Hui Ye Commentary | Chinese-English Edition | Latest Interpretation of the Regulations for the Security Protection of Critical Information Infrastructure: Supervision System, Identification Standards and Compliance Obligations
On August 17, 2021, after more than three years of soliciting public opinions, the State Council officially issued the Regulations for the Security Protection of Critical Information Infrastructure (hereinafter the "Regulations"), which take effect on September 1, 2021, simultaneously with the Data Security Law of the People's Republic of China.
Drawing on relevant legislative trends, regulatory enforcement practice and project experience, the cyber and data law team of Hui Ye Law Firm (hereinafter "Hui Ye") briefly interprets the Regulations as follows, for the industry's reference only.
Ⅰ. Selected Legal Documents
Ⅱ. Graded Protection
Through a series of legislative and enforcement practices, China has pioneered a classification-and-grading model for the supervision and protection of networks and data, which includes "protection by grade, supervision by grade". This is specifically reflected in:
1. Network Grading
According to the Cybersecurity Law, the Regulations and Document No. 1960, the Multi-Level Protection Scheme (MLPS) is the foundation and CII protection is the key-point protection built on it, but there is no direct one-to-one correspondence between the two. That is, although there is a requirement to "focus on safeguarding the security of critical information infrastructure and networks at Grade III or above", in practice a network or system at MLPS Grade III is not necessarily a CII.
2. Data Grading
3. Personal Information Grading
By degree of sensitivity, personal information can be divided into:
By degree of necessity, personal information can be divided into:
Ⅲ. Supervision System
Taking together the Cybersecurity Law, the Regulations and Document No. 1960, China's current supervision system for the protection of critical information infrastructure is as follows:
Ⅳ. Identification Standards
As for the identification standard for CII, the Regulations abandon the "general definition plus enumeration" identification mode of the Regulations for the Security Protection of Critical Information Infrastructure (Exposure Draft) and largely continue the dual "industry + risk" identification mode of the Cybersecurity Law. That is, the following network facilities and information systems may be identified as CII:
(1) Industry standard: network facilities and information systems in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and the national defense science and technology industry (note: newly added);
(2) Risk standard: important network facilities and information systems outside the above industries and fields which, once damaged, disabled or subject to data leakage, may seriously endanger national security, the national economy and people's livelihood or the public interest, or may have a major knock-on impact on other industries or fields;
(3) Other standards: in addition, the Cybersecurity Law (Draft) also contained a user-number standard for CII identification, namely that "networks and systems owned or managed by network service providers with a large number of users" would also be identified as CII. The Guidelines for Determining Critical Information Infrastructure that later circulated informally also referred to the number of users as an indicator. Whether the protection authorities will take the number of users into account when formulating their CII identification rules remains to be clarified. Furthermore, Document No. 1960 puts forward a CII identification standard from the dimension of system functional characteristics, namely that "basic networks, large private networks, core business systems, cloud platforms, big data platforms, Internet of Things, industrial control systems, intelligent manufacturing systems, new Internet, emerging communication facilities and other key protection objects that meet the identification conditions shall be included in critical information infrastructure. The list of critical information infrastructure shall be subject to a dynamic adjustment mechanism."
It is worth noting that the above dual "industry + risk" identification standard is still very broad. For example, in the "information services" field, if the identification standard of the Administrative Measures on Internet Information Services is applied, most enterprises with an Internet presence, not just typical Internet companies, could be identified as providing "information services".
The Regulations further clarify that it is the protection authorities that organize CII identification according to the identification rules and notify operators of the results; operators need not judge or assess on their own whether they are CIIOs. According to Ramon Huang's team at Hui Ye, some enterprises have already received identification notices from the competent authorities.
Ⅴ. Compliance Obligations
Taking together the Regulations, the aforementioned laws and regulations and regulatory enforcement practice, Ramon Huang's team at Hui Ye notes that the compliance obligations a CIIO must perform under law include, but are not limited to:
(1) Carry out MLPS grading, evaluation and related cybersecurity graded protection work in accordance with law;
(2) Where the procurement of network products and services or the processing of important data may affect national security, or where the operator seeks a listing abroad, conduct a cybersecurity review in accordance with the Cybersecurity Review Measures and other provisions;
(3) Conduct, by itself or by entrusting a cybersecurity service agency, cybersecurity testing and risk assessment of the critical information infrastructure at least once a year, and promptly rectify the security issues found;
(4) Use commercial cryptographic products or services in accordance with law, and perform disaster-recovery backup of important systems and databases;
(5) Security protection measures shall be planned, built and put into use simultaneously with the critical information infrastructure;
(6) When procuring network products and services, ensure supply-chain security, comply with import and export control provisions, sign security and confidentiality agreements with the product and service providers in accordance with relevant national regulations, specifying the providers' technical support and security and confidentiality obligations and responsibilities, and supervise the performance of those obligations and responsibilities;
(7) Perform data and personal information localization obligations in accordance with law; where cross-border transfer is truly necessary, conduct a security assessment or certification in accordance with law;
(8) Establish and improve systems and mechanisms for cybersecurity and data protection;
(9) The principal person in charge bears overall responsibility for the security protection of the critical information infrastructure;
(10) Set up a dedicated security management body and appoint a head of security management, guarantee the body's operating funds and staff it accordingly; decisions relating to cybersecurity and informatization shall involve personnel of the dedicated security management body;
(11) Conduct security background reviews of the head of the dedicated security management body and of personnel in key positions, and regularly provide cybersecurity education, technical training and skills assessment for employees;
(12) Formulate contingency plans for cybersecurity incidents and conduct drills regularly; when a major cybersecurity incident occurs or a major cybersecurity threat is discovered, report to the protection authorities and the public security organs in accordance with relevant provisions;
(13) In the event of a merger, division, dissolution or similar change, promptly report to the protection authorities and dispose of the critical information infrastructure as required by them to ensure its security;
(14) Where a major change may affect the CII identification result, promptly report the relevant circumstances to the protection authorities for re-identification; and so on.