China’s top executive body published a new regulation to protect critical information infrastructure on Tuesday, which is likely to bring stricter cybersecurity oversight to companies in a wide range of sectors, including tech. 

Why it matters: In July, regulators initiated one of the nation’s first cybersecurity reviews of ride-hailing giant Didi, citing regulations indicating Didi was treated as a critical information infrastructure operator. The new regulation provides detailed definitions of what would qualify as critical information infrastructure (CII), and the responsibility and obligations of businesses treated as critical information infrastructure operators (CIIOs). 

  • Chinese tech companies need to know whether they are CIIOs, said Calvin Peng, a senior partner at Jincheng Tongda & Neal law firm. Companies classified as CIIOs should expect much stricter regulatory oversight, especially regarding national security matters, Peng added. 
  • Companies have little say when it comes to deciding whether they would qualify as CIIOs, Peng said. Peng’s law firm has seen some regional Chinese government agencies start reviewing companies to determine if there are CIIOs in their region as early as June 2019. 

Details: The regulation defines critical information infrastructure as essential network facilities and information systems used in industries such as public communication, information services, energy, transportation, water conservancy, finance, public services, e-government, national defense science and technology, as well as other industries that would seriously endanger national security and public interests if their data was leaked or the systems get damaged. 

  • The central government “attaches great importance to the protection of critical information infrastructure,” Chinese government agencies said in a press conference (in Chinese) on Tuesday. “Critical information infrastructure is the central nervous system of economic and social operations, and it is the top priority of network security,” it said (our translation).
  • CIIOs must conduct security examinations and risk assessments every year, said the regulation published (in Chinese) on Tuesday. Peng said companies that may not be classed as CIIOs at first could be classified later on as their businesses expand and change. 
  • Companies should prioritize purchasing “secure and reliable network products and services,” said the regulation. Operators need to pass a cybersecurity review before they buy any network products and services that could affect national security, it said.
  • The regulation takes effect on Sept. 1.

Context: The regulation comes as Beijing pushes to protect critical data and develop a new economy driven by government-led data exchanges and data marketplaces. The nation has set up multiple “data exchanges” to trade data ranging from a collection of adult faces intended for AI training to voice data collected from mobile phones, TechNode recently reported.

  • The country in June passed a comprehensive Data Security Law, stipulating how data can be used, collected, protected, and developed in China. The law, as well as the regulation, will take effect on Sept. 1.

Wei Sheng

Wei Sheng is a Beijing-based reporter covering hardware, smartphone, and telecommunications, along with regulations and policies related to the China tech scene. He writes a monthly newsletter tracking...

Qin Chen

Qin is a News Editor at TechNode. Previously, she was a reporter at Inkstone, a China-focused news site owned by the South China Morning Post. Before that, she worked in the United States for five years....