Regulation set to better protect key info facilities

China's new regulation to protect critical information facilities is not aimed at companies planning to list abroad, and all companies must be involved in ensuring network security, said a cyberspace regulatory official.

The Regulation for Safe Protection of Critical Information Infrastructure was issued by the State Council last week and will take effect on Wednesday.

The regulation, with 51 articles contained in six chapters, clarifies what is defined as critical information infrastructure. The definition includes public communication and information services, energy, transportation, water resources and finance.

Personal information and important data collected and produced by the operators within the Chinese mainland should be stored on the mainland, according to the regulation. Security assessments will be needed if a business has to provide such data overseas.

China will take measures to monitor, defend and cope with cybersecurity risks and threats, both at home and abroad, to prevent major information facilities from being "attacked, invaded, disrupted and damaged", the regulation says.

"Adhering to opening-up is a basic policy of our country, and the regulation was made to protect the safety of critical information facilities and cybersecurity," said Sheng Ronghua, vice-minister of the Cyberspace Administration of China. "We've always supported internet and information enterprises in raising money and developing in line with laws and rules."

Sheng said that all companies, regardless of what kind they are or where they are listed, must "comply with Chinese laws and rules and ensure national security, the safety of key information infrastructure and personal data security". "If companies can follow the requirements, they will not be affected. If not, they'll be affected," he said.

He highlighted the role of IT infrastructure security, saying it is important for safeguarding cybersecurity, cyberspace sovereignty and national security as well as to guarantee economic growth and people's legitimate rights.

Zuo Xiaodong, vice-president of the China Information Security Research Institute, said it is necessary for China to intensify information protection and stay alert to cyber risks by improving its legal system.

The new regulation also meets the requirements of the Cybersecurity Law. Coupled with other existing legislation, such as the Data Security Law, which will also take effect on Wednesday, and the Personal Information Protection Law, which will take effect on Nov 1, the measures will help the country reinforce its protection of national and network security.

According to the regulation, the cyberspace administration will be in charge of coordination, while public security departments will take care of supervision. The nation's telecom regulator and other relevant agencies will be responsible for protection and management of major IT infrastructure projects under their watch.

Operators of crucial IT infrastructure projects bear the primary responsibility of maintaining the integrity, confidentiality and availability of the projects' data. They are required by the regulation to ensure cybersecurity, including conducting security checks and risk assessments every year and prioritizing safe and reliable internet products and services in procurement. Otherwise, they will be punished together with regulatory agencies that fail in their duties, the regulation says.

Sun Weimin, head of the administration's cybersecurity coordination bureau, said it will make and improve relevant rules and security standards related to critical information infrastructure to ensure the regulation can be implemented effectively.

Police will conduct campaigns against security-related problems among major IT facilities as well as increase cybersecurity monitoring, alerts and handling, said Wang Yingwei, head of the Ministry of Public Security's cybersecurity bureau.