November 14, 2018

China Seeks Public Comments for Draft Cybersecurity Regulations

On June 27, 2018, China’s Ministry of Public Security (“MPS”) released for public comment a draft of the Regulations on Cybersecurity Multi-level Protection Scheme (“the Draft Regulation”). The highly anticipated Draft Regulation sets out the details of an updated Multi-level Protection Scheme, whereby network operators (defined below) are required to comply with different levels of protections according to the level of risk involved with their networks. The comment period ends on July 27, 2018.

China’s Cybersecurity Law (“CSL”), which took effect on June 1, 2017, requires the government to implement a Multi-level Protection Scheme (“MLPS”) for cybersecurity (Article 21). The Draft Regulation, a binding regulation once finalized, echoes this requirement and provides guidance for network operators to comply with the Cybersecurity Law.

The Draft Regulation updates the existing MLPS, which is a framework dating back to 2007 that classifies information systems physically located in China according to their relative impact on national security, social order, and economic interests if the system is damaged or attacked. The classification levels range from one to five, one being the least critical and five being the most critical. Information systems that are classified (initially self-assessed and proposed by operators and then confirmed by MPS) at level 3 or above are subject to enhanced security requirements.

Obligations for network operators

The obligations set out apply to network operators, which Article 21 of the CSL broadly defines to include all entities using a network (including the Internet) to operate or provide services. Network operators will be subject to different cybersecurity requirements corresponding to their MLPS classification level.

  • Self-assessment of security level. All network operators are responsible for determining the appropriate security level for their networks at the design and planning stage, taking into account the functions of the network, scope and targets of service, and the types of data being processed. When network functions, service scope and types of data processed change significantly, network operators are required to re-assess their classification level. In addition, operators of networks classified level 2 or above are required to arrange for “expert review” of the classification level and may also be required to obtain approval from industry regulators and the MPS.
  • Cybersecurity requirements.
    • All network operators. The Draft Regulation sets out requirements generally applicable to all network operators regardless of classification level, which largely track the requirements under Article 21 of the CSL. All network operators are required to conduct a self-review of their implementation of the cybersecurity MLPS system and the status of their cybersecurity at least once per year, and should promptly rectify identified risks and report such risks and remediation plans to MPS with which the operator is registered.
    • Operators of networks classified level 3 and above. Additional requirements apply for operators of networks classified level 3 and above, some of which repeat or overlap with the general requirements above. New level 3 networks must be tested by MLPS testing agencies accredited by MPS (a list of accredited testing agencies is available here) before they can come online. (By way of comparison, operators of networks classified level 2 and below can test their own new networks before they come online.) Operators of networks classified level 3 and above are also required to formulate cybersecurity emergency plans and regularly carry out cybersecurity emergency response drills (e.g., tabletop exercises).
  • Security incident reporting. The Draft Regulation briefly mentions that network operators are required to report incidents within 24 hours to MPS. Although the Draft Regulation does not elaborate on the reporting process or the information required for such notifications, this requirement imposes a new reporting timeline on network operators because the CSL itself does not have a specific time frame for reporting.

Additional requirements for operators of networks classified level 3 and above

Operators of networks classified level 3 and above are also subject to other requirements, including those relating to procurement of products and services, technical maintenance performed overseas, and the use and testing of encryption measures. In addition, the Draft Regulation restricts the ability of certain personnel to attend “offensive and defensive activities organized by foreign organizations” without authorization.

Enforcement and Liability

The Draft Regulation stipulates a wide array of investigative powers for MPS and sanctions for non-compliant companies, ranging from on-site inspection, investigation, and “summoning for consultation” to monetary fines and criminal liability.

* * * * *

While the meanings of certain terms in these requirements are still not clear and may require further interpretation, multinational companies operating in China may wish to closely follow developments relating to the Draft Regulation and understand how recent developments may affect their business operations. Companies have until July 28 to provide feedback to the Chinese government on possible amendments.

© 2018 Covington & Burling LLP

About this Author

Theodore J. Karch, Covington, intellectual property attorney
Associate

Ted Karch advises clients in a range of industries on the legal and reputational risks inherent in today’s data-driven world. His practice involves advising on US federal and state data privacy and cybersecurity laws as well as international privacy rules, including the EU General Data Protection Regulation (GDPR) and China’s Cybersecurity Law.

Mr. Karch helps clients navigate issues that arise in developing and launching innovative products. He has advised clients on practical solutions for approaching issues implicated by laws involving biometric data, online...

415-591-7094
Yan Luo, Regulatory and public policy lawyer, Covington
Of Counsel

Yan Luo advises clients in a broad array of regulatory matters in connection with international trade, cybersecurity and antitrust/competition laws in the U.S., EU and China.

With previous work experience in Washington, DC and Brussels before relocating to Beijing, Ms. Luo has fostered her government and regulatory skills in all three capitals. She is able to strategically advise international companies on Chinese regulatory matters and represent Chinese companies in regulatory reviews in other markets.

86.10.5910.0516
Ashden Fein, Litigation attorney, Covington Burling
Associate

Ashden Fein advises clients on cybersecurity and national security matters, including government and internal investigations, regulatory, and complex litigation matters.

For cybersecurity matters, Mr. Fein specifically counsels clients on preparing for and responding to cyber-based attacks, assessing their security controls and practices for the protection of data and systems, developing and implementing cybersecurity programs, and complying with federal and state regulatory requirements. Mr. Fein also has been the lead investigator and crisis manager for multiple...

202.662.5116