The Cyber Security Law is the first national-level legislation establishing principles for the protection of the People’s Republic of China’s cyberspace security and the law is intended to address, amongst others, the need to control China’s critical information infrastructure (CII) and its data. The law focuses on the security challenges facing information infrastructure in a range of critical sectors, such a telecommunications, energy, transportation and finance and addresses unlawful cyber activities including illegally obtaining or selling personal information, disseminating malicious software or prohibited information, and online fraud.
The PRC Cybersecurity Law generally imposes obligations on three types of entities: 1. network operators; 2. critical information infrastructure operators; and 3. providers of network products and services.
The PRC Cybersecurity Law imposes a range of cybersecurity obligations on “network operators,” which are defined as owners and administrators of networks and network service providers. A “network” is defined as any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange, and processing of information. On its face, the term network operator could broadly be interpreted to encompass any company that uses a network to do business in China despite not having a physical presence in China.
Generally, network operators must:
- Develop internal security management systems and procedures, appoint personnel responsible for network security, and implement network security protection responsibility.
- Adopt measures to prevent viruses, network attacks, network intrusions, and other threats to network security.
- Monitor and record network activity and security incidents, and store network logs for at least six months.
- Implement measures to classify, back up, and encrypt data.
- Network operators must also provide “technical support and assistance” to law enforcement authorities to safeguard national security and i