Second Draft of the Cyber Security Law Open for Comment

On July 5, the National People's Congress (NPC) released the Cyber Security Law (Draft for Second Review) for public comments on its official website, with a deadline for comments on August 4. Compared to the first draft, which was out for comment in July 2015,  this updated draft includes some major changes as follows:

  • Raises the importance of national cybersecurity strategy (Art. 4) and the protection of critical information infrastructure (Art. 5)
  • Calls to strengthen control on internet use to "promote socialism core values" and ensure political stability (Art. 6, 12, 67)
  • Clarifies cyber operators' accountability (Art. 9), including setting up internet logs that go no shorter than 6 months (Art. 20) and cooperation to law inspection and enforcement (Art. 47)
  • Coordinates promotion of both cybersecurity and development through cybersecurity management innovation, including promoting "secure and trusted" cyber products and services (Art. 15); encourages enterprises and agencies to conduct cybersecurity certification, testing and risk evaluation services (Art. 16); develop new cyber technologies, such as data use and security protection technologies, and improve cybersecurity protection (Art. 17); increase big data application while requiring anonymized personal information and further clarify the rules of personal data use (Art. 41).
  • Implements real-name registration for instant messaging services and national cyber trusted identity strategy (Art. 23)
  • Regulates cybersecurity information disclosure, especially system vulnerabilities, computer virus, cyber attacks, cyber intrusion, among others (Art. 25)
  • Places additional protection of critical information infrastructure on top of the Cybersecurity Multi-Level Protection Scheme (MLPS), with "detailed scope and security protection method to be drafted by the State Council" (Art. 29)
  • Expands the scope of data localization requirement on critical information infrastructure (CII) operations to "personal and important commercial information collected or generated in China" (Art. 35)
  • Encourages non-CII network operators to voluntarily adopt CIIP system (Art. 29), and at the same time constrains government use of cybersecurity information shared by companies or obtained by CIIP enforcement to cybersecurity maintenance only (Art. 38) for the purpose of protecting information.
  • Introduces verbal warning (Art. 54), credit downgrading (Art. 68) as well as criminal law concepts including "employment prohibition" (Art. 61) as punishment for cyber operators who threaten or damage cybersecurity.


USITO has shared an unofficial translation of the draft law with members, and is seeking members' initial comments by July 20.