The cybersecurity classified protection regime attracted significant attention when it was included in the PRC Cyber Security Law promulgated in 2017 (the "CSL"). The CSL mandates that Network Operators follow certain security requirements based on the levels of risk associated with their networks. However, the CSL did not provide much detail as to how the classification should work in practice, nor did it specify how the security obligations and requirements attached to different levels vary. The Ministry of Public Security released the draft Regulations for Cybersecurity Classified Protection (the "Classified Protection Regulations") for public comment in June 2018. The Classified Protection Regulations provided some degree of guidance, but industry has been very interested to see more detailed technical guidance to ensure compliance with the general and vague requirements of the CSL in this area.
The publication in May 2019 of three new national standards, namely the Information Security Technology - Baseline for Classified Protection of Cybersecurity (GB/T 22239-2019), the Information Security Technology - Evaluation Requirement for Classified Protection of Cybersecurity (GB/T 28448-2019), and the Information Security Technology - Technical Requirements of Security Design for Classified Protection of Cybersecurity (GB/T 25070-2019) (the "New Standards"), is intended to bridge the practical compliance gap.
The three New Standards, although non-binding, are critical to the interpretation of the Classified Protection requirements, and effectively bring these requirements forward to a "version 2.0", applicable to local companies and international businesses alike with operations in mainland China.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.