Regulations on Security Protection of Key Information Infrastructure

Decree of the State Council of the People's Republic of China

No. 745

The "Regulations on the Security Protection of Critical Information Infrastructure" were adopted at the 133rd executive meeting of the State Council on April 27, 2021, are hereby promulgated, and shall come into force as of September 1, 2021.

Premier Li Keqiang

July 30, 2021

Regulations on Security Protection of Key Information Infrastructure

Chapter I General Principles

Article 1 In order to ensure the security of key information infrastructure and maintain network security, these Regulations are formulated in accordance with the Network Security Law of the People's Republic of China.

Article 2 The key information infrastructure mentioned in these Regulations refers to important network facilities, information systems and the like in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and the national defense science and technology industry, as well as any others that, once damaged, disabled or subject to data leakage, may seriously endanger national security, the national economy and people's livelihood, or the public interest.

Article 3 Under the overall coordination of the national network information department, the public security department of the State Council is responsible for guiding and supervising the security protection of key information infrastructure. The telecommunications authorities of the State Council and other relevant departments shall, in accordance with the provisions of these Regulations and relevant laws and administrative regulations, be responsible for the security protection, supervision and management of key information infrastructure within their respective functions and duties.

The relevant departments of the provincial people’s government shall, according to their respective responsibilities, implement security protection and supervision and management of key information infrastructure.

Article 4 The security protection of key information infrastructure adheres to comprehensive coordination, division of responsibilities and legal protection, strengthens and implements the main responsibility of key information infrastructure operators (hereinafter referred to as operators), gives full play to the role of the government and all sectors of society, and jointly protects the security of key information infrastructure.

Article 5 The state gives priority to the protection of key information infrastructure, takes measures to monitor, defend against and deal with cyber security risks and threats originating from inside and outside the People's Republic of China, protects key information infrastructure from attack, intrusion, interference and destruction, and punishes illegal and criminal activities that endanger the security of key information infrastructure according to law.

No individual or organization may illegally invade, interfere with or destroy critical information infrastructure, and may not endanger the security of critical information infrastructure.

Article 6 In accordance with the provisions of these Regulations and relevant laws and administrative regulations, and with the mandatory requirements of national standards, operators shall, on the basis of network security level protection, take technical protection measures and other necessary measures to deal with network security incidents, prevent network attacks and illegal and criminal activities, ensure the safe and stable operation of key information infrastructure, and maintain the integrity, confidentiality and availability of data.

Article 7 Units and individuals that have made remarkable achievements or made outstanding contributions in the security protection of key information infrastructure shall be commended in accordance with relevant state regulations.

Chapter II Identification of Key Information Infrastructure

Article 8 The competent departments and supervision departments of important industries and fields involved in Article 2 of these Regulations are the departments responsible for the security protection of key information infrastructure (hereinafter referred to as the protection departments).

Article 9 The protection department shall, in combination with the actual situation of this industry and this field, formulate rules for the identification of key information infrastructure and report them to the public security department of the State Council for the record.

The following factors shall be mainly considered in formulating the identification rules:

(1) the importance of network facilities, information systems, etc. to the key core business of the industry and field;

(2) the degree of harm that may be caused if network facilities and information systems are damaged, disabled or subject to data leakage;

(3) the impact on other industries and fields.

Article 10 The protection department is responsible for organizing the identification of the key information infrastructure of its industry and field according to the identification rules, promptly notifying operators of the identification results, and reporting those results to the public security department of the State Council.

Article 11 If key information infrastructure undergoes a major change that may affect its identification result, the operator shall report the relevant information to the protection department in a timely manner. The protection department shall complete the re-identification within 3 months from the date of receiving the report, notify the operator of the result, and report it to the public security department of the State Council.

Chapter III Responsibilities and Obligations of Operators

Article 12 Security protection measures should be planned, constructed and used simultaneously with key information infrastructure.

Article 13 Operators shall establish and improve a network security protection system and responsibility system, and ensure the investment of human, financial and material resources. The principal person in charge of the operator bears overall responsibility for the security protection of key information infrastructure, leads the security protection of key information infrastructure and the handling of major network security incidents, and organizes the study and resolution of major network security issues.

Article 14 Operators shall set up specialized security management institutions, and conduct security background reviews of the persons in charge of those institutions and of personnel in key positions. During the review, the public security organs and state security organs shall provide assistance.

Article 15 Specialized security management institutions shall be specifically responsible for the security protection of key information infrastructure of their own units and perform the following duties:

(1) establishing and improving the network security management, evaluation and assessment system, and formulating the security protection plan for key information infrastructure;

(2) organizing and promoting the construction of network security protection capacity, and carrying out network security monitoring, detection and risk assessment;

(3) formulating the unit's own emergency plan in accordance with the national and industry emergency plans for network security incidents, carrying out emergency drills regularly, and handling network security incidents;

(4) identifying key positions in network security, organizing the assessment of network security work, and putting forward suggestions on rewards and punishments;

(5) organizing education and training on network security;

(6) fulfilling the responsibility for personal information and data security protection, and establishing and improving the personal information and data security protection system;

(7) implementing security management of the design, construction, operation and maintenance services of key information infrastructure;

(8) reporting network security incidents and important matters in accordance with the relevant provisions.

Article 16 Operators should guarantee the operating expenses of special security management institutions and equip them with corresponding personnel, and the personnel of special security management institutions should participate in the decision-making related to network security and informatization.

Article 17 Operators shall conduct network security detection and risk assessment on key information infrastructure at least once a year by themselves or by entrusting network security service agencies, rectify the security problems found in time, and submit the information according to the requirements of the protection department.

Article 18 When a major network security incident occurs in key information infrastructure or a major network security threat is found, the operator shall report to the protection department and the public security organ in accordance with relevant regulations.

In case of major network security incidents such as overall interruption of key information infrastructure or major functional failure, disclosure of national basic information and other important data, large-scale disclosure of personal information, resulting in greater economic losses, widespread dissemination of illegal information, or discovery of major network security threats, the protection department shall, after receiving the report, promptly report to the national network information department and the public security department of the State Council.

Article 19 Operators shall give priority to purchasing secure and trustworthy network products and services; if the procurement of network products and services may affect national security, it shall pass a security review in accordance with the national network security regulations.

Article 20 Operators purchasing network products and services shall, in accordance with the relevant provisions of the state, sign a security and confidentiality agreement with the network product and service providers, clarify the technical support and security and confidentiality obligations and responsibilities of the providers, and supervise the performance of the obligations and responsibilities.

Article 21 In the event of a merger, division, dissolution or similar change, the operator shall promptly report to the protection department, and dispose of the key information infrastructure according to the requirements of the protection department to ensure its security.

Chapter IV Guarantee and Promotion

Article 22 The protection department shall formulate the security plan for key information infrastructure in its industry and field, and define the protection objectives, basic requirements, tasks and specific measures.

Article 23 The national network information department co-ordinates relevant departments to establish a network security information sharing mechanism, timely collects, judges, shares and publishes information on network security threats, vulnerabilities and incidents, and promotes the sharing of network security information among relevant departments, protection departments, operators and network security service agencies.

Article 24 The protection department shall establish and improve a network security monitoring and early warning system for the key information infrastructure in its industry and field, keep abreast of the operating status and security situation of that infrastructure, issue early warnings and notifications of network security threats and hidden dangers, and guide security prevention work.

Article 25 The protection department shall, in accordance with the requirements of the national emergency plan for cyber security incidents, establish and improve the emergency plan for cyber security incidents in its own industry and field, and organize emergency drills regularly; it shall guide operators in dealing with network security incidents, and organize and provide technical support and assistance as needed.

Article 26 The protection department shall regularly organize network security inspection and detection of key information infrastructure in its industry and field, and guide and supervise operators in promptly rectifying hidden security risks and improving security measures.

Article 27 The national network information department coordinates the public security department of the State Council and the protection departments in carrying out network security inspection and detection of key information infrastructure, and puts forward improvement measures.

Relevant departments should strengthen coordination and information communication when carrying out network security inspection of key information infrastructure, so as to avoid unnecessary inspection and overlapping inspection. No fees shall be charged for the inspection work, and the inspected units shall not be required to buy products and services of designated brands or designated production and sales units.

Article 28 Operators shall cooperate with the network security inspection and detection of key information infrastructure carried out by the protection department, as well as with the network security inspection of key information infrastructure carried out according to law by the relevant departments of public security, national security, confidentiality administration and cryptography administration.

Article 29 In the security protection of key information infrastructure, the national network information department, the competent telecommunications department of the State Council and the public security department of the State Council shall provide timely technical support and assistance according to the needs of the protection department.

Article 30 Information obtained by the network information department, public security organs, protection departments and other relevant departments, and by network security service institutions and their staff, in the course of the security protection of key information infrastructure may only be used to maintain network security; information security shall be ensured in strict accordance with the requirements of relevant laws and administrative regulations, and such information shall not be leaked, sold or illegally provided to others.

Article 31 Without the approval of the national network information department and the public security department of the State Council, or the authorization of the protection department and the operator, no individual or organization may carry out vulnerability detection, penetration testing or other activities on key information infrastructure that may affect or endanger its security. Vulnerability detection, penetration testing and other such activities on basic telecommunications networks shall be reported to the competent telecommunications department of the State Council in advance.

Article 32 The state takes measures to give priority to ensuring the safe operation of key information infrastructures such as energy and telecommunications.

The energy and telecommunications industries should take measures to provide key guarantees for the safe operation of key information infrastructure in other industries and fields.

Article 33 Public security organs and state security organs shall, in accordance with their respective duties, strengthen the security of key information infrastructure in accordance with the law, and prevent and crack down on illegal and criminal activities against and using key information infrastructure.

Article 34 The state formulates and improves security standards for key information infrastructure, and guides and regulates the security protection of key information infrastructure.

Article 35 The state takes measures to encourage network security professionals to engage in the security protection of key information infrastructure, and incorporates the training of operators' security management personnel and security technicians into the national continuing education system.

Article 36 The state supports the technological innovation and industrial development of key information infrastructure security protection, and organizes forces to tackle key information infrastructure security problems.

Article 37 The state strengthens the construction and management of network security service institutions, formulates management requirements and strengthens supervision and guidance, constantly improves the ability level of service institutions, and gives full play to their role in the security protection of key information infrastructure.

Article 38 The state strengthens military-civilian integration in network security, and the military and civilian sides cooperate to protect the security of key information infrastructure.

Chapter V Legal Liability

Article 39 In any of the following circumstances, the relevant competent authorities shall, according to their duties, order the operator to make corrections and give a warning; where the operator refuses to make corrections, or the consequences endanger network security, the operator shall be fined between 100,000 yuan and 1 million yuan, and the directly responsible person in charge shall be fined between 10,000 yuan and 100,000 yuan:

(1) failing to report the relevant information to the protection department in time when key information infrastructure has undergone a major change that may affect its identification result;

(2) failing to plan, construct and use security protection measures simultaneously with the key information infrastructure;

(3) failing to establish and improve the network security protection system and responsibility system;

(4) failing to set up a specialized security management institution;

(5) failing to conduct security background reviews of the person in charge of the specialized security management institution and of personnel in key positions;

(6) making decisions related to network security and informatization without the participation of personnel from the specialized security management institution;

(7) the specialized security management institution failing to perform the duties stipulated in Article 15 of these Regulations;

(8) failing to conduct network security detection and risk assessment of key information infrastructure at least once a year, failing to rectify the security problems found in time, or failing to submit the information as required by the protection department;

(9) purchasing network products and services without signing a security and confidentiality agreement with the network product and service provider in accordance with the relevant provisions of the state;

(10) failing to report a merger, division, dissolution or similar change to the protection department in time, or failing to dispose of the key information infrastructure in accordance with the requirements of the protection department.

Article 40 If an operator fails to report to the protection department and the public security organ in accordance with the relevant provisions when a major network security incident occurs in, or a major network security threat is discovered to, key information infrastructure, the protection department and the public security organ shall, according to their duties, order it to make corrections and give a warning; where the operator refuses to make corrections, or the consequences endanger network security, the operator shall be fined between 100,000 yuan and 1 million yuan, and the directly responsible person in charge shall be fined between 10,000 yuan and 100,000 yuan.

Article 41 If an operator purchases network products and services that may affect national security without conducting a security review in accordance with the national network security regulations, the national network information department and other relevant competent departments shall, according to their duties, order it to make corrections and impose a fine of between one and ten times the purchase amount, and shall impose a fine of between 10,000 yuan and 100,000 yuan on the directly responsible person in charge and other directly responsible personnel.

Article 42 If an operator fails to cooperate with the network security inspection and detection of key information infrastructure carried out by the protection department, or with the network security inspection of key information infrastructure carried out according to law by the relevant departments of public security, national security, confidentiality administration and cryptography administration, the relevant competent department shall order it to make corrections; where the operator refuses to make corrections, it shall be fined between 50,000 yuan and 500,000 yuan, and the directly responsible person in charge and other directly responsible personnel shall be fined between 10,000 yuan and 100,000 yuan; if the circumstances are serious, the corresponding legal responsibilities shall be investigated according to law.

Article 43 Where activities that illegally invade, interfere with or destroy key information infrastructure and endanger its security do not constitute a crime, the public security organs shall, in accordance with the relevant provisions of the Cyber Security Law of the People's Republic of China, confiscate the illegal income, impose detention of up to 5 days, and may also impose a fine of between 50,000 yuan and 500,000 yuan; if the circumstances are serious, detention of between 5 and 15 days shall be imposed, and a fine of between 100,000 yuan and 1 million yuan may also be imposed.

If a unit commits the acts mentioned in the preceding paragraph, the illegal income shall be confiscated by the public security organ, and a fine of 100,000 yuan to 1 million yuan shall be imposed, and the directly responsible person in charge and other directly responsible personnel shall be punished in accordance with the provisions of the preceding paragraph.

Persons who are given public security administrative penalties for violating the second paragraph of Article 5 or the provisions of Article 31 shall not hold key positions in network security management or network operation for 5 years; persons who receive criminal punishment shall not hold key positions in network security management or network operation for life.

Article 44 If the network information department, the public security organ, the protection department and other relevant departments and their staff fail to perform the duties of security protection, supervision and management of key information infrastructure or neglect their duties, abuse their powers or engage in malpractices for selfish ends, the directly responsible person in charge and other directly responsible personnel shall be punished according to law.

Article 45 If public security organs, protection departments or other relevant departments charge fees during network security inspections of key information infrastructure, or require the inspected units to buy products and services of designated brands or designated production and sales units, their higher authorities shall order them to make corrections and refund the fees charged; if the circumstances are serious, the directly responsible person in charge and other directly responsible personnel shall be punished according to law.

Article 46 If network information departments, public security organs, protection departments or other relevant departments, or network security service institutions and their staff, use information obtained in the security protection of key information infrastructure for other purposes, or leak, sell or illegally provide it to others, the directly responsible person in charge and other directly responsible personnel shall be punished according to law.

Article 47 If a major or particularly major network security incident occurs in key information infrastructure and is determined after investigation to be a liability accident, the responsibility of the operator shall be ascertained and investigated according to law, and the responsibility of the relevant network security service institutions and relevant departments shall also be ascertained; those found to have neglected their duties, committed dereliction of duty, or committed other illegal acts shall be investigated according to law.

Article 48 If an operator of e-government key information infrastructure fails to fulfill the network security protection obligations stipulated in these Regulations, it shall be dealt with in accordance with the relevant provisions of the Network Security Law of the People's Republic of China.

Article 49 Anyone who violates the provisions of these regulations and causes damage to others shall bear civil liability according to law.

Where a violation of these Regulations constitutes a violation of public security administration, public security administrative penalties shall be imposed according to law; where it constitutes a crime, criminal responsibility shall be investigated according to law.

Chapter VI Supplementary Provisions

Article 50 The security protection of key information infrastructure for storing and processing state secret information shall also comply with the provisions of confidentiality laws and administrative regulations.

The use and management of cryptography in key information infrastructure shall also comply with the provisions of relevant laws and administrative regulations.

Article 51 These Regulations shall come into force as of September 1, 2021.