At a glance: The regulations on Critical Information Infrastructure (CII) took effect on September 1. The State Council defines CII as important network infrastructure or IT systems that, if breached or destroyed, could cause harm to China’s national security, economy or public interests. The policy document lists eight specific sectors, including telecommunications, energy and transportation, in which CII is most likely to be found. Businesses that sell, purchase or use this infrastructure could then be considered CII operators (CIIOs), which must:
- Prioritize the purchase of secure and reliable network products and services
- Conduct an annual security review and risk assessment
- Report cybersecurity incidents and any changes to their CII to the relevant sectoral regulators and public security authorities
- Establish teams to constantly monitor cybersecurity
MERICS comment: Crucially, the policy does not specify which companies will be designated as CII providers or CIIOs and only states that regulators will make that decision.