China Question: Can You Explain China's Cybersecurity Regulatory Framework?

Summary

---

|

• If a company's network facilities and information systems are determined as critical information infrastructure it needs to follow the enhanced protection obligations as required by the Cybersecurity Law.
• China's regulator is revising the Cybersecurity Review Measures to expand the cybersecurity reviews to a broader scope.
• Cybersecurity graded protection scheme standards for the financial and securities industries have been published and financial institutions are required by authorities to implement those standards when building and maintaining their network facilities and information systems.

Since 2016, China has promulgated a series of laws and regulations on cybersecurity and data protection. Three major laws, namely the Cybersecurity Law (CSL) (网络安全法), the Data Security Law (DSL) (数据安全法 ), and the Law on the Protection of Personal Information (PIPL) (个人信息保护法), together with their implementing regulations and rules, constitute the basic regulatory framework of cybersecurity and data protection in China. The framework mainly consists of six major cybersecurity regulatory systems: (i) the protection of the critical information infrastructure; (ii) the cybersecurity review mechanism; (iii) the cybersecurity graded protection scheme; (iv) the regulation on cyber products and services; (v) the protection mechanism of data security; and (vi) the protection of personal information. The basic requirements of these systems that companies operating in China should follow will be discussed.

1 .   The Protection of the Critical Information Infrastructure