National regulations

Regulations on the security protection of critical information infrastructure

Release time: 2021-08-27 11:12:02 Author: Kaifeng Public Resources Trading Information Network

Decree of The State Council of the People's Republic of China

No. 745


The Regulations on the Security Protection of Critical Information Infrastructure, adopted at the 133rd Executive Meeting of the State Council on April 27, 2021, are hereby promulgated and shall come into force on September 1, 2021.

Premier Li Keqiang

July 30, 2021


Regulations on the security protection of critical information infrastructure

Chapter I General provisions


Article 1 These Regulations are formulated in accordance with the Cybersecurity Law of the People's Republic of China in order to ensure the security of critical information infrastructure and maintain network security.

Article 2 Critical information infrastructure referred to in these Regulations means important network facilities and information systems in public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, the national defense science and technology industry and other important industries and fields, which, if damaged, deprived of function or subjected to data leakage, may seriously endanger national security, the national economy and people's livelihood, or the public interest.

Article 3 Under the overall coordination of the national cyberspace administration, the public security department under the State Council is responsible for guiding and supervising the security protection of critical information infrastructure. The competent department of telecommunications under the State Council and other relevant departments shall, in accordance with these Regulations and relevant laws and administrative regulations, be responsible for the security protection, supervision and administration of critical information infrastructure within the scope of their respective duties.

The relevant departments of the people's governments at the provincial level shall, in accordance with their respective duties, carry out security protection, supervision and administration of critical information infrastructure.

Article 4 The security protection of critical information infrastructure adheres to the principles of comprehensive coordination, division of responsibilities and protection according to law; strengthens and implements the primary responsibility of critical information infrastructure operators (hereinafter referred to as operators); and gives full play to the role of the government and all sectors of society in jointly protecting the security of critical information infrastructure.

Article 5 The State gives priority to the protection of critical information infrastructure and takes measures to monitor, defend against and handle cybersecurity risks and threats originating both within and outside the territory of the People's Republic of China, to protect critical information infrastructure from attack, intrusion, interference and destruction, and to punish according to law illegal and criminal activities that endanger the security of critical information infrastructure.

No individual or organization may illegally intrude into, interfere with or destroy critical information infrastructure, or engage in activities that endanger the security of critical information infrastructure.

Article 6 Operators shall, in accordance with these Regulations, relevant laws and administrative regulations and the mandatory requirements of national standards, and on the basis of the network security multi-level protection system, take technical protection measures and other necessary measures to respond to cybersecurity incidents, guard against cyber attacks and illegal and criminal activities, ensure the safe and stable operation of critical information infrastructure, and maintain the integrity, confidentiality and availability of data.

Article 7 Units and individuals that have made outstanding achievements or contributions in the security protection of critical information infrastructure shall be commended in accordance with the relevant provisions of the State.


Chapter II Identification of critical information infrastructure


Article 8 The competent departments and supervisory and administrative departments of the important industries and fields referred to in Article 2 of these Regulations are the departments responsible for the security protection of critical information infrastructure (hereinafter referred to as protection departments).

Article 9 Protection departments shall formulate rules for identifying critical information infrastructure in light of the actual conditions of their industries and fields, and report them to the public security department under the State Council for the record.

The following factors shall be considered in formulating the identification rules:

(1) the importance of the network facilities, information systems, etc. to the key core business of the industry and field;

(2) the extent of harm that may be caused if the network facilities or information systems are damaged, lose functionality or suffer data leakage;

(3) the knock-on effect on other industries and fields.

Article 10 Protection departments shall, in accordance with the identification rules, organize the identification of critical information infrastructure in their industries and fields, promptly notify operators of the identification results, and report them to the public security department under the State Council.

Article 11 Where major changes to critical information infrastructure may affect the result of its identification, the operator shall promptly report the relevant situation to the protection department. The protection department shall, within three months from the date of receiving the report, complete the re-identification, notify the operator of the result, and report it to the public security department under the State Council.


Chapter III Responsibilities and obligations of operators


Article 12 Security protection measures shall be planned, constructed and put into use simultaneously with the critical information infrastructure.

Article 13 Operators shall establish and improve a network security protection system and responsibility system, and ensure the input of human, financial and material resources. The principal person in charge of the operator bears overall responsibility for the security protection of the operator's critical information infrastructure, leads that security protection work and the handling of major cybersecurity incidents, and organizes the study and resolution of major cybersecurity issues.

Article 14 Operators shall set up a specialized security management body, and conduct security background checks on the person in charge of that body and on personnel in key positions. Public security organs and state security organs shall provide assistance with these checks.

Article 15 The specialized security management body is specifically responsible for the security protection of the operator's critical information infrastructure and performs the following duties:

(1) establishing and improving network security management, evaluation and assessment systems, and formulating security protection plans for critical information infrastructure;

(2) organizing and promoting the building of cybersecurity protection capabilities, and carrying out cybersecurity monitoring, testing and risk assessment;

(3) formulating the operator's own emergency plan in accordance with the national and industry cybersecurity incident emergency plans, regularly conducting emergency drills, and handling cybersecurity incidents;

(4) identifying key network security positions, organizing the assessment of network security work, and proposing rewards and punishments;

(5) organizing network security education and training;

(6) fulfilling responsibilities for personal information and data security protection, and establishing and improving the personal information and data security protection system;

(7) implementing security management of services such as the design, construction, operation and maintenance of critical information infrastructure;

(8) reporting cybersecurity incidents and important matters in accordance with regulations.

Article 16 Operators shall guarantee the operating funds of the specialized security management body and staff it with appropriate personnel, and personnel of the specialized security management body shall participate in decision-making related to network security and informatization.

Article 17 Operators shall, on their own or by entrusting a cybersecurity service organization, conduct cybersecurity testing and risk assessment of their critical information infrastructure at least once a year, promptly rectify the security problems found, and report the situation as required by the protection department.

Article 18 When a major cybersecurity incident occurs in critical information infrastructure, or a major cybersecurity threat is discovered, the operator shall report to the protection department and the public security organ in accordance with relevant provisions.

Where critical information infrastructure as a whole is interrupted or its main functions fail, national basic information or other important data is leaked, personal information is leaked on a large scale, large economic losses are caused, illegal information is spread widely, or a particularly major cybersecurity threat is discovered, the protection department shall, upon receiving the report, promptly report to the national cyberspace administration and the public security department under the State Council.

Article 19 Operators shall give priority to procuring secure and trustworthy network products and services; where the procurement of network products and services may affect national security, a security review shall be passed in accordance with the national cybersecurity provisions.

Article 20 When procuring network products and services, operators shall, in accordance with the relevant provisions of the State, sign security and confidentiality agreements with the providers of those products and services, specifying the providers' technical support and security and confidentiality obligations and responsibilities, and shall supervise the performance of those obligations and responsibilities.

Article 21 Where an operator undergoes merger, division or dissolution, it shall promptly report to the protection department, and dispose of the critical information infrastructure as required by the protection department so as to ensure security.


Chapter IV Protection and promotion


Article 22 Protection departments shall formulate security plans for the critical information infrastructure in their own industries and fields, specifying protection objectives, basic requirements, work tasks and specific measures.

Article 23 The national cyberspace administration shall coordinate relevant departments in establishing a cybersecurity information sharing mechanism, promptly collecting, evaluating, sharing and releasing information on cybersecurity threats, vulnerabilities and incidents, so as to promote cybersecurity information sharing among relevant departments, protection departments, operators and cybersecurity service organizations.

Article 24 Protection departments shall establish and improve cybersecurity monitoring and early warning systems for the critical information infrastructure in their industries and fields, keep abreast of its operating status and security situation, issue early warnings of and report cybersecurity threats and hidden dangers, and guide security prevention work.

Article 25 Protection departments shall, in accordance with the requirements of the national cybersecurity incident emergency plan, establish and improve cybersecurity incident emergency plans for their own industries and fields and regularly organize emergency drills; they shall guide operators in handling cybersecurity incidents and, as needed, provide technical support and assistance.

Article 26 Protection departments shall regularly organize cybersecurity inspection and testing of the critical information infrastructure in their industries and fields, and guide and supervise operators in promptly rectifying security risks and improving security measures.

Article 27 The national cyberspace administration shall coordinate the public security department under the State Council and the protection departments in carrying out cybersecurity inspection and testing of critical information infrastructure and proposing improvement measures.

When carrying out cybersecurity inspections of critical information infrastructure, relevant departments shall strengthen coordination and information exchange to avoid unnecessary and duplicated inspections. No fees may be charged for inspection work, and the units under inspection may not be required to purchase products or services of designated brands or of designated production or sales units.

Article 28 Operators shall cooperate with the cybersecurity inspection and testing of critical information infrastructure carried out by protection departments, as well as with the cybersecurity inspections of critical information infrastructure carried out according to law by relevant departments such as public security, state security, confidentiality administration and cryptography administration.

Article 29 In the security protection of critical information infrastructure, the national cyberspace administration, the competent department of telecommunications under the State Council and the public security department under the State Council shall promptly provide technical support and assistance according to the needs of the protection departments.

Article 30 Information obtained by cyberspace administration departments, public security organs, protection departments and other relevant departments, and by cybersecurity service organizations and their staff, in the course of the security protection of critical information infrastructure may be used only for the purpose of maintaining network security, shall be kept secure strictly in accordance with relevant laws and administrative regulations, and may not be disclosed, sold or illegally provided to others.

Article 31 Without the approval of the national cyberspace administration or the public security department under the State Council, or the authorization of the protection department and the operator, no individual or organization may carry out vulnerability detection, penetration testing or any other activity that may affect or endanger the security of critical information infrastructure. Activities such as vulnerability detection and penetration testing of basic telecommunications networks shall be reported in advance to the competent department of telecommunications under the State Council.

Article 32 The State takes measures to give priority to ensuring the safe operation of critical information infrastructure in the energy and telecommunications industries, among others.

The energy and telecommunications industries shall take measures to provide key guarantees for the safe operation of critical information infrastructure in other industries and fields.

Article 33 Public security organs and state security organs shall, in accordance with their respective duties, strengthen the security protection of critical information infrastructure according to law, and prevent and crack down on illegal and criminal activities that target or make use of critical information infrastructure.

Article 34 The State formulates and improves security standards for critical information infrastructure, to guide and standardize its security protection.

Article 35 The State takes measures to encourage cybersecurity professionals to engage in the security protection of critical information infrastructure; the training of operators' security managers and security technicians is incorporated into the national continuing education system.

Article 36 The State supports technological innovation and industrial development for the security protection of critical information infrastructure, and organizes efforts to carry out technical research on the security of critical information infrastructure.

Article 37 The State strengthens the development and management of cybersecurity service organizations, formulates management requirements and strengthens supervision and guidance, continually improves the capabilities of these organizations, and gives full play to their role in the security protection of critical information infrastructure.

Article 38 The State strengthens military-civilian integration in cybersecurity, and the military and local governments work together to protect the security of critical information infrastructure.


Chapter V Legal liability


Article 39 Under any of the following circumstances, the relevant competent department shall, in accordance with its duties, order the operator to make corrections and give a warning; where the operator refuses to make corrections or consequences such as endangering network security result, a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed, and the person in charge who is directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan:

(1) failing to report the relevant situation to the protection department in a timely manner when the critical information infrastructure has undergone major changes that may affect the result of its identification;

(2) failing to plan, construct and put into use security protection measures simultaneously with the critical information infrastructure;

(3) failing to establish and improve the network security protection system and responsibility system;

(4) failing to set up a specialized security management body;

(5) failing to conduct security background checks on the person in charge of the specialized security management body and personnel in key positions;

(6) making decisions related to network security and informatization without the participation of personnel of the specialized security management body;

(7) the specialized security management body failing to perform the duties prescribed in Article 15 of these Regulations;

(8) failing to conduct cybersecurity testing and risk assessment of critical information infrastructure at least once a year, failing to rectify the security problems found in a timely manner, or failing to report the situation as required by the protection department;

(9) failing, when procuring network products and services, to sign security and confidentiality agreements with the providers of those products and services in accordance with the relevant provisions of the State;

(10) failing to promptly report to the protection department in the event of merger, division or dissolution, or failing to dispose of the critical information infrastructure as required by the protection department.

Article 40 Where a major cybersecurity incident occurs in critical information infrastructure or a major cybersecurity threat is discovered, and the operator fails to report to the protection department or public security organ in accordance with relevant provisions, the protection department or public security organ shall, in accordance with its duties, order corrections and give a warning; where the operator refuses to make corrections or consequences such as endangering network security result, a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed, and the person in charge who is directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 41 Where an operator procures network products and services that may affect national security without conducting a security review in accordance with the national cybersecurity provisions, the national cyberspace administration and other relevant competent departments shall, in accordance with their duties, order corrections and impose a fine of not less than one time but not more than ten times the purchase amount, and the persons directly in charge and other persons directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 42 Where an operator fails to cooperate with the cybersecurity inspection and testing of critical information infrastructure carried out by a protection department, or with the cybersecurity inspections of critical information infrastructure carried out according to law by relevant departments such as public security, state security, confidentiality administration and cryptography administration, the relevant competent department shall order it to make corrections; where it refuses to make corrections, a fine of not less than 50,000 yuan but not more than 500,000 yuan shall be imposed, and the persons directly in charge and other persons directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan; where the circumstances are serious, legal responsibility shall be investigated according to law.

Article 43 Where anyone illegally intrudes into, interferes with or destroys critical information infrastructure or otherwise endangers its security, and the act does not constitute a crime, the public security organ shall, in accordance with the relevant provisions of the Cybersecurity Law of the People's Republic of China, confiscate the illegal gains, impose detention of not more than 5 days, and may impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; where the circumstances are more serious, detention of not less than 5 days but not more than 15 days shall be imposed, and a fine of not less than 100,000 yuan but not more than 1,000,000 yuan may be imposed.

Where a unit commits the acts in the preceding paragraph, the public security organ shall confiscate the illegal gains, impose a fine of not less than 100,000 yuan but not more than 1,000,000 yuan, and punish the persons directly in charge and other persons directly responsible in accordance with the preceding paragraph.

Persons who violate Article 5, paragraph 2 or Article 31 of these Regulations and receive public security administrative punishment may not hold key positions in network security management or network operation for five years; persons who receive criminal punishment may not hold key positions in network security management or network operation for life.

Article 44 Where cyberspace administration departments, public security organs, protection departments and other relevant departments and their staff fail to perform their duties of security protection, supervision and administration of critical information infrastructure, or neglect their duties, abuse their power or engage in malpractice for personal gain, the persons directly in charge and other persons directly responsible shall be punished according to law.

Article 45 Where a public security organ, protection department or other relevant department charges fees when carrying out cybersecurity inspections of critical information infrastructure, or requires the unit under inspection to purchase products or services of a designated brand or of a designated production or sales unit, the department at the next higher level shall order it to make corrections and refund the fees charged; where the circumstances are serious, the persons directly in charge and other persons directly responsible shall be sanctioned according to law.

Article 46 Where cyberspace administration departments, public security organs, protection departments and other relevant departments, or cybersecurity service organizations and their staff, use information obtained in the security protection of critical information infrastructure for other purposes, or disclose, sell or illegally provide it to others, the persons directly in charge and other persons directly responsible shall be sanctioned according to law.

Article 47 Where a major or particularly major cybersecurity incident involving critical information infrastructure is determined through investigation to be an incident for which responsibility is attributable, in addition to identifying and investigating the operator's responsibility according to law, the responsibility of the relevant cybersecurity service organizations and relevant departments shall also be identified, and where there are illegal acts such as dereliction of duty or neglect of duty, responsibility shall be investigated according to law.

Article 48 Where operators of critical information infrastructure in the e-government field fail to perform the network security protection obligations provided for in these Regulations, they shall be dealt with in accordance with the relevant provisions of the Cybersecurity Law of the People's Republic of China.

Article 49 Whoever violates these Regulations and causes damage to others shall bear civil liability according to law.

Whoever violates these Regulations and thereby commits an act in violation of public security administration shall be given public security administrative punishment according to law; where a crime is constituted, criminal responsibility shall be investigated according to law.


Chapter VI Supplementary Provisions


Article 50 The security protection of critical information infrastructure that stores or processes state secret information shall also comply with the provisions of laws and administrative regulations on confidentiality.

The use and management of cryptography in critical information infrastructure shall also comply with the provisions of relevant laws and administrative regulations.

Article 51 These Regulations shall come into force on September 1, 2021.

