Protection” and announced its draft for soliciting opinions from the public. As of now, the draft has not yet become an officially promulgated law.
The core points of the draft are as follows:
(1) The network system will be divided into five security protection levels according to its importance in national security, economic construction, and social life.
The importance of the network system gradually increases from the first level to the fifth level. (Article 15)
Network systems of different levels indicate the degree to which relevant interests may be harmed in the event of a network security incident of the network system at that level, as follows:
Level 1: National security, social order and public interests will not be endangered;
Level 2: Social order and public interests will be endangered, and national security will not be endangered;
Level 3: Social order and public interests will be seriously endangered, or national security will be endangered;
Level 4: Social order and public interests will be particularly severely endangered, or national security will be severely endangered;
Level 5: National security is particularly severely endangered.
(2) The network operator shall determine the security protection level of the network during the planning and design stage, and the experts and competent authorities shall confirm its level. After the level is confirmed, the network operator should also file with the public security organ. (Articles 16, 17, 18)
(3) Network operators should perform necessary security obligations, and operators of networks above Level 3 should also perform special security protection obligations. (Articles 20 and 21)
(4) If network products and services purchased by network operators may affect national security, such products and services should undergo national security reviews organized by regulatory authorities. (Article 28)
(5) Networks above Level 3 shall be maintained within the country, and remote technical maintenance shall not be allowed overseas. (Article 29)
(6) Network operators should report network security monitoring and early warning information and network security incidents to regulatory authorities, establish important data and personal information security protection mechanisms, and formulate and exercise network security emergency plans. (Article 30, 31, 32)
III.Departmental Regulations
1. Cybersecurity Review Measures of China (2020) 网络安全审查办法
The Measures aim to supervise whether the purchase of network products and services by critical information infrastructure operators (hereinafter referred to as “operators”) affects the national security. The key points of the Measures include:
(1)If the purchase of network products and services by operators affects or may affect the national security, operators shall report to the network security review office affiliated to the Cyberspace Administration of China for the network security review.
(2)The network products or services include computers, servers, storage devices, databases, software and cloud services.
(3)The network security review office will review the following risks: whether the facilities using such products or services will be damaged; whether the data will be leaked; whether the supply channel of such products or services is safe and stable; whether the supplier of such products or services complies with Chinese laws.
2. Security Assessment Methods for Cloud Computing Services (2019) 云计算服务安全评估办法
This Security Assessment Methods aim to assess the security and the controllability of cloud computing services purchased by the Party and government organs and key information infrastructure operators. The key points are as follows:
(1)The security assessment of cloud computing services will focus on the following: (i) the basic information of cloud platform operators; (ii) the background and stability of cloud service providers; (ii) the security of cloud platform technology, products and service supply chain; (vi) the security management ability and the security measures of cloud service providers; (v) the feasibility and the convenience of customer data migration; (iv) the business continuity of cloud service providers.
(2)Cloud service providers can apply for security assessment on cloud platforms that provide cloud computing services to the Party and government organs and key information infrastructure operators.
This Regulations aim to specify how should public security organs conduct security supervision and inspection over the fulfilling by Internet service providers and Internet users of cybersecurity obligations.
The key points of the Measures include:
(1)The Ministry of Public Security is responsible for protecting the connection between the computer network in China and the international Internet.
(2)No entity shall use the international Internet to publish illegal content or endanger computer security.
5.Regulations on Technical Measures for Cybersecurity (2006) 互联网安全保护技术措施规定
This Regulations aim to supervise Internet service providers and Internet users to take technical measures for cybersecurity, and to ensure the normal function of technical measures for cybersecurity. The public information network security supervision department of the public security organ is responsible for supervising the implementation of the technical measures for cybersecurity.
IV. Policies
1. Contingency Plans on Public Internet Safety Emergency (2017) 公共互联网网络安全突发事件应急预案
This Contingency Plans aim to establish an emergency organization system and working mechanism for Public Internet Safety Emergency.
The Measures aim to enhance the monitoring and handling of work for threats to the cybersecurity of the public Internet, to eliminate security risks, stop attacks, avoid harm, and reduce security risks. Threats to the cybersecurity of public Internet refer to network resources, malicious programs, security risks or security incidents that exist or spread at public Internet, and may cause or have already caused harm to the public.
The Catalogue lists 15 types of equipment and products. Cybersecurity Law of China requires the protection of critical information infrastructure from attacks, intrusion, interference, and damage. The Catalog specifies what kind of equipment and products belong to critical information infrastructure.
This Measures aim to guide the administrative work for local regulatory authorities and Internet access enterprises that engage in Internet data centers (including Internet resource collaboration services), Internet access services, content delivery networks, and other services in managing the use and operational maintenance of Internet information security management systems.
This Opinions aim to promote the establishment of a unified and authoritative national network security standard system and standardization mechanism. The key points are as follows:
(1) Establish and continuously improve the network security standard system.
(2)Actively participate in the formulation of international rules and international standard rules for cyberspace.
This Opinions aim to strengthen the discipline development and talent training of China’s Cybersecurity Academy.
This Notice aims to urge all government departments to improve the security protection of their official websites.
This Notice is divided into 3 parts, with the aim to promote China to initially establish an industrial Internet security system by the end of 2020.
V. Technical Standard
1. Network Security Level Protection Evaluation Requirements 信息安全技术 网络安全等级保护测评要求
2. Network Security Level Protection Basic Requirements 信息安全技术 网络安全安全等级保护基本要求
3. Network Security Level Protection Security Design Requirements 信息安全技术 网络安全等级保护安全设计要求
Photo by Jéan Béller (https://unsplash.com/@jeanbeller) on Unsplash