Regulations on Security Protection of Critical Information Infrastructure were promulgated on 30 July 2021, and entered into force on 1 Sept. 2021.
There are 51 articles in total. The Regulations aim to safeguard the security of critical information infrastructure and maintain cybersecurity.
The key points are as follows:
Under the overall coordination of the national cyberspace administration (Cyberspace Administration of China), the public security authority under the State Council (Ministry of Public Security) is responsible for guiding and supervising the security protection of critical information infrastructure. The competent telecommunications authority under the State Council (Ministry of Industry and Information Technology) and other relevant authorities shall be responsible for the security protection, supervision and administration of critical information infrastructure within the scope of their respective functions and duties in accordance with the Regulations, relevant laws and administrative regulations.
The State grants enhanced protection to the critical information infrastructure, and takes measures to monitor, prevent and deal with cybersecurity risks and threats originating inside and outside the territory of the People’s Republic of China, protects the critical information infrastructure from attacks, intrusions, interference and damage, and punishes illegal and criminal activities endangering the security of the critical information infrastructure in accordance with law.
Operators shall give priority to the purchase of secure and reliable network products and services. If the purchase of network products and services may affect national security, it shall pass the security review in accordance with the provisions on national cybersecurity. When purchasing network products and services, operators shall sign a security confidentiality agreement with the network product and service providers in accordance with the relevant provisions of the State, clarify the obligations and responsibilities of the providers in technical support and security confidentiality, and supervise the performance of the obligations and responsibilities.