On June 27, 2018, China’s Ministry of Public Security (“MPS”) released for public comment a draft of the Regulations on Cybersecurity Multi-level Protection Scheme (“the Draft Regulation”). The highly anticipated Draft Regulation sets out the details of an updated Multi-level Protection Scheme, whereby network operators (defined below) are required to comply with different levels of protections according to the level of risk involved with their networks. The comment period ends on July 27, 2018.

China’s Cybersecurity Law (“CSL”), which took effect on June 1, 2017, requires the government to implement a Multi-level Protection Scheme (“MLPS”) for cybersecurity (Article 21). The Draft Regulation, a binding regulation once finalized, echoes this requirement and provides guidance for network operators to comply with the Cybersecurity Law.

The Draft Regulation updates the existing MLPS, which is a framework dating back to 2007 that classifies information systems physically located in China according to their relative impact on national security, social order, and economic interests if the system is damaged or attacked. The classification levels range from one to five, one being the least critical and five being the most critical. Information systems that are classified (initially self-assessed and proposed by operators and then confirmed by MPS) at level 3 or above are subject to enhanced security requirements.

Obligations for network operators

The obligations set out apply to network operators, which Article 21 of the CSL broadly defines  to include all entities using a network (including the Internet) to operate or provide services.  Network operators will be subject to different cybersecurity requirements corresponding to their MLPS classification level.

• Self-assessment of security level. All network operators are responsible for determining the appropriate security level for their networks at the design and planning stage, taking into account the functions of the network, scope and targets of service, and the types of data being processed.  When network functions, services scope and types of data processed are significantly changed, network operators are required to re-assess their classification level.In addition, operators of networks classified level 2 or above are required to arrange for “expert review” of the classification level and may also be required to obtain approval from industry regulators and the MPS.
• Cybersecurity requirements.
  • All network operators. The Draft Regulation sets out requirements generally applicable to all network operators regardless of classification level, which largely track the requirements under Article 21 of the CSL. All network operators are required to conduct a self-review on their implementation of the cybersecurity MLPS system and the status of their cybersecurity at least once per year and should timely rectify identified risks and report such risks and remediation plans to MPS with which the operator is registered.
  • Operators of networks classified level 3 and above. Additional requirements apply for operators of networks classified level 3 and above—some of them are repetitive or overlap with general requirements above. New level 3 networks must be tested by MLPS testing agencies accredited by MPS (a list of accredited testing agencies available here) before they can come online. (By way of comparison, network operators of networks level 2 and below can test their own new network before it comes online.) Operators of networks classified level 3 and above are also required to formulate cybersecurity emergency plans and regularly carry out cybersecurity emergency response drills (e.g., table top exercises).

• Security incident reporting. The Draft Regulation briefly mentions that network operators are required to report incidents within 24 hours to MPS. Although the Draft Regulation does not elaborate the reporting process or the information required for such notifications, this requirement imposes a new reporting timeline on network operators because the CSL, itself, does not have a specific time frame for reporting.

Additional requirements for operators of networks classified level 3 and above

Operators of networks classified level 3 and above are also subject to other requirements, including relating to procurement of products and services, technical maintenance performed overseas, and the use and testing of encryption measures.  In addition, the Draft Regulation restricts the ability of certain personnel to attend “offensive and defensive activities organized by foreign organizations” without authorization.

Enforcement and Liability

The Draft Regulation stipulates a wide array of investigative powers for MPS and sanctions for non-compliant companies, ranging from on-site inspection, investigation, and “summoning for consultation” to monetary fines and criminal liability.

* * * * *

While the meanings of certain terms in these requirements are still not clear and may require further interpretation, multinational companies operating in China may wish to closely follow developments relating to the Draft Regulation and understand how recent developments may affect their business operations. Companies have until July 28 to provide feedback to the Chinese government on possible amendments.