Fundamental criteria for the accreditation of a CIIO

In July 2017 the Regulation on Security Protection of Critical Information Infrastructure was published, and at the same time the public was invited to submit comments and suggestions as part of a public consultation. This regulation, which is based on the Cybersecurity Law of the People's Republic of China, aims to protect the Chinese cyber industry and to centralize the accumulation of data. Furthermore, it states that all CII operations must be conducted within China itself. Although the final implementation has not yet taken place, it is clear that the Chinese government strongly intends to carry it out promptly. The accreditation of a Critical Information Infrastructure Operator (CIIO) in China follows a three-step process, as it does elsewhere; the details are described in this article.

Accreditation procedure of CIIO

First, the key industries and their relevant branches have to be defined. Based on this, the specific definition of each potentially critical information system is determined for each branch. The following table shows examples of certain industries and their key branches.

Table 1: Industrial branches for possible Critical Information Infrastructure (examples)

Industry                     Critical branch
---------------------------  ------------------------------------------------------------------------------------------
Coal industry                Coal mining, coal, and mining industry
Electricity                  Production, energy transmission, and distribution
Petroleum, Petrochemicals    Oil exploration, oil processing, oil transportation and storage
Finance                      Bank operations, insurance operations, securities trading
Manufacturing                Management in businesses, intelligent manufacturing (internet of things), production and
                             storage of hazardous materials
Communications and Internet  Accumulation and storage of information
Municipal administration     Water and heat supply, public transportation, sewage treatment

In a second step, the relevant information systems for these branches and their facilities have to be defined. Each of the branches listed in the table above requires industry-specific control and information systems; two examples are the control systems of thermal power generating units and the monitoring systems for municipal water supply.

In a third step, certain criteria have to be fulfilled for a system to be classified as a CIIO (Critical Information Infrastructure Operator). The following table lists the criteria which have to be met for three types of information systems: websites, platforms, and production.

Websites can be classified as CIIOs if they are operated by the ruling party or by government organizations. Additionally, important Chinese news portals can be classified as CIIOs. The operators of these sites had to submit corresponding data about their systems to the government in 2016.

Platforms allow visitors to interact with each other or with the company, as they do on trading platforms such as Taobao or Alibaba.

The production category covers data centers with at least 1500 standard racks and systems of public services or state institutions at the city level or above, e.g. their control systems for emergency services, production control, or traffic control systems.

Table 2: In the case of a security incident, at least one of the following criteria must be applicable

System type                    Criterion
-----------------------------  --------------------------------------------------------------------------------------
Website                        Impact on the life and work of at least one million people
Website, Platform              Impact on the life and work of at least 30% of the population of a city
Website, Platform, Production  Loss of the data of at least one million people
Website, Platform              Loss of sensitive institutional, corporate, or state data
Website, Platform, Production  Undermining of state authority, disruption of social order, or endangerment of security
Platform                       Direct economic loss of at least ten million RMB
Production                     Death of at least five people or at least 50 injured persons

Conclusion

In general, there are parallels between the intended Chinese approach to classifying critical information infrastructure and the three-stage process of the European Agency for Network and Information Security. Compared to Europe, however, China appears to favor a top-down approach when evaluating these systems: the operators themselves have little to no influence on the evaluation process, which is conducted entirely by governmental actors, yet the operators of these critical information systems are given a high degree of responsibility for their systems' security.


Richard Hoffmann

Richard Hoffmann is a partner at ECOVIS Beijing China. Richard obtained an honors degree in law and worked in Germany, the United States, and China for various prestigious law firms prior to joining ECOVIS. In addition to being a member of the board of ECOVIS International, he is Supervisor for the China business of a respected German company and shares his extensive knowledge to students by teaching commercial law in China at SRH Hochschule Heidelberg. He has published more than fifty articles in international magazines, frequently speaks at high profile events in China and abroad and is often invited as a legal expert by international TV stations. Contact: richard.hoffmann@ecovis-beijing.com

Ecovis Beijing is the trusted tax and legal advisor to several embassies and official institutions in China. It specializes in mid-sized international companies and is focused on tax & legal advisory, accounting and auditing. If you’re interested in finding out more about tax and legal, don’t hesitate to sign up for our Newsletter, give us a call +86 (10) 6561 6609 or contact us directly via service@ecovis-beijing.com

With contributions by Kani Oezdemir
