The “Regulations on the Security Protection of Critical Information Infrastructure” were officially released and will be implemented on September 1st

Today, the State Council officially promulgated the “Regulations on the Security Protection of Critical Information Infrastructure” of the People’s Republic of China, which will come into effect on September 1, 2021. The full text is as follows:

Order of the State Council of the People’s Republic of China

No. 745

The “Regulations on the Security Protection of Critical Information Infrastructure” have been adopted at the 133rd executive meeting of the State Council on April 27, 2021. They are hereby promulgated and shall come into force on September 1, 2021.

Critical Information Infrastructure Security Protection Regulations

Chapter One General Provisions

Article 1 In order to ensure the security of critical information infrastructure and maintain network security, these regulations are formulated in accordance with the “Network Security Law of the People’s Republic of China”.

Article 2 The “critical information infrastructure” mentioned in these Regulations refers to important network facilities, information systems, etc., in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and the national defense science and technology industry, as well as other important industries and fields, which, once damaged, deprived of their functions, or subject to data leakage, may seriously endanger national security, the national economy, people’s livelihood, and the public interest.

Article 3 Under the overall coordination of the national cybersecurity and informatization department, the public security department of the State Council is responsible for guiding and supervising the safety protection of critical information infrastructure. The competent telecommunications department of the State Council and other relevant departments shall, in accordance with these regulations and relevant laws and administrative regulations, be responsible for the safety protection and supervision and management of critical information infrastructure within the scope of their respective duties.

The relevant departments of the provincial people’s government implement security protection, supervision and management of key information infrastructure in accordance with their respective responsibilities.

Article 4 The security protection of critical information infrastructure adheres to comprehensive coordination, division of responsibilities, and protection in accordance with the law, strengthens and implements the main responsibility of critical information infrastructure operators (hereinafter referred to as operators), and gives full play to the role of the government and all sectors of society to jointly protect the security of critical information infrastructure.

Article 5 The state shall implement key protection of critical information infrastructure, adopt measures to monitor, defend against, and dispose of network security risks and threats originating within and outside the People’s Republic of China, protect critical information infrastructure from attack, intrusion, interference and destruction, and punish illegal and criminal activities that endanger the security of critical information infrastructure in accordance with the law.

No individual or organization shall carry out activities that illegally invade, interfere with, or destroy key information infrastructure, or endanger the security of key information infrastructure.

Article 6 Operators shall, in accordance with the provisions of these Regulations, relevant laws, administrative regulations, and the mandatory requirements of national standards, and on the basis of the network security protection level system, adopt technical protection measures and other necessary measures to respond to network security incidents, prevent network attacks and illegal and criminal activities, ensure the safe and stable operation of critical information infrastructure, and maintain the integrity, confidentiality and availability of data.

Article 7 Units and individuals that have made outstanding achievements or made outstanding contributions in the security protection of critical information infrastructure shall be commended in accordance with relevant national regulations.

Chapter II Identification of Critical Information Infrastructure

Article 8 The competent departments and supervision and management departments of the important industries and fields covered by Article 2 of these Regulations are the departments responsible for the security protection of critical information infrastructure (hereinafter referred to as the protection departments).

Article 9 The protection department shall, in light of the actual conditions of the industry and this field, formulate rules for the identification of critical information infrastructure, and report to the public security department of the State Council for the record.

The following factors should be mainly considered when formulating the determination rules:

(1) The importance of network facilities, information systems, etc., to the industry and key core businesses in this field;

(2) The degree of harm that may be caused by network facilities, information systems, etc., once they are damaged, lost functions, or data leaks;

(3) The associated impact on other industries and fields.

Article 10 The protection work department shall be responsible for organizing the identification of key information infrastructures in the industry and this field in accordance with the identification rules, and notify the operators of the identification results in a timely manner, and notify the public security department of the State Council.

Article 11: In the event of major changes in critical information infrastructure that may affect the results of its determination, the operator shall promptly report the relevant information to the protection department. The protection department shall complete the re-determination within 3 months from the date of receipt of the report, notify the operator of the determination result, and notify the public security department of the State Council.

Chapter III Liability and Obligation of Operators

Article 12 Security protection measures shall be planned, constructed and used simultaneously with key information infrastructure.

Article 13: Operators shall establish a sound network security protection system and responsibility system to ensure the input of human, financial, and material resources. The main person in charge of the operator is responsible for the security protection of critical information infrastructure, leads the security protection of critical information infrastructure and the handling of major network security incidents, and organizes research and resolution of major network security issues.

Article 14: Operators shall set up a special safety management agency, and conduct safety background checks on the persons in charge of the special safety management agency and personnel in key positions. During the review, the public security organs and national security organs shall provide assistance.

Article 15 The special security management agency is specifically responsible for the security protection of the key information infrastructure of the unit, and performs the following duties:

(1) Establish and improve network security management, evaluation and assessment systems, and formulate plans for the security protection of critical information infrastructure;

(2) Organizing and promoting the construction of network security protection capabilities, and carrying out network security monitoring, testing and risk assessment;

(3) In accordance with national and industry emergency plans for cyber security incidents, formulate emergency plans for the unit, conduct emergency drills on a regular basis, and deal with cyber security incidents;

(4) Identify key cybersecurity positions, organize cybersecurity work assessments, and propose rewards and punishments;

(5) Organizing network security education and training;

(6) Fulfill personal information and data security protection responsibilities, and establish and improve personal information and data security protection systems;

(7) Implement security management for the design, construction, operation, maintenance and other services of key information infrastructure;

(8) Report network security incidents and important matters in accordance with regulations.

Article 16 Operators shall guarantee the operating funds of the specialized security management agency and allocate corresponding personnel, and the personnel of the specialized security management agency shall participate in the decision-making related to network security and informatization.

Article 17: Operators should conduct network security inspections and risk assessments of critical information infrastructure at least once a year by themselves or by entrusting network security service agencies, promptly rectify security issues discovered, and report the situation in accordance with the requirements of the protection work department.

Article 18: When a major network security incident occurs in a critical information infrastructure or a major network security threat is discovered, the operator shall report to the protection work department and the public security organ in accordance with relevant regulations.

Where a particularly major network security incident occurs, such as the overall interruption of the operation of critical information infrastructure or a major functional failure, the leakage of basic national information or other important data, the leakage of large-scale personal information, the resulting large economic losses, or the large-scale dissemination of illegal information, or where a particularly major network security threat is discovered, the protection work department shall, after receiving the report, promptly report to the national cybersecurity and informatization department and the public security department of the State Council.

Article 19: Operators shall give priority to purchasing safe and reliable network products and services; if purchasing network products and services may affect national security, they shall pass a security review in accordance with national network security regulations.

Article 20 When purchasing network products and services, operators shall sign security and confidentiality agreements with network product and service providers in accordance with relevant national regulations, clarify the providers’ technical support and security and confidentiality obligations and responsibilities, and supervise the performance of those obligations and responsibilities.

Article 21 In the event of merger, division, dissolution, etc., an operator shall promptly report to the protection work department, and handle the critical information infrastructure in accordance with the requirements of the protection work department to ensure safety.

Chapter IV Guarantee and Promotion

Article 22 The protection work department shall formulate a security plan for the key information infrastructure of the industry and this field, and clarify the protection objectives, basic requirements, work tasks, and specific measures.

Article 23: The national cybersecurity and informatization department shall coordinate relevant departments to establish network security information sharing mechanisms, collect, analyze, assess, share, and publish information on network security threats, vulnerabilities, incidents, and other matters in a timely manner, and promote network security information sharing among relevant departments, protection work departments, operators, network security service agencies, etc.

Article 24: The protection work department shall establish and improve the network security monitoring and early warning system for the critical information infrastructure of its industry and field, keep timely track of the operating status and security situation of the critical information infrastructure of its industry and field, provide early warning and notification of network security threats and hidden dangers, and guide security precautions.

Article 25: The protection work department shall, in accordance with the requirements of the national network security incident emergency plan, establish and improve the network security incident emergency plan for its industry and field and organize emergency drills on a regular basis; it shall guide operators in handling network security incidents and organize and provide technical support and assistance as needed.

Article 26 The protection work department shall regularly organize and carry out the network security inspection and testing of the key information infrastructure of the industry and this field, and guide and supervise operators to rectify hidden safety hazards and improve safety measures in a timely manner.

Article 27: The national cybersecurity and informatization department shall coordinate the public security department and protection work department of the State Council to conduct cybersecurity inspections on critical information infrastructure, and propose improvement measures.

Relevant departments should strengthen coordination and information communication when conducting critical information infrastructure network security inspections, and avoid unnecessary inspections and cross-duplication inspections. No fees shall be charged for inspection work, and the inspected unit shall not be required to purchase products and services of designated brands or designated production or sales units.

Article 28: Operators shall cooperate with the critical information infrastructure network security inspection and testing work carried out by the protection work department, as well as the critical information infrastructure network security inspection work carried out according to law by the relevant departments of public security, national security, confidentiality administration, and password management.

Article 29 In the work of protecting the security of critical information infrastructure, the State Cyberspace Administration, the State Council’s competent telecommunications department, and the State Council’s public security department shall provide timely technical support and assistance in accordance with the needs of the protection department.

Article 30: The cybersecurity and informatization departments, public security organs, protection work departments and other relevant departments, network security service agencies and their staff may only use the information obtained in the security protection of critical information infrastructure for the purpose of maintaining network security, shall strictly ensure information security in accordance with the requirements of relevant laws and administrative regulations, and shall not disclose, sell or illegally provide it to others.

Article 31 Without the approval of the national cybersecurity and informatization department or the public security department of the State Council, or the authorization of the protection work department or the operator, no individual or organization shall conduct vulnerability detection, penetration testing, or other activities on critical information infrastructure that may affect or harm its security. Activities such as vulnerability detection and penetration testing of basic telecommunications networks shall be reported to the competent telecommunications department of the State Council in advance.

Article 32 The state adopts measures to give priority to ensuring the safe operation of key information infrastructure such as energy and telecommunications.

The energy and telecommunications industries should take measures to provide key guarantees for the safe operation of key information infrastructure in other industries and fields.

Article 33: Public security organs and national security organs strengthen the security of critical information infrastructure in accordance with their respective responsibilities, and prevent and crack down on illegal and criminal activities that target and utilize key information infrastructure.

Article 34 The State formulates and improves the security standards for critical information infrastructure, and guides and regulates the security protection of critical information infrastructure.

Article 35 The State takes measures to encourage network security professionals to engage in the security protection of critical information infrastructure; and incorporate the training of operator security management personnel and security technical personnel into the national continuing education system.

Article 36 The State supports technological innovation and industrial development of key information infrastructure security protection, and organizes forces to implement key information infrastructure security technology research.

Article 37: The State strengthens the construction and management of network security service institutions, formulates management requirements and strengthens supervision and guidance, continuously improves the capabilities of service institutions, and gives full play to their role in the security protection of critical information infrastructure.

Article 38: The state strengthens cybersecurity military-civilian integration, and the military and local governments coordinate to protect the security of critical information infrastructure.

Chapter V Legal Liability

Article 39 If an operator falls under any of the following circumstances, the relevant competent department shall, according to its duties, order corrections and give a warning; if the operator refuses to make corrections or causes harm to network security, a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed, and the directly responsible person in charge shall be fined not less than 10,000 yuan but not more than 100,000 yuan:

(1) Failure to promptly report the relevant information to the protection department when major changes in the key information infrastructure may affect the determination results;

(2) The security protection measures are not planned, constructed and used simultaneously with the key information infrastructure;

(3) Failure to establish a sound network security protection system and responsibility system;

(4) No special safety management agency has been established;

(5) Failure to conduct a safety background review on the person in charge of the special safety management agency and the personnel in key positions;

(6) The decision-making related to network security and informatization does not involve the participation of personnel from specialized security management agencies;

(7) The special safety management agency fails to perform the duties prescribed in Article 15 of these Regulations;

(8) Failing to conduct network security inspections and risk assessments for critical information infrastructure at least once a year, failing to rectify the security problems discovered in a timely manner, or failing to report the situation in accordance with the requirements of the protection work department;

(9) When purchasing network products and services, failing to sign security and confidentiality agreements with network product and service providers in accordance with relevant national regulations;

(10) In case of merger, division, dissolution, etc., failing to report to the protection department in time, or failing to dispose of the key information infrastructure in accordance with the requirements of the protection department.

Article 40: If an operator fails to report to the protection work department or the public security organ in accordance with relevant regulations when a major network security incident occurs in its critical information infrastructure or a major network security threat is discovered, the protection work department or the public security organ shall, according to its duties, order corrections and give a warning; if the operator refuses to make corrections or endangers network security, a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed, and the directly responsible person in charge shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 41: If an operator purchases network products and services that may affect national security without conducting a security review in accordance with national network security regulations, the national cybersecurity and informatization department and other relevant competent authorities shall, according to their duties, order corrections and impose a fine of not less than 1 time but not more than 10 times the purchase amount, and the directly responsible person in charge and other directly responsible persons shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 42: If an operator fails to cooperate with the critical information infrastructure network security inspection and testing work carried out by the protection work department, or with the critical information infrastructure network security inspection work carried out according to law by the relevant departments of public security, national security, confidentiality administration, and password management, the relevant competent authority shall order corrections; if the operator refuses to make corrections, a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed, and the directly responsible person in charge and other directly responsible persons shall be fined not less than 10,000 yuan but not more than 100,000 yuan; if the circumstances are serious, the corresponding legal liability shall be investigated in accordance with the law.

Article 43: Where illegal intrusion into, interference with, or destruction of critical information infrastructure, or other activities that endanger its security, are carried out but do not constitute a crime, the public security organ shall, in accordance with the relevant provisions of the “Network Security Law of the People’s Republic of China”, confiscate the illegal gains and impose detention of not more than 5 days, and may concurrently impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; if the circumstances are more serious, detention of not less than 5 days but not more than 15 days shall be imposed, and a fine of not less than 100,000 yuan but not more than 1 million yuan may be imposed concurrently.

If a unit commits the acts mentioned in the preceding paragraph, the public security organ shall confiscate its illegal income and impose a fine of 100,000 yuan up to 1 million yuan, and the directly responsible persons in charge and other directly responsible persons shall be punished in accordance with the preceding paragraph.

Persons who have received public security administration penalties for violating the provisions of Article 5, paragraph 2, or Article 31 of these Regulations shall not hold key positions in network security management or network operations for 5 years; persons who have received criminal penalties shall not hold key positions in network security management or network operations for life.

Article 44: Where the cybersecurity and informatization departments, public security organs, protection work departments, or other relevant departments and their staff fail to perform their critical information infrastructure security protection and supervision and management duties, or neglect their duties, abuse their powers, or practice favoritism, the directly responsible person in charge and other directly responsible personnel shall be punished in accordance with the law.

Article 45: Where public security organs, protection work departments, or other relevant departments charge fees for conducting critical information infrastructure network security inspections, or require the inspected unit to purchase products and services of designated brands or of designated production or sales units, the higher-level authority shall order corrections and the refund of the fees collected; if the circumstances are serious, the directly responsible person in charge and other directly responsible persons shall be punished in accordance with the law.

Article 46: Where the cybersecurity and informatization departments, public security organs, protection work departments or other relevant departments, network security service agencies, or their staff use information obtained in the security protection of critical information infrastructure for other purposes, or disclose, sell, or illegally provide it to others, the directly responsible person in charge and other directly responsible persons shall be punished in accordance with the law.

Article 47: Where a major or particularly major network security incident occurs in critical information infrastructure and the investigation determines that it is an accident for which responsibility can be assigned, in addition to investigating the operator’s responsibility in accordance with the law, the responsibility of the relevant network security service agencies and relevant departments shall be investigated, and those guilty of negligence, dereliction of duty, or other illegal acts shall be held accountable in accordance with the law.

Article 48: Operators of critical information infrastructure for e-government who fail to perform their network security protection obligations under these Regulations shall be dealt with in accordance with the relevant provisions of the “Network Security Law of the People’s Republic of China”.

Article 49 Anyone who violates these regulations and causes damage to others shall bear civil liability in accordance with the law.

Where a violation of these Regulations constitutes a violation of public security administration, public security administration penalties shall be imposed in accordance with the law; where it constitutes a crime, criminal liability shall be investigated in accordance with the law.

Chapter VI Supplementary Provisions

Article 50 The security protection of key information infrastructures that store and process state secret information shall also comply with the provisions of secrecy laws and administrative regulations.

The use and management of passwords in critical information infrastructure shall also comply with relevant laws and administrative regulations.

Article 51 These regulations shall come into force on September 1, 2021.
