CAC Releases Critical Information Infrastructure Protection (CIIP) Measures for Public Comment

On July 11, CAC released the draft Critical Information Infrastructure Protection (CIIP) Regulations for public comments, with a deadline for comments on August 10. The CIIP measures are drafted in accordance with the Cyber Security Law, which devotes an entire section to CII, highlighting the significance the government attaches to its protection and stipulating that CII security protection measures will be developed by the State Council (Article 31). 

The draft regulations mainly adopted the definition of CII in CSL, and defines CII as network facilities and information systems which, once damaged, loss of functions or data is leaked, may endanger national security, national economy and people's livelihood or public interests. Furthermore, a detailed list of key sectors falling into CII was provided, and included "telecommunication networks, broadcasting networks, internet and other information networks, and organizations providing cloud computing, big data and other large-scale public information network services". 

The draft regulations again stipulated that CII is built upon MLPS and will be given enhanced protection and the CII operators are required to follow MLPS' requirement and carry out additional tasks per the mandatory requirements of related laws, regulations and national standards.