Last review date: 13 January 2025
Yes.
Network information security requirements (broader than telecommunications)
Under the CSL, network operators are generally required to:
Health regulatory requirements
According to the Measures for Cybersecurity Administration of Medical and Healthcare Institutions, issued by the National Health Commission (NHC) together with two other supervisory authorities and effective from 29 August 2022, licensed medical and healthcare institutions are required to complete certification under the Classified Protection of Cybersecurity scheme (CCSP), also known as the Multi-Level Protection Scheme (MLPS), as required under the CSL. The Measures also stipulate other cybersecurity requirements, such as an annual security self-inspection carried out in various forms (document verification, vulnerability scanning and penetration testing) so that possible issues and potential risks are discovered in a timely manner.
Financial services requirements
Each of the financial regulators in China has also formulated and implemented their industry-specific cybersecurity requirements for the financial institutions under their respective jurisdictions.
Telecommunication requirements
As key telecommunication operators are generally deemed to be CIIOs, please refer to the cybersecurity obligations of CIIOs described below.
Providers of critical infrastructure
According to the Regulations on Critical Information Infrastructure Security Protection, a CIIO is responsible for the security protection of its CII(s). A CIIO should implement technical protection measures and other necessary measures to deal with cybersecurity incidents, prevent cyberattacks and other illegal and criminal activities, ensure the security and stable operation of critical information infrastructure, and maintain integrity, confidentiality and availability of data.
Digital or connected (IoT) products
According to the Measures for the Administration of Data Security in the Industrial and Information Technology Sector (for Trial Implementation), data processors in the field of industry and information technology bear primary responsibility for the security of their data processing activities and must implement graded protection for different types of data. Where data of different levels are processed at the same time and it is difficult to apply separate protection measures, protection must be implemented in accordance with the requirements of the highest level, so that the relevant data remain effectively protected and lawfully used. Such measures include:
Other
The CSL also imposes a general obligation on all network operators to fulfill the CCSP obligations in order to ensure that the network is free from interference, damage or unauthorized access and prevent network data from being divulged, stolen or falsified. Such requirements include:
Yes
A general breach notification mechanism has been set out in the PIPL.
In the event of leakage of, tampering with, or loss of personal information, or when such events may have occurred, personal information processors should take remedial actions at once and notify personal information protection authorities as well as any individual concerned. The notification should include information such as:
If the personal information processors consider that the measures taken can prevent any harm arising from the leakage of, tampering with, or loss of information, they may choose not to notify the individual concerned. Nonetheless, if personal information protection authorities consider that the personal information leakage may be detrimental to the individuals concerned, the authorities may still require the personal information processors to notify the individuals concerned.
In the draft Measures for the Administration of Reporting of Cybersecurity Incidents issued by the CAC in December 2023 (Draft Cybersecurity Incident Reporting Measures), it is proposed that network operators engaged in the development and operation of networks, or in the provision of services through networks, within China should report cybersecurity incidents to the CAC, the Public Security Bureau, the authority in charge of the relevant critical information infrastructure operator and/or the competent industry regulator. For this purpose, a cybersecurity incident is an event that causes harm to a network or information system, or to its data, as a result of human factors, software or hardware defects or malfunctions, natural disasters, etc., and that results in negative social impacts.
As a default rule under the PIPL, controllers are under the obligation to notify. However, as the notification requirement stipulated under the CSL applies broadly to any network operator without distinguishing between controllers and processors, it is also accepted that controllers and processors may agree on which party will give the notification in the event of a personal data breach.
Yes
Details regarding the identified data security breach notification requirements
Currently, the relevant industry-specific rules contain neither a detailed definition of a security breach nor specific requirements (e.g., the contents to be reported). Since the PIPL came into effect recently, it remains to be seen whether the sector-specific rules will be updated in light of the introduction of the PIPL.
The Measures for Reporting, Investigating and Handling Cyber Security Incidents in Securities and Futures Industry require Key Institutions (e.g., stock exchanges) and Operation Institutions (e.g., securities companies, futures companies, and fund management companies) to report any cyber security incident to the China Securities Regulatory Commission (CSRC). The report to the CSRC should be in the form of a summary report of the incident, which should contain the following information:
In the healthcare sector, the Interim Measures for Reporting of Information Security Incidents of Healthcare Quality require licensed healthcare institutions to report information security incidents concerning the quality of medical treatment to the public health authorities. Reports may be made through the online system (or by telephone or fax if the online system is not available) and must be made within specific timeframes depending on the seriousness of the incident, as follows:
In the telecommunications sector, the Emergency Response Plan for Network Security Incidents of the Public Internet requires basic telecoms service operators, domain name registrars and internet enterprises to report to the Ministry of Industry and Information Technology (and its local offices) any network security emergencies within ten working days from the completion of the emergency measures conducted in response to the security incidents.
According to the Draft Cybersecurity Incident Reporting Measures, reports are to be made to the CAC and other competent regulators by filing a template formulated by the CAC. For any significant, major or critical incident, the report must be filed with the provincial CAC (and, in the case of CII operators, with the other competent authorities) within one hour, or within 24 hours if information other than the first two items is not available within one hour: