Violating the cybersecurity classification protection system - the Cybersecurity Law - will surely be severely punished

Industry News 4 Reading A+ Default A-

At about 10:30 on August 13, 2020, the Public Security Bureau of Sanhe City found during a cybersecurity inspection of a certain gas company in Sanhe that the company had not established a security training and assessment system, had not implemented classified protection for information security, and had not fulfilled the responsibility for cybersecurity protection.

On August 17, 2020, during a cybersecurity inspection of three key information infrastructure units within Sanhe City, the Public Security Bureau of Sanhe City found that these three units had not established a security training and assessment system, had not implemented classified protection for information security, and had not fulfilled their cybersecurity protection responsibilities.

The public security authorities, in accordance with the provisions of Article 33, Article 34, Article 36, Article 38 and the second paragraph of Article 59 of the Cybersecurity Law of the People's Republic of China, have lawfully imposed warning penalties on the above-mentioned four units.

As early as the first meeting of the Central Leading Group for Cyberspace Affairs held on February 27, 2014, the concept of critical information infrastructure was officially proposed. On June 1, 2017, the Cybersecurity Law was officially implemented, clearly stipulating that the state has strict regulations on important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other critical information infrastructure that, once damaged, lose functionality or have data leaked, may seriously endanger national security, the national economy and people's livelihood, and public interests. On the basis of the cybersecurity classification protection system, key protection is implemented. The protection of critical information infrastructure is the top priority in implementing the Cybersecurity Law!

Interpretation of the Cybersecurity Law

Through this incident, we will interpret the provisions on the security of critical information infrastructure and the legal responsibilities in the Cybersecurity Law below. The provisions define the scope of critical information infrastructure, clarify its relationship with the cybersecurity classification protection system, and stipulate the main contents of the protection of critical information infrastructure.

Article 31 The state shall, on the basis of the cybersecurity classification protection system, protect important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other critical information infrastructure that, once damaged, lose functionality or have data leaked, may seriously endanger national security, the national economy and people's livelihood, and public interests. Implement key protection. The specific scope and security protection measures of critical information infrastructure shall be formulated by The State Council. The state encourages network operators outside of critical information infrastructure to voluntarily participate in the protection system of critical information infrastructure.

Interpretation: This clause defines the scope of critical information infrastructure, emphasizing the necessity of implementing the cybersecurity classification protection system and providing focused protection. The State Council will formulate corresponding security protection measures for critical information infrastructure.

Article 33

The construction of critical information infrastructure should ensure that it has the performance to support the stable and continuous operation of business, and guarantee that security technical measures are planned, constructed and used simultaneously.

Interpretation: This clause explains how to build critical information infrastructure and emphasizes the "three synchronizations" principle for the implementation of security technologies.

Applicable legal liability: [Article 59

Article 34 In addition to the provisions of Article 21 of this Law, the operators of critical information infrastructure shall also perform the following security protection obligations:

(1) Establish a dedicated safety management institution and a safety management person in charge, and conduct safety background checks on such person in charge and personnel in key positions;

(2) Regularly provide cybersecurity education, technical training and skills assessment for employees;

(3) Perform disaster recovery and backup for important systems and databases;

(4) Develop emergency response plans for cyber security incidents and conduct regular drills;

(V) Other obligations as prescribed by laws and administrative regulations.

Interpretation: This clause stipulates that the protection requirements for critical information infrastructure are higher than those of the cybersecurity classification protection system as stipulated in Article 21. At the same time, it emphasized background checks, education and training, assessment, disaster recovery and backup, emergency response plans and drills.

Applicable legal liability: [Article 59

Article 36: When operators of critical information infrastructure purchase network products and services, they shall enter into security and confidentiality agreements with providers in accordance with the regulations, clearly defining their security and confidentiality obligations and responsibilities.

Interpretation: The core of this clause is to clarify the security of outsourcing services and emphasize the signing of security and confidentiality agreements.

Applicable legal liability: [Article 59

Article 38 The operator of critical information infrastructure shall, either on its own or by entrusting a cybersecurity service agency, conduct at least one inspection and assessment of the security and potential risks of its network each year, and report the inspection and assessment results and improvement measures to the relevant department responsible for the security protection of critical information infrastructure.

Interpretation: The key words of this clause are grade assessment, risk evaluation, and penetration testing.

Applicable legal liability: [Article 59

Article 39 The cyberspace Administration of the state shall coordinate with relevant departments to take the following measures for the security protection of critical information infrastructure:

(1) Conduct random checks and tests on the security risks of critical information infrastructure, propose improvement measures, and when necessary, entrust cybersecurity service institutions to test and assess the security risks existing in the network.

(2) Regularly organize operators of critical information infrastructure to conduct cybersecurity emergency drills to enhance their ability to respond to cybersecurity incidents and their collaborative capabilities;

(3) Promote the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure, and related research institutions, cybersecurity service providers, etc.

(4) Provide technical support and assistance for emergency response to cyber security incidents and the restoration of network functions, etc.

Interpretation: This clause stipulates the work requirements of the national competent authorities regarding the undertaking of overall coordination.

Specific legal liability provisions

Article 59 Where a network operator fails to perform the obligations of network security protection as prescribed in Articles 21 and 25 of this Law, the relevant competent department shall order it to make corrections and give it a warning. Where corrections are refused or consequences such as endangering network security are caused, a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed, and a fine of not less than 5,000 yuan but not more than 50,000 yuan shall be imposed on the directly responsible person in charge. Where the operator of critical information infrastructure fails to perform the obligations of cyber security protection as prescribed in Articles 33, 34, 36 and 38 of this Law, the relevant competent department shall order it to make corrections and give it a warning. Where corrections are refused or consequences such as endangering network security are caused, a fine of not less than 100,000 yuan but not more than 1 million yuan shall be imposed, and a fine of not less than 10,000 yuan but not more than 100,000 yuan shall be imposed on the directly responsible person in charge.


Related articles