Critical Information Infrastructure Operators (CIIOs) are a central but so far vaguely defined concept in China’s new cybersecurity and data protection system. With the regulations on critical information infrastructure protection (“the regulations”) that came into force on September 1, 2020, the government is creating more transparency while at the same time increasing the pressure on companies operating in China.
Whether a company is a critical information infrastructure operator is ultimately decided by the authorities on a case-by-case basis. In principle, CIIOs can belong to industries such as telecommunications and information, energy, transportation, water management, and finance, among others, but a CIIO can also be “any other major network operator” whose malfunction, damage, or data leak would affect national security.
Foreign companies can also be identified as CIIOs by the authorities and must then meet the same requirements as Chinese companies, which are specified in Article 6 of the regulations. For example, they are required to establish a security management system, screen key employees in cooperation with the authorities and police, and conduct regular risk assessments of their overall network security.
The strict regulations, some of which are still unclear, pose a major challenge for companies classified as CIIOs. Coupled with other data protection laws such as the Personal Information Protection Law (PIPL), which goes into effect Nov. 1, data protection requirements are increasing substantially.
Non-compliance can result in fines of up to RMB 1 million, in addition to correction orders or confiscation of company income. Individuals in key positions may also be held liable. In addition, not only the CIIOs but also their cybersecurity service providers are liable in the event of a data leak.