30 July, 2018
The draft Multi-Level Cybersecurity Protection Regulation (“Draft Regulation”) was released by the Ministry of Public Security (“MPS”) on June 27, 2018 in order to implement the multi-level protection scheme under Article 21 of the Cybersecurity Law (“CSL”). The Draft Regulation provides an update to the original multi-level cybersecurity protection measures addressed in the Administrative Measures for Multi-Level Protection of Information Security issued in 2007 (“2007 Measures”). The key points and changes to the existing requirements arising from the Draft Regulation are as follows.
I. Slight change to the grading criteria
The five-tier system and the criteria for identifying the tiers generally remain the same as in the 2007 Measures. The main difference is that an information system that might cause extraordinarily serious damage to the rights and interests of citizens, legal persons and other organizations is categorized as Tier 3 under the Draft Regulation, whereas such a system was categorized as Tier 2 under the 2007 Measures.
II. New obligations for information systems of Tier 2 incorporated into Draft Regulation
As well as reiterating the general obligations included in existing laws, the Draft Regulation imposes heightened requirements for Tier 2 information systems, including requiring: (a) expert review of the tier identification, (b) filing with the relevant public security authority, (c) testing before the information system is put online, (d) annual self-examination and reporting of security risks, and (e) audit and review of the implementation status of the multi-level protection system by industry regulators for licensed businesses.
III. New obligations for Tier 3 or higher level information systems added into Draft Regulation
Similar to the critical information infrastructure requirements under the CSL, the Draft Regulation includes cybersecurity obligations for Tier 3 or higher level information systems. The Draft Regulation also sets out new requirements, including: (a) the need to design cybersecurity prevention and management platforms that can be connected with the relevant public security authority; (b) checking by a testing and evaluation agency before the information system is put online; (c) annual evaluation of the security level of the information system; and (d) specific requirements for key personnel.
IV. Risk control for new technology
The Draft Regulation generally provides that network operators bear the responsibility to take necessary measures to control the risks associated with new technologies such as cloud computing, big data, artificial intelligence (AI), the internet of things (IoT), industrial control systems and mobile internet.
V. Obligation to cooperate with regulators’ inquiries and enforcement
The Draft Regulation restates the requirement in the CSL that network operators are obliged to cooperate with and support enforcement by regulators and to take emergency measures as required. In addition, if the relevant public security department or other regulators identify any major security risk, or in the event of a security incident, they may make enquiries of the legal representative or the main responsible person of the network operator.
VI. Encryption regulation and cybersecurity protection for information systems involving State secrets
The Draft Regulation outlines various heightened obligations for information systems of Tier 3 or higher in relation to encryption techniques. The Draft Regulation also separately addresses the need for cybersecurity protection for any information system that involves State secrets, including in relation to how the system is built, the equipment used, and the management, testing and risk assessment of products used to protect the secrecy of information.
VII. Our Observation
The Draft Regulation will likely be implemented as a key regulation supporting the CSL, along with several other national standards that are currently still in draft form. We envisage that companies will need to enhance their internal cybersecurity and information protection schemes in order to comply with the Draft Regulation and its enforcement by public security authorities in the near future.