At a glance: The regulations on Critical Information Infrastructure (CII) took effect on September 1. The State Council defines CII as important network infrastructure or IT systems that if breached or destroyed could cause harm to China’s national security, economy or public interests. The policy document lists eight specific sectors including telecommunications, energy and transportation in which CII is most likely to be found. Businesses that sell, purchase or use this infrastructure could then be considered CII operators (CIIOs), they must:
- Prioritize the purchase of secure and reliable network products and services
- Conduct an annual security review and risk assessment
- Report cybersecurity incidents and any changes to their CII to the relevant sectoral regulators and public security authorities
- Establish teams to constantly monitor cybersecurity
MERICS comment: Crucially, the policy does not specify which companies will be designated as CII providers or CIIOs and only states that regulators will make that decision. Network equipment and service providers, such as Nokia and Ericsson, as well as industrial software firms like ABB or SAP, will likely count as CII providers and rank among the most impacted foreign companies. Pressure to adopt “secure and reliable network products and services” will direct cautious firms to their Chinese competitors.
Companies that operate in the listed sectors, such as energy or transportation, risk being deemed CIIOs and may need to consider switching their suppliers of network equipment and services. In addition, according to Cybersecurity Law, such companies would be required to store personal and important data locally. This could create interoperability issues with business operations outside of China, or even destroy business models relying on cross-border data transfers. Given the broad definition of CII, companies outside of the selected industries could still benefit from tightening their data and cybersecurity. Having said that, it is unlikely that businesses dealing in consumer products will be impacted.
The regulations come at a time when Chinese decision makers regard cyberattacks as an immense threat to China’s national security and society. This is fueled by US-China tensions, the recent proliferation of cyberattacks globally and China’s relatively weak cybersecurity footing. The policy is part of a larger package of cybersecurity measures (e.g., the updated Multi-Level Protection System) that enforce the Cybersecurity Law. The cybersecurity review that followed Didi’s US IPO is an important warning sign for tech companies. To avoid being caught in the crosshairs of regulators, companies should make sure to be compliant.
Policy name: Regulations on the Security Protection of Critical Information Infrastructure (关键信息基础设施安全保护条例) (Link)
Issuing body: State Council
Date: August 17, 2021