China: Implemented Cybersecurity Law including cybersecurity provisions

On 1 June 2017, the Cybersecurity Law of China, which contains extensive cybersecurity regulations for those building, operating, maintaining, and using networks, as well as rules on cybersecurity supervision by the state, has been implemented. The law introduces a multi-level protection system, obligating network operators to implement a number of security measures, such as adopting internal cybersecurity policies, technical security systems, recording cybersecurity incidents, as well as classifying, encrypting, and backing up certain types of data. Further, the law prohibits a number of activities endangering cybersecurity, such as illegal intrusion into the networks of other parties, disrupting the normal functioning of the networks of other parties, and stealing network data. Operators of critical information infrastructure are subject to additional cybersecurity requirements, such as conducting background checks on individuals holding critical positions, providing education and technical training, and conducting disaster recovery backups and periodic drills. When critical information infrastructure operators use products or services which may endanger national security, they can be subject to a cybersecurity review. The law also establishes applicable fines for violations of its provisions.