China's State Council issued a long-anticipated set of cybersecurity regulations on Tuesday that provide guidance about how regulators will designate "Critical Information Infrastructure" operators and the regulatory scrutiny they will face.
The Critical Information Infrastructure Security and Protection Regulations are vastly different from what's found in the first draft, published in 2017. Together, the rules will subject tech companies that fall under the CII category to stricter cybersecurity requirements.
Critical information infrastructure refers to important network infrastructure and information systems in critical industries, such as public telecommunications and information services, energy, transportation, finance and national defense science. And if data leakage, destruction or dysfunction of a network system or infrastructure may hinder national security or public interest, then it's also considered CII regardless of whether it falls into one of those categories.
Beijing's new rules, which will go into effect on September 1, do not provide specific metrics for classifying CII operators or networks. But they do clarify that sectoral regulators will determine who are CII operators or networks, in coordination with the Cybersecurity Administration of China and guided by the Ministry of Public Security.
In July, when CAC launched an investigation into DiDi Chuxing's data infrastructure, the enforcement action was based on Cybersecurity Review Measures, which are aimed at CII operators. The cybersecurity review therefore implied that DiDi was treated as a CII operator.
The new rules also detail compliance requirements for CII operators. Those include dedicating a management body to carry out cybersecurity protection duties, conducting annual internal security risk assessments of their CII and purchasing "secure and reliable" network products and services.
"This matters immensely to businesses and other network operators because the Cybersecurity Law imposes special data protection, procurement, and cross-border data rules on CII operators," Graham Webster, who heads the DigiChina Project at the Stanford University Cyber Policy Center, told Protocol. "And the category is present in a bunch of other rules that mostly reinforce the [Cybersecurity Law]."
And because CII regulations are a critical part of the broad cybersecurity apparatus that Beijing is actively building, they send important signals about comparative power within China's bureaucracy. "It certainly indicates the cyberspace regulatory regime is coming out of a long period of flux, especially combined with the Data Security Law going into effect Sept. 1 and the expected passage of the Personal Information Protection Law on Friday," Webster said.