China’s Cybersecurity Law (CSL) was introduced in 2017, but some of its provisions are still being rolled out and adjusted from time to time. Today the law is seen as one pillar of China’s overall data security legal framework. Still, when it was enacted a couple of years ago, it was a major milestone in China’s efforts to safeguard national cyberspace, ensure the public interest, and protect the rights and interests of citizens and legal persons.
The updated CSL introduced the China Cybersecurity Classified Protection System (CCPS) as an integral part of the law, applying to Network Operators (NO) and Critical Information Infrastructure Operators (CIIO). “Network Operators”, as defined in the appendix to the Cybersecurity Law, can refer to almost any business in China that owns or administers its own networks, not only to telecommunications companies or internet service providers, as one might think. In other words, the regulatory scope of the CCPS covers practically every company in China that provides services and collects data there, whether big or small, locally or foreign-owned.
The essence of the law – explained
Under the law’s framework, network operators are required to classify their information systems or networks into one of five levels based on their sensitivity to individuals’ rights, the general public and national security. Where damage to an information system might result in high risk to an individual, the system is classified as level #1, and where potential damage to a system could result in high risk to national security, it is graded level #5. Network operators (and therefore CIIOs alike) must ensure that objects of different protection levels have the corresponding level of security protection ability.
They are also required to address security risks presented by new technologies and applications. The CCPS emphasizes the importance of security protection capability, that is, the ability to prevent, detect and recover from threats, incidents, and damage.
Practical takeaways for international companies in China
Although not all companies and systems are required by law to be certified under the CCPS framework, all should follow it. Under certain conditions, companies may therefore self-assess their systems and pursue self-compliance without going through certification. If a company decides to obtain certification, that certification should be renewed yearly or every two years, depending on the system’s certification level. Failure to comply with the CCPS framework can expose a business to severe liabilities, ranging from fines to business disruption or suspension.
The CCPS compliance journey:
CCPS target groups:
The regulatory scope of the CCPS has been greatly extended from traditional information systems to network infrastructure, critical information systems, websites, big data centers, cloud computing platforms, the Internet of Things, industrial control systems, public service platforms, mobile Internet, and other areas. In addition to grading, filing and evaluation, the CCPS includes further regulatory enforcement measures such as remote monitoring, on-site inspection, incident investigation, compliance inquiries with responsible personnel, remediation instructions, penalty notifications, emergency network cutoff, and other measures.
What to do now?
- Verify and validate the internal processes for how data is collected, processed, and stored.
- Following the previous step, assess cybersecurity and privacy risks in order to craft an appropriate strategy for eliminating the identified risks.
- Implement internal monitoring systems.
- Revise the data handling and data security policies within your company.
- Assign an employee responsible for periodic audits and for CSL compliance.
- Develop, together with your HQ, a proper policy for cross-border data transfers.
Conclusions & final remarks
The CCPS is China’s fundamental national cybersecurity technical framework. It is the primary method for ensuring cybersecurity and data security compliance and for conducting supervisory activities, and it aims to promote a more mature consumerization of digital services.
The good news is that if your company is already compliant with international cybersecurity standards and data privacy regulations, the CSL compliance requirements won’t trouble you too much. However, do remember that the CSL is only part of the larger picture of the Chinese data security legal framework, and careful attention to all the fine print is vital.
This is a guest post written by TEKID, a firm specialized in digital security and in identifying the risks an organization faces. TEKID provides consulting and engineering services for multinational companies as well as medium-sized enterprises. The firm’s uniqueness lies in its combined expertise in legal, security, and operations, which only a lean, cross-trained, imaginative and adaptable team can provide, together with personal attention and hands-on executive involvement.