On 22 April, the National People's Congress of the People's Republic of China reaffirmed that cyber security remains part of its legislative plan, which indicates that China's Cyber Security Law (CSL) may be passed within the year. It is therefore a good moment to cover the topic of "Key Information Infrastructure Operators" (KIIO) under the CSL and their obligations. First of all, it is necessary to understand that KIIO are a special category of network operators, which Article 65 of the CSL defines as "[...] owners, administrators of network and network service providers who provide relevant services through using the network owned or administered by others, including basic telecom operators, network information service providers, operators of important information systems, etc." As such, KIIO must comply with the obligations applying to all network operators while also complying with their own specific obligations.
Understanding the concept of key information infrastructure operators
Because it determines which obligations bind which stakeholders, the definition of key information infrastructure operators is one of the main challenges of the regulation. First of all, KIIO are divided into two branches: information networks operating in public service fields, and basic information networks providing certain types of services (Article 25):
Information networks operating in public service fields:
Information networks providing certain types of services:
The list of KIIO is vast in itself and will be difficult to interpret because of vague terms such as "important information systems," which the CSL does not clearly define. As a result, doubt will remain until there is a revision of the text or a legal interpretation from a Chinese court. We therefore strongly recommend that network operators providing services to key sectors remain alert until a clear definition is reached.
The relevant obligations on the KIIO:
Once tagged as KIIO, network operators will have to comply with a supplementary set of rules issued by the state (Article 25) and by the "relevant departments in charge [...] under the State Council" (Article 26), in order to ensure that "the key information infrastructure has properties for supporting the stable and continuous operation of the business, and that technical security measures are planned, established and used concurrently" (Article 27). While the specific regulations and policies of the relevant departments remain to be defined, Article 28 of the CSL already sets out the following obligations:
- Set up specialized security management institutions and persons responsible for security management, and conduct a security background review on the said responsible persons and personnel on key positions;
- Periodically conduct cyber security education, technical training and skill assessment for employees;
- Make disaster recovery backups of important systems and databases;
- Formulate contingency plans for cyber security incidents, and periodically organize drills, and
- Other duties specified in laws and administrative regulations.
Although these obligations may look significant for KIIO, they are largely standard practice for any company that wants to maintain a secure environment. By appointing a data-privacy professional and making that person responsible for staff training, a company can satisfy the first, second and fourth obligations. As for the third obligation, any company running a decent backup system should already comply. It is important to stress, however, that backups must be isolated from the production network so that they survive a compromise, in particular a ransomware attack. With the rise of ransomware such as TeslaCrypt, delivered through exploit kits against healthcare institutions in the U.S., it is only a matter of time before such programs reach China.
The officers appointed under Article 28.1 should also be entrusted with the obligation set by Article 29 to oversee the purchase of network products and services and to ensure that security and confidentiality agreements between the parties are properly drafted. This requires those officers to have a solid general and specialised legal background. With a strong technical background as well, they could also take charge of the education and drills required by Article 32, reducing the need for third parties. A corollary to Article 29 is Article 30, which requires KIIO and their suppliers to undergo a security review organised by the cyberspace administration authorities when the network products or services may affect national security. Little is known about this review, but it may involve an analysis of the software's source code or close scrutiny of the service in order to achieve compliance.
Finally, the obligation set by Article 31 will greatly affect Chinese KIIO, and cloud services in particular, as it requires KIIO to "store citizens' personal information and other important data gathered and produced during operations within the territory of the People's Republic of China." Without a clear definition of "important data," the relevant stakeholders can only speculate that the range of protected data will be broad, which could lead to conflicts of laws for KIIO handling personal information from foreign countries, since data flows would be restricted by law to a single direction. Telecoms and the media industry will be affected in the same way.
What to expect from the CSL
The CSL is without doubt a game changer that will greatly affect the cyber industry at every level in China. The KIIO concerned will have to overhaul their cyber-protection substantially to reach a satisfactory level of security, while also handling personal data more carefully. The good news is that by complying with the CSL, Chinese KIIO should be able to ensure a higher level of protection for their users, which would help avoid the costs resulting from data breaches.
A higher level of protection is also good news for Chinese KIIO wishing to comply with foreign data-privacy regulations, as most provisions abroad, such as the US and EU regulations, require the relevant stakeholders to provide a high level of protection to their users.