[Editor to fill: 200-word domain overview.]
Critical Information Infrastructure.
关键信息基础设施
Identification and protection obligations for CII operators (CIIO) under CSL and the CII Protection Regulations.
The legal corpus.
7 laws.
- CII Regulations Security Protection Regulations for Critical Information Infrastructure 关键信息基础设施安全保护条例
- REGULATION Regulation on Network Data Security Management 网络数据安全管理条例
- RULE Cybersecurity Review Measures 网络安全审查办法
- CSL Cybersecurity Law of the People's Republic of China (2025 Amendment) 中华人民共和国网络安全法(2025 修正)
- Financial Sector Cybersecurity Measures (Draft) Measures for Cybersecurity Management in the Financial Sector (Draft for Comment) 金融业网络安全管理办法(征求意见稿)
- CII Commercial Cryptography Provisions Provisions on the Administration of the Use of Commercial Cryptography in Critical Information Infrastructure 关键信息基础设施商用密码使用管理规定
- Banking & Insurance Cybersecurity Measures (Draft) Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors (Draft for Public Consultation) 银行业保险业网络安全管理办法(征求意见稿)
In this domain.
3 briefs.
- § 01 · CYBERSECURITY
NFRA Opens Consultation on Banking and Insurance Cybersecurity Measures: 72 Articles, a Four-Tier Incident Scale, and a Hard CII Chapter
The National Financial Regulatory Administration is consulting on the Measures for the Administration of Cybersecurity in the Banking and Insurance Sectors — a 72-article draft that would give banks, insurers, and financial holding companies a single cybersecurity rulebook under the CSL, DSL, PIPL, and CII Regulations. It fixes board-level responsibility, a six-month log-retention floor, annual penetration testing, a four-tier incident scale with a two-hour reporting clock, and a dedicated critical-information-infrastructure chapter with a one-hour reporting deadline, domestic-operation and disaster-recovery requirements, and annual procurement-list reporting. Comments close August 10, 2026.
- § 02 · IMPORTANT-DATA
Are You Caught by the Annual Assessment? TRIMPS's Self-Identification Guide for 'Important-Data Handlers'
With the Network Data Security Risk Assessment Measures (Order No. 24) taking effect August 20, 2026, the annual risk-assessment duty stops being a principle and becomes a hard calendar event — but only for 'important-data handlers' (重要数据处理者). DCC's summary of a self-identification guide from the Data Security R&D Center of the Ministry of Public Security's Third Research Institute (公安部三所 / TRIMPS), author Lü Mingxuan, walks the threshold test the institution that helps draft the standards wants processors to run before the clock starts. There are three independent gates, any one of which puts you in: (1) you process data meeting the 'important data' definition under Article 62 of the Network Data Security Management Regulation; (2) the deeming rule — you process the personal information of more than 10 million people, which pulls you into the important-data duties of Regulation Arts. 30 and 32 regardless of whether you hold any 'important data'; or (3) your data sits on a regional, departmental, or sectoral important-data catalogue. Entrusted processors inherit the duty from an important-data-handler client; CIIO status and important-data-handler status are separate, intersecting tests; and identifying important data runs through GB/T 43697-2024 Appendix G's 18 factors plus the applicable catalogues. The guide then lays out the operating requirements once you are in: annual mandatory assessment plus trigger-based instant assessments, a stacked PIPIA for the 10-million-PI cohort, three-year report retention, and submission within 20 working days. DCC's read for overseas counsel: classification is the gate, the 10-million-PI deeming rule is the trap for consumer businesses with no 'important data' at all, and the self-ID needs to happen now.
- § 03 · CRITICAL-INFORMATION-INFRASTRUCTURE
Are You a CII Operator or an Important-Data Handler? A Practitioner's Assessment Framework Under China's New Rules
China's Cybersecurity Law, Data Security Law, and Network Data Security Management Regulations impose materially heavier compliance obligations on critical information infrastructure (CII) operators (关键信息基础设施运营者) and important-data handlers (重要数据处理者) than on ordinary data processors. This brief, drawing on a DEXC+ practitioner analysis by Gu Qingzhuo (古青卓) of the Shenzhen Data Exchange compliance team, explains how the two statuses are determined under the current framework, why neither is self-evident from a company's own assessment alone, how recent rules — including the Regulations on Promoting and Regulating Cross-Border Data Flows and the national standard GB/T 43697-2024 — have clarified but not fully resolved the important-data identification problem, and what overseas counsel should do when advising clients that operate in China's critical sectors.