On November 7, the 24th meeting of the Standing Committee of the 12th National People's Congress voted to pass the "Cybersecurity Law of the People's Republic of China" (hereinafter referred to as the "Cybersecurity Law"). As a basic law in China's cybersecurity field, the "Cybersecurity Law" has attracted attention from all walks of life from the first review to the final approval.
The Cybersecurity Law has made clear provisions on protecting personal information, combating online fraud, protecting key information infrastructure, and implementing the online real-name system, and has drawn a "red line" that cannot be crossed in the online world. The fundamental purpose of the Cybersecurity Law is to build a good online order and protect the legitimate rights and interests of citizens, legal persons and other organizations. It is a "talisman" rather than a "tightening curse." There are more than 700 million Internet users in China. Problems caused by the lack of laws and order in cyberspace are endless. Without cybersecurity, there is no national security, and without cybersecurity, the legitimate rights and interests of Internet users are difficult to protect. The clarity of cyberspace must be guaranteed by law. The Cybersecurity Law outlines the basic institutional framework for a series of cybersecurity issues that are of general concern to the public. The provisions of this legislation, such as "Internet communication control" and "Internet real-name system", have also aroused heated discussions. Some people also believe that the Internet should be a "free world". In fact, freedom is the purpose of order, and order is the guarantee of freedom. These regulations precisely reflect the dialectical unity of freedom and order. The Cybersecurity Law stipulates that "Internet restriction" measures will only be taken when it is necessary to maintain national security and social public order and deal with major sudden social security incidents in order to protect the safety of the country and the public. The Internet real-name system is also to prevent Internet fraud, clean up the use of the Internet to spread pornography, gambling, drugs and other information, and make citizens more cautious and responsible on the Internet.
Building a sound cybersecurity protection system and clarifying the rights and obligations of the government, enterprises and individuals will only restrict illegal and criminal acts in the cyber world and better protect the legitimate rights and interests of the majority of netizens. Therefore, the Cybersecurity Law is not a "tightening curse" but a "talisman". As long as you follow the rules, make order a habit, and don't step on the "red line" of the law, you can enjoy the free space protected by the law.
The following are 6 highlights:
Point 1: Personal information may not be sold
According to the 2016 China Internet User Rights Protection Survey Report released by the Internet Society of China, 84% of Internet users have personally experienced the negative impact of personal information leakage. From the second half of 2015 to the first half of this year, the economic losses suffered by Chinese Internet users due to spam, fraudulent information, and personal information leakage amounted to 91.5 billion yuan. In recent years, a large number of cases uncovered and exposed by the police show that the leakage, collection, and resale of citizens' personal information has formed a complete black industry chain. The Cybersecurity Law makes specific provisions: If network products and services have the function of collecting user information, their providers must make this clear to users and obtain their consent; network operators shall not disclose, tamper with, or destroy the personal information they collect; no individual or organization may steal or obtain personal information by other illegal means, illegally sell or provide personal information to others, and corresponding legal liabilities are stipulated. Wang Sixin, director of the Cyber Law and Intellectual Property Research Center of Communication University of China, said that the Cybersecurity Law, as a basic law in the cyber field, focuses on the leakage of personal information. It not only clarifies the responsibilities of network product service providers and operators, but also severely cracks down on the sale and trafficking of personal information. It will play a positive role in protecting the public's personal information security.
Point 2: Severe crackdown on online fraud
The leakage of personal information is an important reason for the rampant online fraud.
Fraudsters obtain personal information, including name, phone number, home address and other detailed information, through illegal means, and then carry out targeted fraud, which is hard to guard against. The cases of two college students in Shandong who died in telecommunications fraud and the case of a professor at Tsinghua University who was defrauded by telecommunications fraud, which have attracted public attention this year, were all caused by targeted fraud after information leakage. In addition to strictly preventing the leakage of personal information, the Cybersecurity Law also stipulates that in response to the endless stream of new types of online fraud crimes, no individual or organization may establish websites or communication groups for the purpose of committing fraud, teaching criminal methods, producing or selling prohibited or controlled items, and other illegal and criminal activities; and may not use the Internet to publish and commit fraud, produce or sell prohibited or controlled items, and other information on illegal and criminal activities. Zhu Wei, deputy director of the Communication Law Research Center of China University of Political Science and Law, said that no matter how new the online fraud schemes are, they are all implemented and spread through instant messaging tools, search platforms, online publishing platforms, emails and other channels. These regulations not only deter individuals and organizations from committing fraud, but also clarify the unshirkable responsibilities of Internet companies.
Point 3: Clarify the "Internet real-name system" in legal form
"Junk comments" flood forums, malicious insults are used when "there is a disagreement", and even worse, some people spread rumors "for fear of chaos in the world"... For some time, all kinds of chaos have filled the virtual online space. With the introduction of the concept of online real-name registration, some people applauded, while others expressed concerns.
The Cybersecurity Law stipulates the "Internet real-name system" in the form of law: Network operators shall require users to provide real identity information when handling network access, domain name registration services, fixed-line and mobile phone network access procedures, or providing users with information release, instant messaging and other services. If users do not provide real identity information, network operators shall not provide them with related services. Wang Sixin said that the Internet is virtual, but the people who use it are real. In fact, many Internet platforms have begun to implement the principle of "front-end resources, back-end real names", so that everyone can have privacy when using the Internet, and also enhance their sense of responsibility and self-discipline. The key to whether this regulation can be implemented is that Internet service providers must fulfill their principal responsibilities and strengthen their review and control.
Point 4: Focus on protecting critical information infrastructure
The "physical isolation" defense line can be invaded across the network, power allocation instructions can be maliciously tampered with, financial transaction information can be stolen... The security risks of these information infrastructures may not cause any problems, but once they do, they may lead to traffic interruptions, financial chaos, power paralysis and other problems, which are very destructive and lethal. The Cybersecurity Law has a separate section that clearly stipulates the operational security of critical information infrastructure, pointing out that the state will focus on protecting critical information infrastructure in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government.
Zuo Xiaodong, deputy director of the China Information Security Research Institute, said that the in-depth advancement of informatization has made critical information infrastructure the nervous system of social operation. Ensuring the security of these critical information systems is not only about protecting economic security, but also about protecting social security, public security and even national security. Protecting national critical information infrastructure is an international practice, and this clarification and emphasis in the form of law is very timely and necessary.
Point 5: Punishing foreign organizations and individuals that attack and damage China’s critical information infrastructure
In 2014, the Cyberspace Administration of China disclosed data showing that China has always been a victim of cyber attacks, with more than 10,000 websites being tampered with every month and 80% of government websites being attacked. These cyber attacks mainly come from the United States. The Cybersecurity Law stipulates that if individuals or organizations outside the country engage in activities that endanger the critical information infrastructure of the People's Republic of China, such as attacks, intrusions, interference, and destruction, and cause serious consequences, they shall be held accountable in accordance with the law; the public security department and relevant departments of the State Council may decide to freeze the assets of the individuals or organizations or take other necessary sanctions. Zuo Xiaodong said that the sovereignty of cyberspace includes not only the right to protect our country's own critical information infrastructure, but also the right to resist foreign invasion. "Today, countries around the world have taken various measures to prevent their cyberspace from being invaded by foreign countries, and have taken all means, including military means, to protect the security of their information infrastructure.
The Cybersecurity Law has made this provision, which is not only in line with international practice, but also shows our firm determination to safeguard national cyber sovereignty."
Point 6: "Internet communication control" can be adopted in major emergencies
In the real world, when a major emergency occurs, relevant departments often take measures such as traffic control to ensure emergency response and maintain national and public safety. Cyberspace is no exception. The Cybersecurity Law specifically lists a chapter on the establishment of a cybersecurity monitoring, early warning and emergency response system, and clarifies the measures that relevant departments need to take when a cybersecurity incident occurs. Special provisions: In order to maintain national security and social public order and deal with major sudden social security incidents, temporary measures such as restrictions on network communications may be taken in specific areas upon decision or approval by the State Council. Zuo Xiaodong believes that in the current situation where information technology is widely used throughout society, network communication control, as one of the control measures for major emergencies, is becoming increasingly important. "For example, in violent terrorist incidents, terrorists increasingly organize, plan, connect and carry out activities through the Internet. At this time, it may be necessary to control network communications. However, the impact of such control is relatively large, so the Cybersecurity Law stipulates that the implementation of temporary network control must be decided or approved by the State Council, which is very rigorous."
The full text is attached below:
Chapter I General Provisions
Article 1 This Law is formulated in order to ensure network security, safeguard cyberspace sovereignty and national security, and the public interest, protect the lawful rights and interests of citizens, legal persons, and other organizations, and promote the healthy development of economic and social informatization.
Article 2 This Law shall apply to the construction, operation, maintenance, and use of networks within the territory of the People's Republic of China, as well as the supervision and management of network security.
Article 3 The State adheres to the principle of giving equal importance to the development of network security and informatization, follows the principle of active use, scientific development, management in accordance with the law, and ensuring security, promotes the construction of network infrastructure and interconnection, encourages innovation and application of network technology, supports the training of network security talents, establishes and improves the network security guarantee system, and enhances network security protection capabilities.
Article 4 The state shall formulate and continuously improve the cybersecurity strategy, clarify the basic requirements and main objectives for ensuring cybersecurity, and propose cybersecurity policies, work tasks and measures in key areas.
Article 5 The state shall take measures to monitor, defend against, and deal with network security risks and threats originating from within and outside the territory of the People's Republic of China, protect critical information infrastructure from attack, intrusion, interference, and destruction, punish network illegal and criminal activities in accordance with the law, and maintain the security and order of cyberspace.
Article 6 The state advocates honest, trustworthy, healthy and civilized online behavior, promotes the dissemination of core socialist values, and takes measures to raise the network security awareness and level of the whole society, so as to create a good environment for the whole society to participate in promoting network security.
Article 7 The state actively carries out international exchanges and cooperation in cyberspace governance, network technology research and development and standard setting, and combating cyber crimes, promotes the building of a peaceful, secure, open, and cooperative cyberspace, and establishes a multilateral, democratic, and transparent network governance system.
Article 8 The national cybersecurity and informatization department is responsible for coordinating network security work and related supervision and management work. The telecommunications department, public security department and other relevant departments of the State Council are responsible for network security protection and supervision and management work within their respective responsibilities in accordance with the provisions of this Law and relevant laws and administrative regulations. The network security protection and supervision and management responsibilities of the relevant departments of local people's governments at or above the county level shall be determined in accordance with relevant national regulations.
Article 9 Network operators must comply with laws and administrative regulations, respect social morality, observe business ethics, be honest and trustworthy, fulfill their obligations to protect network security, accept supervision from the government and society, and assume social responsibility when carrying out business and service activities.
Article 10 When building, operating a network or providing services through the network, technical measures and other necessary measures shall be taken in accordance with the provisions of laws, administrative regulations and the mandatory requirements of national standards to ensure network security and stable operation, effectively respond to network security incidents, prevent network illegal and criminal activities, and maintain the integrity, confidentiality and availability of network data.
Article 11 Network-related industry organizations shall, in accordance with their charters, strengthen industry self-discipline, formulate cybersecurity behavioral norms, guide members to strengthen cybersecurity protection, improve the level of cybersecurity protection, and promote the healthy development of the industry.
Article 12 The state protects the rights of citizens, legal persons and other organizations to use the Internet according to law, promotes the popularization of Internet access, improves the level of Internet services, provides safe and convenient Internet services to society, and ensures the orderly and free flow of Internet information according to law. Any individual or organization using the Internet must abide by the Constitution and laws, observe public order, respect social morality, and must not endanger network security, nor use the Internet to engage in activities that endanger national security, honor and interests, incite subversion of the state power, overthrow the socialist system, incite secession of the country, undermine national unity, promote terrorism and extremism, promote ethnic hatred and ethnic discrimination, spread violent, obscene and pornographic information, fabricate and spread false information to disrupt economic and social order, and infringe upon the reputation, privacy, intellectual property rights and other legitimate rights and interests of others.
Article 13 The state supports the research and development of network products and services that are conducive to the healthy growth of minors, punishes the use of the Internet to engage in activities that endanger the physical and mental health of minors in accordance with the law, and provides a safe and healthy network environment for minors.
Article 14 Any individual or organization has the right to report any behavior that endangers network security to the Internet Information Office, Telecommunications Office, Public Security Bureau, etc. The department that receives the report shall promptly handle it in accordance with the law; if it does not fall within the responsibilities of the department, it shall promptly transfer it to the department with the authority to handle it. The relevant departments shall keep the relevant information of the whistleblower confidential and protect the whistleblower’s legitimate rights and interests.
Chapter II Network Security Support and Promotion
Article 15 The state shall establish and improve a network security standards system. The administrative department for standardization of the State Council and other relevant departments of the State Council shall, in accordance with their respective duties, organize the formulation and timely revision of national standards and industry standards for network security management and network products, services and operational security. The state supports enterprises, research institutions, universities, and network-related industry organizations to participate in the formulation of national and industry standards for network security.
Article 16 The State Council and the people's governments of provinces, autonomous regions, and municipalities directly under the Central Government shall coordinate planning, increase investment, support key network security technology industries and projects, support the research, development, and application of network security technology, promote secure and reliable network products and services, protect network technology intellectual property rights, and support enterprises, research institutions, and universities to participate in national network security technology innovation projects.
Article 17 The state promotes the establishment of a social network security service system and encourages relevant enterprises and institutions to carry out security services such as network security certification, testing and risk assessment.
Article 18 The state encourages the development of network data security protection and utilization technologies, promotes the opening of public data resources, and promotes technological innovation and economic and social development. The state supports innovative network security management methods and the use of new network technologies to improve the level of network security protection.
Article 19: People's governments at all levels and their relevant departments shall organize regular cybersecurity publicity and education, and guide and urge relevant units to do a good job in cybersecurity publicity and education. Mass media should carry out targeted cybersecurity publicity and education to the society.
Article 20 The state supports enterprises and educational and training institutions such as universities and vocational schools to carry out cybersecurity-related education and training, adopt various methods to cultivate cybersecurity talents, and promote the exchange of cybersecurity talents.
Chapter III Network Operation Security
Section 1 General Provisions
Article 21 The state implements a cybersecurity multi-level protection system. Network operators shall, in accordance with the requirements of the cybersecurity multi-level protection system, perform the following security protection obligations to protect the network from interference, destruction or unauthorized access, and prevent network data from being leaked, stolen or tampered with:
(1) Formulate internal security management systems and operating procedures, identify network security personnel, and implement network security protection responsibilities;
(2) Taking technical measures to prevent computer viruses, network attacks, network intrusions and other acts that endanger network security;
(3) Adopt technical measures to monitor and record network operation status and network security incidents, and retain relevant network logs for no less than six months in accordance with regulations;
(4) Adopting measures such as data classification, important data backup and encryption;
(5) Other obligations prescribed by laws and administrative regulations.
Article 22 Network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services shall not install malicious programs; when they discover that their network products and services have security defects, loopholes and other risks, they shall immediately take remedial measures, inform users in a timely manner in accordance with regulations, and report to the relevant competent authorities. Providers of network products and services shall provide continuous security maintenance for their products and services; they shall not terminate the provision of security maintenance within the prescribed period or the period agreed upon by the parties.
If network products and services have the function of collecting user information, their providers shall make it clear to users and obtain their consent; if it involves user personal information, they shall also comply with the provisions of this Law and relevant laws and administrative regulations on personal information protection.
Article 23: Critical network equipment and network security products must comply with the mandatory requirements of relevant national standards and must pass security certification or security testing by qualified institutions before they can be sold or provided. The national cybersecurity and informatization department will work with relevant departments of the State Council to formulate and publish a catalog of critical network equipment and network security products, and promote mutual recognition of security certification and security testing results to avoid duplicate certification and testing.
Article 24: When network operators provide users with network access, domain name registration services, fixed-line and mobile phone network access procedures, or provide users with information publishing, instant messaging and other services, they shall require users to provide real identity information when signing an agreement with the user or confirming the provision of services. If the user does not provide real identity information, the network operator shall not provide the relevant services to the user. The state implements a network trusted identity strategy, supports the research and development of safe and convenient electronic identity authentication technologies, and promotes mutual recognition between different electronic identity authentications.
Article 25 Network operators shall formulate emergency response plans for network security incidents and promptly deal with security risks such as system vulnerabilities, computer viruses, network attacks, and network intrusions; when an incident endangering network security occurs, they shall immediately activate the emergency response plan, take appropriate remedial measures, and report to the relevant competent authorities in accordance with regulations.
Article 26: Activities such as network security certification, testing, and risk assessment, and the release of network security information such as system vulnerabilities, computer viruses, network attacks, and network intrusions to the public must comply with relevant national regulations.
Article 27 No individual or organization shall engage in activities that endanger network security, such as illegally intruding into other people's networks, interfering with the normal functions of other people's networks, stealing network data, etc.; shall not provide programs or tools specifically used to engage in activities that endanger network security, such as intruding into networks, interfering with the normal functions and protective measures of networks, stealing network data, etc.; if knowing that others are engaged in activities that endanger network security, they shall not provide them with technical support, advertising promotion, payment settlement and other assistance.
Article 28 Network operators shall provide technical support and assistance to public security organs and state security organs in their activities to safeguard national security and investigate crimes in accordance with the law.
Article 29 The state supports cooperation between network operators in areas such as network security information collection, analysis, notification and emergency response, to improve the security protection capabilities of network operators.
Relevant industry organizations should establish and improve network security protection standards and cooperation mechanisms in their industries, strengthen analysis and assessment of network security risks, regularly issue risk warnings to members, and support and assist members in dealing with network security risks.
Article 30: Information obtained by cybersecurity and informatization departments and relevant departments in the performance of their network security protection duties may only be used for the needs of maintaining network security and may not be used for other purposes.
Section 2 Operational Security of Critical Information Infrastructure
Article 31 The state shall implement key protection for key information infrastructure in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government, as well as other critical information infrastructure that may seriously endanger national security, national economy and people's livelihood, and public interests if destroyed, loses function, or data is leaked, based on the network security multi-level protection system. The specific scope and security protection measures for critical information infrastructure shall be formulated by the State Council. The state encourages network operators other than critical information infrastructure to voluntarily participate in the critical information infrastructure protection system.
Article 32: In accordance with the division of responsibilities prescribed by the State Council, the departments responsible for the security protection of critical information infrastructure shall respectively formulate and organize the implementation of critical information infrastructure security plans in their respective industries and fields, and guide and supervise the security protection of critical information infrastructure operations.
Article 33: The construction of critical information infrastructure shall ensure that it has the performance to support stable and continuous business operations, and ensure that security technical measures are planned, constructed, and used simultaneously.
Article 34: In addition to the provisions of Article 21 of this Law, operators of critical information infrastructure shall also perform the following security protection obligations:
(1) Establish a special security management organization and a person in charge of security management, and conduct security background checks on the person in charge and personnel in key positions;
(2) Regularly provide cybersecurity education, technical training, and skills assessment to practitioners;
(3) Carry out disaster recovery backup of important systems and databases;
(4) Formulate emergency response plans for cybersecurity incidents and conduct regular drills;
(5) Other obligations prescribed by laws and administrative regulations.
Article 35: Where the procurement of network products and services by operators of critical information infrastructure may affect national security, they shall undergo a national security review organized by the National Cyberspace Administration of China in conjunction with relevant departments of the State Council.
Article 36: When operators of critical information infrastructure purchase network products and services, they shall sign security and confidentiality agreements with providers in accordance with regulations, clarifying security and confidentiality obligations and responsibilities.
Article 37: Personal information and important data collected and generated by operators of critical information infrastructure during operations within the territory of the People's Republic of China shall be stored within the territory of the People's Republic of China.
If it is necessary to provide such data overseas due to business needs, a security assessment shall be conducted in accordance with the measures formulated by the national cybersecurity and informatization department in conjunction with relevant departments of the State Council; if otherwise provided by laws and administrative regulations, such provisions shall apply.
Article 38 Operators of critical information infrastructure shall conduct testing and assessment of the security of their networks and possible risks at least once a year, either by themselves or by entrusting a network security service agency, and shall report the testing and assessment results and improvement measures to the relevant departments responsible for the security protection of critical information infrastructure.
Article 39: The national cybersecurity and informatization department shall coordinate relevant departments to take the following measures to protect the security of critical information infrastructure:
(1) Conduct random inspections of security risks of critical information infrastructure and propose improvement measures. If necessary, they may entrust network security service agencies to conduct inspections and assessments of security risks existing in the network;
(2) Regularly organize operators of critical information infrastructure to conduct cybersecurity emergency drills to improve their ability to respond to cybersecurity incidents and their coordination and cooperation capabilities;
(3) Promote the sharing of cybersecurity information among relevant departments, operators of critical information infrastructure, and relevant research institutions, cybersecurity service agencies, etc.;
(4) Providing technical support and assistance for emergency response to network security incidents and restoration of network functions.
Chapter 4 Network Information Security Article 40 Network operators shall strictly keep confidential the user information they collect and establish and improve a user information protection system. Article 41 Network operators shall collect and use personal information in accordance with the principles of lawfulness, legitimacy, and necessity, publicize the rules for collection and use, clearly state the purpose, method, and scope of collection and use of information, and obtain the consent of the person whose information is being collected. Network operators shall not collect personal information that is not related to the services they provide, shall not collect and use personal information in violation of the provisions of laws, administrative regulations and the agreement between the two parties, and shall process the personal information they store in accordance with the provisions of laws, administrative regulations and the agreement with users. Article 42 Network operators shall not disclose, tamper with, or destroy the personal information they collect; and shall not provide personal information to others without the consent of the person whose information is collected, except where the information cannot be identified after processing and cannot be restored. Network operators shall take technical measures and other necessary measures to ensure the security of the personal information they collect and prevent information leakage, damage, or loss. When personal information leakage, damage, or loss occurs or is likely to occur, remedial measures shall be taken immediately, and users shall be informed in a timely manner in accordance with regulations and reported to the relevant competent authorities. 
Article 43: If an individual discovers that a network operator has violated the provisions of laws, administrative regulations or the agreement between the two parties in collecting or using their personal information, they have the right to request that the network operator delete their personal information; if they discover that the personal information collected or stored by the network operator is incorrect, they have the right to request that the network operator correct it. The network operator shall take measures to delete or correct it. Article 44 No individual or organization may steal or obtain personal information by other illegal means, or illegally sell or provide personal information to others. Article 45: Departments and their staff that are lawfully responsible for network security supervision and management must strictly keep confidential the personal information, privacy, and commercial secrets that they become aware of in the course of performing their duties, and must not disclose, sell, or illegally provide them to others. Article 46 Any individual or organization shall be responsible for their use of the Internet and shall not establish websites or communication groups used for fraud, teaching criminal methods, manufacturing or selling prohibited or controlled items, or other illegal or criminal activities; and shall not use the Internet to publish information involving fraud, manufacturing or selling prohibited or controlled items, or other illegal or criminal activities. Article 47 Network operators shall strengthen the management of information posted by their users. If they discover information that is prohibited from being released or transmitted by laws or administrative regulations, they shall immediately stop transmitting the information, take measures such as elimination to prevent the spread of the information, preserve relevant records, and report to the relevant competent authorities. 
Article 48: Electronic information sent or application software provided by any individual or organization must not contain malicious programs or information prohibited from being released or transmitted by laws or administrative regulations. Providers of electronic information delivery services and application software download services shall fulfill their security management obligations. If they know that their users have engaged in conduct specified in the preceding paragraph, they shall stop providing services, adopt measures such as elimination, preserve relevant records, and report to the relevant competent authorities. Article 49 Network operators shall establish a network information security complaint and reporting system, publish information such as complaint and reporting methods, and promptly accept and handle complaints and reports related to network information security. Network operators should cooperate with the supervision and inspection carried out by the Internet Information Office and relevant departments in accordance with the law. Article 50 The national cybersecurity and informatization department and relevant departments shall perform their network information security supervision and management duties in accordance with the law. If they discover information that is prohibited from being released or transmitted by laws or administrative regulations, they shall require network operators to stop transmission, take measures such as elimination, and preserve relevant records; for the above information originating from outside the People's Republic of China, they shall notify relevant agencies to take technical measures and other necessary measures to block its dissemination. Chapter V Monitoring, Early Warning and Emergency Response Article 51 The State shall establish a network security monitoring, early warning and information reporting system. 
The national cybersecurity and informatization department shall coordinate relevant departments to strengthen the collection, analysis and reporting of network security information, and shall uniformly release network security monitoring and early warning information in accordance with regulations. Article 52: Departments responsible for the security protection of critical information infrastructure shall establish and improve network security monitoring, early warning and information reporting systems for their industries and fields, and report network security monitoring and early warning information in accordance with regulations. Article 53 The national cybersecurity and informatization department coordinates relevant departments to establish and improve cybersecurity risk assessment and emergency response mechanisms, formulate emergency response plans for cybersecurity incidents, and organize drills on a regular basis. The department responsible for the security protection of critical information infrastructure shall formulate emergency response plans for network security incidents in its industry and field, and organize drills regularly. The emergency response plan for cybersecurity incidents should classify cybersecurity incidents according to factors such as the degree of harm and scope of impact after the incident, and stipulate corresponding emergency response measures.
Article 54: When the risk of a cybersecurity incident increases, the relevant departments of the people's government at or above the provincial level shall adopt the following measures in accordance with the prescribed authority and procedures, and based on the characteristics of the cybersecurity risk and the possible harm it may cause: (1) Require relevant departments, institutions and personnel to collect and report relevant information in a timely manner and strengthen the monitoring of network security risks; (2) Organize relevant departments, institutions and professionals to analyze and evaluate cybersecurity risk information and predict the likelihood of incidents, the scope of impact and the degree of harm; (3) Issue cybersecurity risk warnings to the public and announce measures to avoid or mitigate harm. Article 55: When a cybersecurity incident occurs, the cybersecurity incident emergency plan shall be immediately activated, an investigation and assessment of the cybersecurity incident shall be conducted, network operators shall be required to take technical measures and other necessary measures to eliminate potential security risks and prevent the expansion of harm, and public warning information shall be promptly released to the society. Article 56: When relevant departments of the people's government at or above the provincial level discover that a network has a significant security risk or a security incident while performing their network security supervision and management duties, they may interview the legal representative or principal person in charge of the network operator in accordance with the prescribed authority and procedures. Network operators shall take measures to rectify and eliminate hidden dangers as required. 
Article 57 If an emergency or production safety accident occurs due to a network security incident, it shall be handled in accordance with the provisions of the "Emergency Response Law of the People's Republic of China", "Production Safety Law of the People's Republic of China" and other relevant laws and administrative regulations. Article 58: Where necessary to maintain national security and social public order, or to handle major public security incidents, temporary measures such as restrictions on network communications may be taken in specific areas upon decision or approval by the State Council. Chapter VI Legal Liability Article 59 Where a network operator fails to perform the network security protection obligations provided for in Articles 21 and 25 of this Law, the relevant competent department shall order it to make corrections and give it a warning; where it refuses to make corrections or where such corrections result in consequences that endanger network security, a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed, and the directly responsible supervisor shall be fined not less than RMB 5,000 but not more than RMB 50,000. If the operator of critical information infrastructure fails to perform the network security protection obligations stipulated in Articles 33, 34, 36 and 38 of this Law, the relevant competent department shall order it to correct the problem and give it a warning; if it refuses to correct the problem or causes consequences such as endangering network security, it shall be fined not less than RMB 100,000 yuan but not more than RMB 1 million, and the directly responsible supervisor shall be fined not less than RMB 10,000 yuan but not more than RMB 100,000 yuan. 
Article 60 Where any of the following acts are committed in violation of the provisions of paragraphs 1 and 2 of Article 22 and paragraph 1 of Article 48 of this Law, the relevant competent department shall order rectification and give warnings; where rectification is refused or results in consequences such as endangering network security, a fine of not less than RMB 50,000 but not more than RMB 500,000 shall be imposed, and the directly responsible supervisor shall be fined not less than RMB 10,000 but not more than RMB 100,000: (1) installing malicious programs; (2) failing to take immediate remedial measures for security defects, loopholes and other risks in its products and services, or failing to promptly inform users and report to relevant competent authorities in accordance with regulations; (3) terminating the provision of security maintenance for its products or services without authorization. Article 61 Where a network operator violates the provisions of the first paragraph of Article 24 of this Law by failing to require users to provide real identity information, or providing relevant services to users who do not provide real identity information, the relevant competent department shall order it to make corrections; if it refuses to make corrections or the circumstances are serious, it shall be fined not less than RMB 50,000 but not more than RMB 500,000, and the relevant competent department may order it to suspend relevant business, suspend operations for rectification, close its website, revoke its relevant business permit or business license, and impose a fine of not less than RMB 10,000 but not more than RMB 100,000 on the directly responsible supervisor and other directly responsible persons. 
Article 62 Where a person, in violation of the provisions of Article 26 of this Law, carries out network security certification, detection, risk assessment and other activities, or publishes to the public network security information such as system vulnerabilities, computer viruses, network attacks and network intrusions, the relevant competent department shall order correction and give a warning; where correction is refused or the circumstances are serious, a fine of not less than RMB 10,000 and not more than RMB 100,000 shall be imposed, and the relevant competent department may order the suspension of relevant business, suspension of operations for rectification, closure of the website, or revocation of the relevant business permit or business license, and the directly responsible supervisor and other directly responsible persons shall be fined not less than RMB 5,000 and not more than RMB 5,000. Article 63 Where a person, in violation of the provisions of Article 27 of this Law, engages in activities that endanger network security, or provides procedures and tools specifically used to engage in activities that endanger network security, or provides technical support, advertising promotion, payment settlement and other assistance to others engaging in activities that endanger network security, and the conduct does not constitute a crime, the public security organ shall confiscate the illegal gains and impose detention of not more than five days, and may impose a fine of not more than five yuan but not more than five million yuan; if the circumstances are serious, detention of not more than five days but not more than fifteen days shall be imposed, and a fine of not more than one million yuan may be imposed.
If an organization commits the acts in the preceding paragraph, the public security organ shall confiscate the illegal gains and impose a fine of not less than RMB 100,000 and not more than RMB 1 million, and the directly responsible supervisors and other directly responsible persons shall be punished in accordance with the provisions of the preceding paragraph. Persons who violate the provisions of Article 27 of this Law and receive a public security management punishment shall not hold key positions in network security management and network operations within five years; persons who are subject to criminal punishment shall not hold key positions in network security management and network operations for life. Article 64 Where a network operator or provider of network products or services violates the provisions of paragraph 3 of Article 22 or Articles 41 to 43 of this Law and infringes on the right to have personal information protected in accordance with the law, the relevant competent department shall order correction. According to the circumstances, a warning may be issued, the illegal gains may be confiscated, or a fine of not more than one times but not more than ten times the illegal gains may be imposed. If there are no illegal gains, a fine of not more than one million yuan shall be imposed, and a fine of not more than RMB 10,000 and not more than RMB 100,000 shall be imposed on the directly responsible supervisors and other directly responsible persons; if the circumstances are serious, they may be ordered to suspend relevant business, suspend business and rectify the website, or have the relevant business permit or business license revoked.
Where a person, in violation of Article 44 of this Law, steals or obtains personal information by other illegal means, or illegally sells or provides personal information to others, and the conduct does not constitute a crime, the public security organ shall confiscate the illegal gains and impose a fine of not more than one times but not more than ten times the illegal gains. If there are no illegal gains, a fine of not more than one million yuan shall be imposed. Article 65 Where the operator of a critical information infrastructure violates the provisions of Article 35 of this Law and uses network products or services that have not undergone security review or have not passed security review, the relevant competent department shall order it to stop using them and impose a fine of not more than one times but not more than ten times the purchase amount; the directly responsible supervisor and other directly responsible persons shall be fined not less than RMB 10,000 and not more than RMB 100,000. Article 66 Where the operator of a critical information infrastructure violates the provisions of Article 37 of this Law by storing network data overseas or providing network data abroad, the relevant competent department shall order correction, give a warning, confiscate the illegal income, and impose a fine of not less than RMB 50,000 and not more than RMB 500,000, and may order the suspension of relevant business, closure of the website, or revocation of the relevant business permit or business license; the directly responsible supervisors and other directly responsible persons shall be fined not less than RMB 10,000 and not more than RMB 100,000.
Article 67 Where a person, in violation of Article 46 of this Law, establishes a website or communication group used to carry out illegal and criminal activities, or uses the network to publish information involving the carrying out of illegal and criminal activities, and the conduct does not constitute a crime, the public security organ shall impose detention of not more than five days and may impose a fine of not less than RMB 10,000 and not more than RMB 100,000; if the circumstances are serious, detention of not less than five days and not more than fifteen days shall be imposed, and a fine of not less than RMB 500,000 and not more than RMB 500,000 may be imposed. Websites and communication groups used to commit illegal and criminal activities shall be closed. If an organization commits the acts in the preceding paragraph, the public security organ shall impose a fine of not less than RMB 100,000 and not more than RMB 500,000, and the directly responsible supervisors and other directly responsible persons shall be punished in accordance with the provisions of the preceding paragraph. Article 68 Where a network operator violates the provisions of Article 47 of this Law and fails to stop transmitting information prohibited by laws and administrative regulations, to take measures such as elimination, and to keep relevant records, the relevant competent department shall order correction, give a warning, and confiscate the illegal gains; where correction is refused or the circumstances are serious, a fine of not less than RMB 100,000 and not more than RMB 500,000 shall be imposed, and the relevant competent department may order the suspension of relevant business, suspension of operations for rectification, closure of the website, or revocation of the relevant business permit or business license, and impose a fine of not more than RMB 10,000 and not more than RMB 100,000 on the directly responsible supervisors and other directly responsible persons.
If an electronic information sending service provider or application software download service provider fails to fulfill the security management obligations stipulated in paragraph 2 of Article 48 of this Law, it shall be punished in accordance with the provisions of the preceding paragraph. Article 69 Where a network operator violates the provisions of this Law and commits any of the following acts, the relevant competent department shall order correction; where correction is refused or the circumstances are serious, a fine of not less than RMB 50,000 and not more than RMB 500,000 shall be imposed on the directly responsible supervisor and other directly responsible persons: (1) Failing to take measures such as stopping transmission and elimination, as required by relevant departments, with respect to information that laws and administrative regulations prohibit from being published or transmitted; (2) Refusing or obstructing the supervision and inspection carried out by relevant departments in accordance with the law; (3) Refusing to provide technical support and assistance to public security organs and state security organs. Article 70 Where information prohibited from being published or transmitted by paragraph 2 of Article 12 of this Law or by other laws and administrative regulations is published or transmitted, punishment shall be imposed in accordance with the provisions of relevant laws and administrative regulations. Article 71 Illegal acts stipulated in this Law shall be recorded in the credit file in accordance with the provisions of relevant laws and administrative regulations and made public. Article 72 If the operator of a government network of a state organ fails to perform the network security protection obligations stipulated in this Law, its superior authority or relevant authority shall order it to correct the problem; the directly responsible supervisors and other directly responsible persons shall be punished in accordance with the law.
Article 73 If the Internet Information Department and relevant departments violate the provisions of Article 30 of this Law and use the information obtained in the performance of network security protection duties for other purposes, the directly responsible supervisors and other directly responsible persons shall be punished in accordance with the law. If the staff of the Internet Information Department and relevant departments neglect their duties, abuse their power, or commit favoritism and fraud, and the conduct does not constitute a crime, they shall be punished in accordance with the law. Article 74 Anyone who violates the provisions of this Law and causes damage to others shall bear civil liability in accordance with the law. Where a violation of the provisions of this Law constitutes a violation of public security management, a public security management punishment shall be imposed in accordance with the law; where it constitutes a crime, criminal liability shall be pursued in accordance with the law. Article 75 If overseas institutions, organizations and individuals engage in activities that endanger critical information infrastructure, such as attacks, intrusions, interference and sabotage, and cause serious consequences, they shall be held legally responsible in accordance with the law; the public security department of the State Council and relevant departments may also decide to take property freezing or other necessary sanctions against those institutions, organizations and individuals. Chapter VII Supplementary Provisions Article 76 The following terms in this Law have the following meanings: (1) Network refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information in accordance with certain rules and procedures.
(2) Network security refers to the ability to prevent attacks, intrusions, interference, destruction, illegal use and accidents on the network, and to ensure the integrity, confidentiality and availability of network data by taking necessary measures. (3) Network operator refers to the owner, manager and network service provider of the network. (4) Network data refers to various electronic data collected, stored, transmitted, processed and generated through the network. (5) Personal information refers to various information, recorded electronically or by other means, that can identify the personal identity of a natural person alone or in combination with other information, including but not limited to the name, date of birth, ID number, personal biometric information, address, telephone number, etc. of a natural person. Article 77: In addition to complying with this Law, the operation security protection of networks that store and process state secret information shall also comply with the provisions of confidentiality laws and administrative regulations. Article 78 The security protection of military networks shall be separately stipulated by the Central Military Commission. Article 79 This Law shall come into force on June 1, 2017.