On June 27, 2018, the Ministry of Public Security, based on Article 21 of the Cyber Security Law, drafted the “Regulations on Levels of Cyber Security Protection” and released the draft to solicit opinions from the public.
As of now, the draft has not yet become an officially promulgated law.
The core points of the draft are as follows:
(1) Network systems will be divided into five security protection levels according to their importance in national security, economic construction, and social life.
The importance of the network system gradually increases from the first level to the fifth level. (Article 15)
The level of a network system indicates the degree to which the relevant interests may be harmed if a network security incident occurs in a system at that level, as follows:
Level 1: National security, social order and public interests will not be endangered;
Level 2: Social order and public interests will be endangered, and national security will not be endangered;
Level 3: Social order and public interests will be seriously endangered, or national security will be endangered;
Level 4: Social order and public interests will be particularly severely endangered, or national security will be severely endangered;
Level 5: National security will be particularly severely endangered.
(2) The network operator shall determine the security protection level of the network during the planning and design stage, and the experts and competent authorities shall confirm its level. After the level is confirmed, the network operator should also file with the public security organ. (Articles 16, 17, 18)
(3) Network operators should perform necessary security obligations, and operators of networks above Level 3 should also perform special security protection obligations. (Articles 20 and 21)
(4) If network products and services purchased by network operators may affect national security, such products and services should undergo national security reviews organized by regulatory authorities. (Article 28)
(5) Networks above Level 3 shall be maintained within the country, and remote technical maintenance from overseas shall not be allowed. (Article 29)
(6) Network operators should report network security monitoring and early warning information and network security incidents to regulatory authorities, establish important data and personal information security protection mechanisms, and formulate and exercise network security emergency plans. (Articles 30, 31, 32)