Regulations on Levels of Cyber Security Protection (Draft for Solicitation of Comments)

By Marcos Sabio

Last Updated on Nov 27, 2025
Promulgation Authorities: The Ministry of Public Security

Release Date: 2018-06-27

Effective Date: 2018-06-27

Source: https://www.mps.gov.cn/n2254536/n4904355/c6159136/content.html

Original Title: 网络安全等级保护条例(征求意见稿)

Chapter I General Provisions

Article 1 [Legislative Purpose and Basis] The present Regulations are formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Law of the People’s Republic of China on Protecting State Secrets and other applicable laws, for the purposes of strengthening the graded protection for cybersecurity, improving the capacity and level of the protection for cybersecurity, safeguarding cyberspace sovereignty, national security and public interests, protecting the legitimate rights and interests of citizens, legal persons and other organizations, and promoting the sound development of economic and social informatization.

Article 2 [Scope of Application] The present Regulations shall apply to the development, operation, maintenance and use of cyberspace, the graded protection for cybersecurity, as well as the supervision and administration of such protection, within the territory of the People’s Republic of China. The said cyberspace excludes networks set up by individuals and families themselves for personal use.

Article 3 [Establishment of the System] The State adopts the graded protection system for cybersecurity to protect and supervise cyberspaces by grade.

For the purpose of the preceding paragraph, “cyberspace” refers to the system that is constituted by computers or other information terminals and relevant equipment to collect, save, transmit, exchange and process information.

Article 4 [Working Principles] The graded protection for cybersecurity shall be carried out under the principle of stressing key points, proactive prevention and comprehensive controls, so as to establish a sound cybersecurity protection system with the focus to guard the infrastructure security, operation security and data security, for the cyberspace that has a bearing on the national security, national economy and the people’s livelihood and public interests.

Network operators shall design, develop and run safeguards for the purpose of cybersecurity protection, confidentiality and cryptogram protection synchronously when they are building cyberspace.

Secret-involved cyberspace shall, pursuant to confidentiality provisions and standards of the state, be protected and supervised for confidentiality purposes, in consideration of the actual conditions of the system concerned.

Article 5 [Assignment of Responsibilities] The central leading body for cybersecurity and informatization shall lead the graded protection for cybersecurity in a centralized manner, and the national cyberspace administration shall be responsible for the overall planning and coordination of the graded protection for cybersecurity.

The public security department of the State Council shall take charge of the graded protection for cybersecurity, supervise and administer the graded protection for cybersecurity, and organize campaigns according to the law to defend cybersecurity.

The national secrecy administration shall take charge of the graded protection of secret-involved cyberspace, and supervise and administer the secrecy-related graded protection for cybersecurity.

The state cryptogram administration shall take charge of supervising and administering the cryptogram management of the graded protection for cybersecurity.

Other relevant authorities of the State Council shall carry out the graded protection for cybersecurity within the scope of their respective duties in accordance with the provisions of applicable laws and regulations.

Local people’s governments at or above the county level shall carry out the graded protection for cybersecurity in accordance with the present Regulations and applicable laws and regulations.

Article 6 [Responsibilities and Obligations of Network Operators] Network operators shall file the grading of cyberspace for the record, make corrections in respect of the security development, conduct grading assessment and self-inspections, etc. according to the law, and take management and technological measures to ensure the safety of cyber infrastructure, the cyber operation security, data security and information security, effectively deal with cybersecurity incidents and guard against cyberspace-related violations and criminal activities.

Article 7 [Industry Requirements] The competent authority of an industry shall organize and guide the implementation of the graded protection system for cybersecurity within the industry and sector concerned.

Chapter II Support and Guarantee

Article 8 [General Guarantee] The State establishes a sound organization and leadership framework, a technical support framework and a guarantee framework for the graded protection system for cybersecurity.

People’s governments at various levels and competent authorities of related industries shall incorporate the implementation of the graded protection system for cybersecurity into the general planning for informatization, and carry forward its implementation as a whole.

Article 9 [Standard Setting] The State establishes a sound framework of standards for the graded protection for cybersecurity. The standardization body of the State Council and the public security department of the State Council, the national secrecy administration and the state cryptogram administration shall, ex officio, organize efforts in setting national standards and industry standards concerning the graded protection for cybersecurity.

The State supports enterprises, research institutions, institutions of higher education, and network-related industrial organizations in participating in the setting of national standards and industry standards in respect of the graded protection for cybersecurity.

Article 10 [Input and Guarantee] People’s governments at various levels shall advocate and support major projects and programs on the graded protection for cybersecurity, endorse the research, development and application of technologies intended for the graded protection for cybersecurity, and promote safe and reliable cyber products and services.

Article 11 [Technical Support] The State builds a team of experts specialized in the graded protection for cybersecurity, and develops a technical support framework for grading assessment, security development and emergency response, so as to provide support for the graded protection system for cybersecurity.

Article 12 [Performance Assessment] Competent authorities of related industries and people’s governments at various levels shall incorporate performance on the graded protection for cybersecurity into the performance assessment and evaluation, the comprehensive governance assessment for public security, etc.

Article 13 [Publicity, Education and Training] People’s governments at various levels as well as the departments thereof shall reinforce their efforts in publicity and education for the graded protection system for cybersecurity, to raise the awareness of the general public in respect of cybersecurity.

The State encourages and supports enterprises, public institutions, institutions of higher learning and research institutes in carrying out educational and training programs on the graded protection system for cybersecurity, and strengthens the cultivation of management and technical talents for the graded protection for cybersecurity.

Article 14 [Encouragement of Innovations] The State encourages the application of new technologies and applications to the administration and technical defense of the graded protection for cybersecurity, the adoption of technologies such as active defense, reliable computing and artificial intelligence, innovation in technical safeguards concerning cybersecurity, and improvement in the capacity and level of cybersecurity protection.

In terms of new cyber technologies and applications to be promoted, the State will organize the evaluation of cybersecurity risks, to guard against any security risks brought about by these new technologies and applications.

Chapter III Protection for Cybersecurity

Article 15 [Cyberspace Grades] Cyberspaces are graded into five levels for security protection purposes, depending on the importance of the cyberspaces in national security, economic construction and social life, the extent of harm caused to the national security, public order, public interests and the lawful rights and interests of related citizens, legal persons and other organizations when the cyberspace is disrupted or malfunctions or the data is falsified, divulged, lost or destroyed, and other relevant factors:

1. Grade I cyberspace refers to ordinary networks, the disruption of which will lead to harm to the lawful rights and interests of related citizens, legal persons and other organizations, but will not undermine the national security, public order and public interests;

2. Grade II cyberspace refers to ordinary networks, the disruption of which will lead to serious harm to the lawful rights and interests of related citizens, or harm to the public order and public interests, but will not undermine the national security;

3. Grade III cyberspace refers to important networks, the disruption of which will lead to extremely serious harm to the lawful rights and interests of related citizens, or serious harm to the public order and public interests, or harm to the national security;

4. Grade IV cyberspace refers to particularly important networks, the disruption of which will lead to extremely serious harm to the public order and public interests, or serious harm to the national security; and

5. Grade V cyberspace refers to extremely important networks, the disruption of which will lead to particularly serious harm to the national security.

Article 16 [Cyber Grading] A cyber-operator shall determine the grade of security protection for cyberspace, while it is designing and planning such cyberspace.

In the case of any drastic change to cyber functions, scope of services, service receivers, and data processed, the cyber-operator shall change the grade of security protection for the cyberspace according to the law.

Article 17 [Grading Review] The cyber-operator set to be graded at or above Grade II shall organize an expert review; where the operator falls under the jurisdiction of a competent authority of the industry, the operator shall submit the grading result to such competent authority for approval, after the said expert review.

As to a cross-provincial cyberspace or cyberspace uniformly networked and operated nationwide, the competent authority of the industry shall establish the proposed security protection grade and then organize the grading review, in a centralized manner.

The competent authority of the industry may give its guiding opinions on the grading of graded protection for cybersecurity for the industry, based on relevant national standards and in consideration of the characteristics of the cyberspace used in the industry concerned.

Article 18 [Filing of Grading] The operator of a cyberspace at or above Grade II shall file for record with the public security organ at or above the county level, within ten working days of the grading of the protection for cybersecurity.

In the case of an adjustment to the grading of security protection due to the cancelation of or alteration to the cyberspace, the cyber-operator shall, within ten working days, go through formalities with the public security organ with which the grading of security protection has been filed originally, to revoke or upgrade the filing.

Specific measures for record-filing will be developed by the public security department of the State Council.

Article 19 [Record-filing Examination] The public security authorities shall examine materials submitted by a cyber-operator for record-filing purposes. Where the protection for cybersecurity is graded appropriately and the record-filing materials provided meet the relevant requirements, the public security authorities shall issue the record-filing certificate for the graded protection for cybersecurity within ten working days.

Article 20 [General Security Protection Obligation] A cyber-operator shall fulfill the following security protection obligations according to the law to safeguard cyberspace and information security:

1. Designate an individual responsible for work on the graded protection for cybersecurity, establish a responsibility system for the graded protection for cybersecurity, and implement the accountability system;

2. Establish a system for security management and technological protection, as well as systems with respect to personnel management, educational training, system security development, system security maintenance, etc.;

3. Put in place systems in respect of computer room security management, equipment and medium security management, cybersecurity management, etc., and lay down operating procedures and work flows;

4. Adopt management and technical measures for identity identification, prevent the infection and transmission of malware and guard against cyber-attacks;

5. Adopt management and technical measures to monitor and record the cyber operating status, cybersecurity events, unlawful and criminal activities, and save, as required to do so, relevant cyber logs for the past six months or longer which could be used to trace online violations and offenses;

6. Implement measures such as data classification, and back-up and encryption of important data;

7. Collect, use and process personal information according to the law, put in place safeguards to ensure the protection of personal information, and prevent personal information from being divulged, destroyed, falsified, stolen, lost or abused;

8. Carry out measures designed to detect, block or eliminate illegal information, and adopt approaches to prevent illegal information from being spread to a wide extent and evidence for violations and offences from being destroyed or lost;

9. Fulfill duties with respect to networking record-filing and verification of users’ real identification;

10. Report any online events within 24 hours to the local public security organ with the jurisdiction; in the case of divulging state secrets, report it to the local secrecy administration with jurisdiction as well; and

11. Other cybersecurity protection obligations specified in laws and administrative regulations.

Article 21 [Special Security Protection Obligations] The operator of a cyberspace at or above Grade III shall fulfill other security protection obligations, in addition to the cybersecurity protection obligations specified in Article 20 hereof:

1. Designate the cybersecurity management body, clarify the responsibilities concerning the graded protection for cybersecurity, and form a level-by-level examination system for certain matters, such as network alteration, network access, and change of the entity offering operating maintenance and technical safeguards;

2. Prepare and implement the master plan for cybersecurity and strategies for overall security protection, lay down the security development plan, and have them reviewed and approved by professional technicians;

3. Investigate the security background of the head in charge of the cybersecurity management and individuals in key positions, and implement the system of taking up the post with the required certificates;

4. Conduct security management of agencies and individuals that provide it with the design, development, operating maintenance and technical services for cyberspace;

5. Take precautionary actions to monitor and detect cybersecurity trends, develop a cybersecurity protection management platform, dynamically monitor and analyze the cyber operating status, network traffic, user behaviors, cybersecurity events, etc., and establish a connection with the public security organ at the same level;

6. Implement redundancy, back-up and recovery measures for important network equipment, communications links and systems;

7. Set up the cybersecurity grade assessment system, periodically assess the grade of cybersecurity, and report to the public security organ and other related departments the assessment result, what corrective actions have been taken to enhance security, and the rectification results; and

8. Other cybersecurity protection obligations specified in laws and administrative regulations.

Article 22 [Online Test] A newly developed Grade II cyberspace shall be tested online for its security under the applicable standards concerning the graded protection for cybersecurity, prior to its online operation.

A newly developed Grade III cyberspace shall be assessed by an entrusted cybersecurity grade assessment agency under the applicable standards concerning the graded protection for cybersecurity to look into its security grade, and it may not be put into operation until it successfully passes the grade assessment.

Article 23 [Grade Assessment] The operator of a cyberspace at or above Grade III shall conduct an annual assessment on the grade of cybersecurity, detect and take corrective measures to eliminate hidden security risks, and annually report to the public security authorities where the cyberspace is filed for the record its efforts in cybersecurity grade assessment and the assessment results.

Article 24 [Corrective Actions to Improve Security] A cyber-operator shall work out a plan of corrective actions to eliminate hidden security risks detected in a grade assessment, and carry out these corrective actions to estimate hidden risks.

Article 25 [Self-inspection] A cyber-operator shall conduct a self-inspection at least once a year to look into its efforts in implementing the graded protection system for cybersecurity and the cybersecurity status, take corrective measures immediately to eliminate hidden security risks if any, and report the same to the public security authorities where its cyberspace is filed for the record.

Article 26 [Safety Management of Assessment Activities] A cybersecurity grade assessment agency shall provide cyber-operators with safe, objective and impartial grade assessment services.

A cybersecurity grade assessment agency shall enter into a service agreement with each cyber-operator, offer safety and secrecy education to assessors, require each assessor to sign a safety and secrecy liability statement specifying assessors’ safety and secrecy obligations and legal liability, and arrange for assessors to attend professional training courses.

Article 27 [Requirements for Cyber Service Agencies] To provide cyber services for cyberspace at or above Grade III, ranging from cyber development, operating maintenance, and security monitoring, to data analysis, a cyber-service provider shall meet the requirements specified in applicable laws, regulations and technical standards of the country.

Cybersecurity grade assessment agencies and other cyber-service providers shall keep state secrets, personal information and important data they have accessed while offering services confidential. They shall not illegally use, or publish or disclose without approval, data information, and other information about cybersecurity, such as system bugs, malware and cyber-attacks, they have collected or accessed while offering services.

Article 28 [Safety Requirements on the Procurement and Utilization of Products and Services] A cyber-operator shall purchase and employ cyber products and services that satisfy the requirements specified in laws, regulations and applicable standards of the country.

The operator of a cyberspace at or above Grade III shall select cyber products and services commensurate to its security protection grade; for cyber products to be applied in important components, it shall commission a professional testing agency to perform particular tests to assess such products, and select eligible cyber products according to the testing results; cyber products and services to be purchased shall undergo the national security reviews organized by the state cyberspace administration in concert with related departments of the State Council, if such products and services may have an impact on the national security.

Article 29 [Technical Maintenance Requirements] Cyberspace at or above Grade III shall be technically maintained within the territory of China, and remote technical maintenance from overseas is prohibited. Where it is indeed necessary to have cyberspace technically maintained remotely from overseas due to business needs, it is required to assess the cybersecurity and take necessary measures to manage and control risks. Technical maintenance shall be recorded and the technical maintenance logs shall be kept and provided when the public security authority conducts inspections.

Article 30 [Monitoring, Pre-warning and Information Circulation] The people’s government at or above the prefecture level shall establish a system of monitoring, pre-warning and information circulation for cybersecurity, and work on monitoring security, understanding security situations, circulating information, issuing early warnings, etc.

The operator of a cyberspace at or above Grade III shall establish and improve its system of monitoring, pre-warning and information circulation for cybersecurity, and submit information on the monitoring and early-warning of cybersecurity and report cybersecurity incidents to the public security authority at the same level as required. Where there is an applicable competent authority of the industry concerned, the operator shall submit the said information and report such events to the competent authority as well.

The competent authority of the industry concerned shall establish and improve its system of monitoring, pre-warning and information circulation for cybersecurity for this industry or sector, and submit information on the monitoring and early-warning of cybersecurity and report cybersecurity incidents to the cyberspace administration and the public security organ at the same level as required.

Article 31 [Security Protection of Data and Information] A cyber-operator shall establish and implement the security protection system for important data and personal information, take safeguards to ensure the security of data and information when it is collected, stored, transmitted, used, supplied and destroyed, and adopt technical measures concerning the backup and recovery in a different place to ensure the completeness, confidentiality and availability of important data.

Without permission or authorization, no cyber-operator may collect any data and personal information unrelated to the services it offers, collect, use or process any data and personal information in violation of the provisions of laws and administrative regulations or contrary to the agreement reached with users, divulge, falsify or destroy the data and personal information it has collected, or access, use or provide data and personal information without authorization.

Article 32 [Emergency Response Requirements] The operator of a cyberspace at or above Grade III shall, in accordance with applicable provisions of the country, prepare a cybersecurity emergency response plan, and regularly carry out cybersecurity emergency response drills.

In dealing with a cybersecurity incident, the cyber-operator shall preserve the scene, record and save relevant data and information, and report on such event in a timely manner to the public security organ and the competent authority of the industry concerned.

The public security authority and the competent authority of the industry concerned shall report on the response to serious cybersecurity incidents to the cyberspace administration at the same level.

In the case of a serious cybersecurity incident, related authorities shall take joint actions to deal with such incident according to the cybersecurity emergency response plan. Telecommunications business operators and internet service providers shall offer support to and assistance in dealing with serious cybersecurity incidents and recovering the cyberspace.

Article 33 [Audit and Examination Requirements] For a cyber-operator that develops, operates, maintains and uses cyberspace and carries out business activities that require administrative permits for the general public, the relevant competent authority shall incorporate its efforts in implementing the graded protection system for cybersecurity into the range of items to be audited and examined.

Article 34 [Risk Management and Control over New Technologies and New Applications] A cyber-operator shall, in accordance with the graded protection system for cybersecurity, adopt measures to manage and control security risks caused by novel technologies and new applications, including cloud computing, big data, artificial intelligence, internet of things, project control systems and mobile internet, and estimate hidden security dangers.

Chapter IV Security Protection of Secret-involved Cyberspace

Article 35 [Grade Protection] Secret-involved cyberspace is classified into three levels: topmost confidential, confidential and secret, depending on the highest level of secrecy of the state secrets stored, processed and transmitted by the cyberspace.

Article 36 [Cyber Grading] The operator of secret-involved cyberspace shall determine the level of secrecy of such secret-involved cyberspace according to the law, have the level of secrecy reviewed by its secrecy committee (or leading group), and file the level of secrecy for the record with the secrecy administration at the same level.

Article 37 [Review and Discussion of the Plan] In planning and developing a secret-involved cyberspace, the operator shall, in accordance with the secrecy provisions and standards of the country, work out a graded protection plan, and take technological and management measures, such as identifying the identification, having access control, conducting security audits, protecting cyber border security, managing and controlling circulation of information, taking precautions against electromagnetic compromising emanations, preventing against viruses, protecting cryptograms and supervising the secrecy.

Article 38 [Development Management] Where the operator of secret-involved cyberspace intends to commission another entity to develop the secret-involved cyberspace, it shall select an entity qualified for the integration of secret-involved information systems, enter into a non-disclosure agreement with the entity undertaking such development to specify its non-disclosure obligations and take non-disclosure measures.

Article 39 [Management of Information Equipment and Security and Confidentiality Products] Information equipment applied by a secret-involved cyberspace shall be selected from the catalog of information equipment exclusively used for secret-involved cyberspace as issued by the relevant competent authority of the country; where relevant equipment is not specified in the said catalog, it shall be selected from the government procurement catalog. Where it is truly necessary to select imported products, it is required to conduct tests for security and confidentiality purposes.

The operator of secret-involved cyberspace shall not opt for any products prohibited by the state secrecy administration or by the competent authority of government procurement.

Security and confidentiality products used in secret-involved cyberspace shall pass the tests set by the testing institution established by the state secrecy administration. Anti-computer-virus products shall be reliable products with the sale permit for products exclusively used for the sake of the security of computer information systems, and cryptogram products shall be those approved by the state cryptogram administration.

Article 40 [Testing, Examination and Risk Assessment] Secret-involved cyberspace shall be tested and evaluated by the secrecy testing institution established or licensed by the state secrecy administration, and prove to be qualified under the examination of the secrecy administration of a city with districts, before being put into use.

After secret-involved cyberspace has been put into use, the operator shall periodically inspect the security and confidentiality and assess the risks itself, and conduct the risk assessment for security and confidentiality purposes organized by the secrecy administration. Such inspection and assessment shall be performed at least once a year for topmost confidential cyberspace, and at least once every two years for confidential cyberspace and for secret cyberspace.

For the management of the operation of the secret-involved cyberspace of public security authorities and national security authorities, relevant provisions developed by the state secrecy administration in concert with the relevant public security organ and the national security organ shall apply.

Article 41 [General Requirements on Secret-involved Cyber Use Management] The operator of secret-involved cyberspace shall establish a security and confidentiality management system, set up a corresponding management body, staff itself with management personnel for security and confidentiality, and fulfill its security and confidentiality responsibilities.

Article 42 [Pre-warning and Reporting Requirements for Secret-involved Cyberspace] The operator of secret-involved cyberspace shall establish a sound monitoring and pre-warning system for the security and confidentiality of secret-involved cyberspace and the information circulation system for secret-involved cyberspace; for any potential security risks detected, the said operator shall take immediate emergency responses and report the same to the secrecy administration.

Article 43 [Responses to Drastic Changes to Secret-involved Cyberspace] Under any of the following circumstances, the operator of secret-involved cyberspace shall report the same in a timely manner to the secrecy administration and take corresponding measures, in accordance with the secrecy provisions of the state:

1. the secrecy level is changed;

2. the access scope and the quantity of terminals in practice exceed the scope and quantity approved in the examination;

3. changes to the physical environment of the cyberspace or to the security and confidentiality facilities are likely to give rise to other security and confidentiality risks; or

4. a new application system is introduced, or changes to or the reduction of application systems may result in other security and confidentiality risks.

In the case of any of the above circumstances, the secrecy administration shall decide in a timely manner whether to test, evaluate and examine the secret-involved cyberspace again.

Article 44 [Handling of Scrapped Secret-involved Cyberspace] Where a secret-involved cyberspace will no longer be used, the operator of the secret-involved cyberspace shall report the same to the secrecy administration in a timely manner, and deal with the secret-involved information equipment, products and secret-involved mediums in accordance with the secrecy provisions and standards of the state.

Chapter V Cryptogram Management

Article 45 [Formulation of Cryptogram Requirements] The state cryptogram administration will determine the security assessment requirements for the allocation, use, management and application of cryptography, and formulate the cryptogram standards for the graded protection for cybersecurity, depending on the grade of cybersecurity protection, the secrecy level of the secret-involved cyberspace and the grade of the secret-involved cyber protection.

Article 46 [Cryptogram Protection for Secret-involved Cyberspace] Secret-involved cyberspace and the national classified information transmitted through such cyberspace shall be protected via cryptography according to the law.

Cryptogram products shall be approved by the cryptogram administration, and products applying cryptogram technologies, such as software systems and hardware equipment, shall pass the cryptogram tests.

The testing, installation, procurement and use of cryptography shall be managed by the cryptogram administration in a centralized manner; the system design, operating maintenance, routine management and cryptogram evaluation shall be subject to applicable national regulations and standards concerning cryptogram management.

Article 47 [Cryptogram Protection of Non-secret-involved Cyberspace] For a non-secret-involved cyberspace, cryptogram technologies, products and services shall be utilized in accordance with national laws, regulations and standards concerning cryptogram management. Cyberspaces at or above Grade III shall be protected via cryptography, and be developed with cryptogram technologies, products and services recognized by the state cryptogram administration.

The operator of a cyberspace at or above Grade III shall, at stages of cyber planning, development and operation, commission a cryptography application security assessment agency to look into the security of cryptography application, in accordance with the administrative measures and standards concerning cryptography application security assessment. Cyberspace may not be released and put into operation until it has passed the assessment, and the assessment shall be conducted at least once a year after the cyberspace has been put into operation. The cryptography application security assessment results shall be filed for the record with the public security organ where the cyberspace is filed for the record and the local cryptogram administration of the city with districts.

Article 48 [Cryptography Security Management Responsibilities] Cyber operators shall perform duties of cryptography security management, strengthen the development of the cryptography security system, improve measures to manage cryptography security, and standardize the cryptography use, pursuant to national regulations on cryptography management and relevant management requirements.

No entity or individual may make use of cryptography to engage in any activities to undermine the national security or public interests or in other illegal or criminal activities.

Chapter VI Supervision and Administration

Article 49 [Supervision and Administration of Security] Public security authorities at or above the county level shall supervise and administer the efforts of cyber-operators in implementing the graded protection system for cybersecurity, protecting cybersecurity, responding to cybersecurity emergencies and ensuring the cybersecurity of major activities, in accordance with national laws and regulations and requirements in applicable standards; and focus on supervising and administering the efforts of operators of cyberspaces at or above Grade III in fulfilling their duties and obligations of protecting cyber infrastructure security, cyber operating security and data security under the graded protection system for cybersecurity.

Public security authorities at or above the county level shall supervise, inspect and guide the efforts of the competent authority of the concerned industries at the same level in organizing and urging the implementation of the graded protection system for cybersecurity in the industries or sectors concerned, protecting cybersecurity, responding to cybersecurity emergencies and ensuring the cybersecurity of major activities, in line with national laws and regulations and requirements in applicable standards.

Public security authorities at or above the prefecture level shall annually notify the cyberspace administrations at the same level of work on the graded protection for cybersecurity.

Article 50 [Security Check] Public security authorities at or above the county level shall supervise and inspect the efforts of cyber-operators in the following cybersecurity work:

1. Precautions to safeguard the routine cybersecurity;

2. Corrective actions taken to rule out major hidden cybersecurity risks;

3. Responses to major cybersecurity events and the recovery of the cyberspace;

4. Implementation of efforts made in ensuring the cybersecurity of major activities;

5. Other work on cybersecurity protection.

Public security authorities shall carry out a security check at least once a year of each operator of a cyberspace at or above Grade III. Where another industry is involved, it may carry out the security check in concert with the competent authority of the industry concerned. When necessary, the public security authorities may entrust social forces to provide technical support.

Cyber operators shall assist in and cooperate with the supervisory checks legally carried out by public security authorities, and provide relevant truthful data and information as required by the public security authorities.

Article 51 [Check Response] Where public security authorities find out any hidden cybersecurity risks in the supervisory inspection, they shall order the cyber-operator in question to take measures to eliminate such risks immediately; where it is impossible to eliminate such risks immediately, the cyber-operator in question shall be ordered to make corrections within a specified time limit.

Where public security authorities find that a cyberspace at or above Grade III is involved in serious hidden security risks, they shall inform the competent authority of the industry concerned as well as the cyberspace administration at the same level of the said risks in a timely manner.

Article 52 [Responses to Serious Risks] Where public security authorities find out in a supervisory inspection any serious hidden cybersecurity risks in an important industry or in the local region that pose a serious threat to the national security, public security or public interests, they shall report the same to the people’s government and the cyberspace administration at the same level and the superior public security authority.

Article 53 [Regulation of Assessment Agencies and Security Building Agencies] The State subjects cybersecurity grade assessment agencies and security development agencies to administration by the recommendation catalog, and guides cybersecurity grade assessment agencies and security development agencies to establish their industry self-regulation organization, develop industry self-regulation rules and strengthen self-regulation management.

Specific administrative measures for security grade assessment agencies and security development agencies for non-secret-involved cyberspaces will be developed by the public security department of the State Council, while administrative measures for secrecy science and technology assessment agencies will be formulated by the state secrecy administration.

Article 54 [Management of Key Personnel] Individuals in key posts of the operator of a cyberspace at or above Grade III, and individuals offering security services for cyberspaces at or above Grade III, shall not participate without prior approval in cyber-attack and defense activities organized abroad.

Article 55 [Incident Investigations] Public security authorities shall, in accordance with applicable rules, deal with cybersecurity incidents, launch investigations into incidents, determine the liability for incidents and crack down on illegal and criminal activities that damage cybersecurity. When necessary, they may order a cyber-operator concerned to take urgent measures to block information transmission, temporarily shut down the network, back up relevant data, etc.

The cyber-operator concerned shall cooperate with and support the efforts of public security authorities and related departments to investigate into and handle cybersecurity incidents.

Article 56 [Network Shutdown Measures in Urgent Situations] Where hidden security risks facing cyberspace pose a serious threat to the national security, public order or public interests, public security authorities may, in an emergency, order disconnection of the cyberspace and shutdown of the server for rectification purposes.

Article 57 [Supervision and Administration of Secrecy] The secrecy administration takes charge of supervising and administering the security protection of secret-involved cyberspace and regulating the disclosure and leaks for non-secret-involved cyberspace. It shall deal with any hidden security danger, the violation of secrecy-related laws and regulations, or the behavior of keeping something secret which is unnecessary under the secrecy standards, in accordance with the Law of the People’s Republic of China on Protecting State Secrets and relevant secrecy provisions of the state.

Article 58 [Supervision and Administration of Cryptogram] The cryptogram administration takes charge of supervising and administering the cryptogram management in the graded protection for cybersecurity, and supervising and inspecting the efforts of cyber-operators in allocating, using and managing cryptography of cyberspace and evaluating cryptograms. The supervisory inspection shall be conducted at least once every two years for important secret-involved information systems. Where the supervisory check uncovers a hidden security danger, or the violation of provisions concerning cryptogram management, or the failure to meet relevant standards on cryptography, the problematic situation shall be handled according to relevant national provisions concerning cryptogram management.

Article 59 [Industry Supervision and Administration] The competent authority of an industry shall organize the formulation of the work plan and standards for the graded protection for cybersecurity in the industry or the sector, know well the basic situations of cyberspace, record-filing of the grade and security protection status, and supervise and administer cyber-operators in such industry or sector in filing a record for cyber grading, assessing the grade, taking corrective actions to build security and conducting self-security checks.

The competent authority of an industry shall supervise and administer the efforts of cyber-operators in the industry or sector in taking management and technical safeguards for cybersecurity, taking precautions to ensure cybersecurity, responding to cybersecurity emergencies, and safeguarding the cybersecurity of major activities.

Article 60 [Supervisory and Administrative Responsibilities] The regulatory body in charge of the graded protection for cybersecurity as well as its staff members shall strictly maintain the confidentiality of state secrets, personal information and important data known through fulfilling their duties, and shall not divulge, sell or illegally provide the same to others.

Article 61 [Assistance in Law Enforcement] Cyber operators and technical support entities shall provide support and assistance to public security authorities and state security authorities in lawfully safeguarding national security and investigating crimes.

Article 62 [Interview System for Cybersecurity] The public security organ, the secrecy administration and the cryptogram administration of a people’s government at or above the provincial level may hold an interview with the legal representative or the head of a cyber-operator and the competent authority of the industry concerned, upon discovery of relatively major hidden security risks on the cyberspace or occurrence of a cybersecurity incident, while they fulfil their supervisory and administrative duties for the graded protection for cybersecurity.

Chapter VII Legal Liability

Article 63 [Violation of Security Protection Obligations] Where a cyber-operator fails to perform the cybersecurity protection obligations prescribed in Article 16, Paragraph 1 of Article 17, Paragraph 1 and Paragraph 2 of Article 18, Article 20, Paragraph 1 of Article 22, Article 24, Article 25, Paragraph 1 of Article 28, Paragraph 1 of Article 31, or Paragraph 2 of Article 32 hereof, the public security organ concerned shall order it to make corrections and penalize it in accordance with the provisions of Paragraph 1 of Article 59 of the Cyberspace Security Law of the People’s Republic of China.

Where the operator of a cyberspace at or above Grade III violates the provisions in Article 21, Paragraph 2 of Article 22, Article 23, Paragraph 2 of Article 28, Paragraph 2 of Article 30 or Paragraph 1 of Article 32 hereof, it shall be punished more heavily under the provisions of the preceding paragraph.

Article 64 [Violation of Technical Maintenance Requirements] Where a cyber-operator violates the provisions of Article 29 hereof by having cyberspace at or above Grade III technically maintained remotely from overseas, or by failing to assess the cybersecurity, take measures to manage and control risks, or create and keep technical maintenance logs, the public security organ and the competent authority of the industry concerned shall order the cyber-operator to make rectification according to their respective duties and penalize the cyber-operator in accordance with Paragraph 1 of Article 59 of the Cyberspace Security Law of the People’s Republic of China.

Article 65 [Violation of the Requirements on Ensuring Data Security and Protecting Personal Information] Where a cyber-operator violates Paragraph 2 of Article 31 hereof by collecting, using or providing data or personal information without approval, the cyberspace administration and the public security authority concerned shall order the cyber-operator to make rectification according to their respective duties and penalize it in accordance with Paragraph 1 of Article 64 of the Cyberspace Security Law of the People’s Republic of China.

Article 66 [Cybersecurity Service Duties] In the case of violation of the provisions of Paragraph 3 of Article 26 or Paragraph 2 of Article 27 hereof, the public security authority concerned shall order rectification, and subject the violator to a warning, confiscation of illegal gains, or a fine of no less than one but no more than ten times the illegal gains, or a combination thereof as the case may be; where there is no illegal gain, a fine of no more than 1 million yuan shall be imposed; and a fine of no less than 10,000 yuan but no more than 100,000 yuan shall be imposed on the persons directly in charge and other directly liable persons. Where the circumstances are serious, they shall be ordered to suspend the relevant business or stop the business for rectification, and, at worst, the authority issuing permits or licenses will be notified to revoke the relevant business permits or their business licenses.

In the case of violation of Paragraph 2 of Article 27 to divulge, illegally sell or provide others with personal information, the violator shall be punished in accordance with the provisions of Paragraph 2 of Article 64 of the Cyberspace Security Law of the People’s Republic of China.

Article 67 [Violation of Assisting Obligations in Law Enforcement] Where a cyber-operator violates the provisions hereof by any of the following acts, the public security organ, the secrecy administration, the cryptogram administration, the competent authority of the industry concerned and related departments shall order rectification according to their respective duties; where the operator refuses to make corrections or the violation is serious, it shall be punished in accordance with Article 69 of the Cyberspace Security Law of the People’s Republic of China:

1. Refusing or impeding the supervision and detection implemented by the relevant authorities according to the law;

2. Refusing to provide truthful data and information on cybersecurity protection;

3. Refusing to comply with the unified command and scheduling of relevant competent authorities during emergency responses;

4. Refusing to provide technical support and assistance to public security authorities and state security authorities; or

5. Telecommunications business operators and internet service providers failing to offer support to and assistance in dealing with serious cybersecurity events and recovering the cyberspace, as required under the present Regulations.

Article 68 [Violation of Secrecy and Cryptogram Management Duties] In the case of violation of the administrative provisions concerning secrecy or cryptogram hereof, the secrecy administration or the cryptogram administration shall order rectification according to their respective duties; in the case of refusal to make corrections, they shall give a warning, notify the superior competent authority of such refusal, and suggest taking disciplinary actions against the heads and other individuals held liable.

Article 69 [Malpractice Liability of Regulators] Where the cyberspace administration, the public security authority, the state secrecy administration, the cryptogram administration or the competent authority of the industry concerned, as well as the functionaries thereof, commits any of the following acts, disciplinary measures shall be taken against the head directly in charge of the authority and other individuals directly held liable, or relevant functionaries:

1. Neglect of duties, abuse of power, or playing favoritism to seek personal gains;

2. Divulging, selling or illegally providing the state secrets, personal information or important data they have accessed while performing their duties in supervising the graded protection for cybersecurity; or using the information they have obtained for other purposes.

Article 70 [Concurrence of Applicable Laws] Where any violation of the present Regulations constitutes a violation of the public security administration regulations, the public security organ shall impose the public security administrative punishment; if the violation constitutes a crime, the violator shall be subject to criminal liability in accordance with the law.

Chapter VIII Supplementary Provisions

Article 71 [Explanations of Terms] For the purpose of the present Regulations, “within” and “more than or over” shall include the given figures; and “the competent authority of the industry concerned” shall include the industry regulatory authority.

Article 72 [Army] The graded protection for cybersecurity for the army shall be subject to relevant regulations for the army.

Article 73 [Effective Date] The present Regulations shall come into force as of MM/DD/YY.