中英对照2021关键信息基础设施安全保护条例.docx

RegulationonProtectingtheSecurityofCriticalInformationInfrastructureDocumentNumber：OrderNo.745oftheStateCouncilofthePeople'sRepublicofChinaAreaofLaw:NetworkSecurityManagement1.evelofAuthority：AdministrativeRegulationsIssuingAuthority：StateCouncilDateIssued：07-30-2021EffectiveDate:09-01-2021Status:EffectiveOrderoftheStateCouncilofthePeople'sRepublicofChina(No.745)TheRegulationonProtectingtheSecurityofCriticalInformationInfrastructure,asadoptedatthe133rdexecutivemeetingoftheStateCouncilonApril27,2021,isherebyissuedandshallcomeintoforceonSeptember1,2021.Premier:LiKeqiangJuly30,2021RegulationonProtectingtheSecurityofCriticalinformationInfrastructureChapterIGeneralProvisions中华人民共和国国务院令（第745号）关键信息基础设施安全保护条例已经2021年4月27日国务院第133次常务会议通过，现予公布，自2021年9月1日起施行。总理李克强2021年7月30日关键信息基础设施安全保护条例第一章总则Article1ThisRegulationisformulatedinaccordancewith第一条为了保障关键信息基础设施安全，维护网络安全，根据中华人民共和国网络安全法，制定本条例。theCybersecurityLawofthePeople'sRepublicofChinainordertoensurethesecurityofcriticalinformationinfrastructure(hereinafterreferredtoas4tCI,)andmaintaincybersecurity.第二条本条例所称关键信息基础设施，是指公共 通信和信息服务、能源、交通、水利、金融、公共服务、 电子政务、国防科技工业等重要行业和领域的，以及其他 一旦遭到破坏、丧失功能或者数据泄露，可能严重危害国 家安全、国计民生、公共利益的重要网络设施、信息系统 等。Article2ForthepurposesofthisRegulation,4tCI,meansanyofnetworkfacilitiesandinformationsystemsinimportantindustriesandfieldssuchaspubliccommunicationandinformationservices,energy,transportation,waterconservancy,finance,publicservices,e-govemment,andscience,technologyandindustryfornationaldefensethatmayseriouslyendangernationalsecurity,nationaleconomyandpeople'slivelihood,andpublicinterestsintheeventthattheyaredamagedorlosetheirfunctionsortheirdataareleaked.第三条在国家网信部门统筹协调下，国务院公安 部门负责指导监督关键信息基础设施安全保护工作。国务 院电信主管部门和其他有关部门依照本条例和有关法律、 行政法规的规定，在各自职责范围内负责关键信息基础设 施安全保护和监督管理工作。Article3Undertheoverallcoordinationofthenationalcyberspaceadministration,thepublicsecuritydepartmentundertheStateCouncilshallberesponsibleforguidingandsupervisingtheCilsecurityprotection.ThetelecommunicationsdepartmentandotherrelevantdepartmentsundertheStateCouncilshallberesponsibleforthesecurityprotection,supervision,andadministrationinrespectofCIIwithintheirrespectiveresponsibilitiesinaccordancewiththeprovisionsofthisRegulationandrelevantlawsandadministrativeregulations.省级人民政府有关部门依据各自职责对关键信息基础设施 实施安全保护和监督管理。Therelevantdepartmentsoftheprovincialpeople,sgovernmentshallimplementsecurityprotection,supervision,andadministrationinrespectofCIIaccordingtotheirrespectiveresponsibilities.Article4TheCIIsecurityprotectionshalladheretooverallcoordination,divisionofresponsibilities,andlaw-basedprotection.CIIoperators(hereinafterreferredtoasuCIIOm)shallberequiredtoassumeprimaryresponsibilities,andtheroleofthepeople'sgovernmentsandnon-govemmentsectorsshallbefullyleveraged,soastojointlyprotecttheCIIsecurity.Article5TheslateshallgiveprioritytotheprotectionofCIIspecificallybytakingmeasurestomonitor,defendagainst,andhandlecybersecurityrisksandthreatsoriginatinginsideandoutsidethePeople'sRepublicofChinasoastoprotecttheCIIfromattack,intrusion,interference,andsabotage,andpunishinginaccordancewiththelawillegalandcriminalactivitiesendangeringtheCllsecurity.Noindividualororganizationmayengageinanyactivityofillegallyhackinginto,interferingwith,ordamaginganyCIIorendangertheCIIsecurity.Article6ACIIOshall,inaccordancewiththeprovisionsofthisRegulation,applicablelaws,andadministrativeregulations,aswellasthemandatoryrequirementsofnationalstandards,andonthebasisoftheclassifiedcybersecurityprotection,taketechnicalprotectionandothernecessarymeasurestocopewithcybersecurityevents,guardagainstcyber-attacksandillegalandcriminalactivities,ensurethesafeandstableoperationoftheCU,andmaintaindataintegrity,confidentiality,andavailability.第四条关键信息基础设施安全保护坚持综合协调、分工负责、依法保护，强化和落实关键信息基础设施运营者（以下简称运营者）主体责任，充分发挥政府及社会各方面的作用，共同保护关键信息基础设施安全。第五条国家对关键信息基础设施实行重点保护，采取措施，监测、防御、处置来源于中华人民共和国境内外的网络安全风险和威胁，保护关键信息基础设施免受攻击、侵入、干扰和破坏，依法惩治危害关键信息基础设施安全的违法犯罪活动。任何个人和组织不得实施非法侵入、干扰、破坏关键信息基础设施的活动，不得危害关键信息基础设施安全。第六条运营者依照本条例和有关法律、行政法规的规定以及国家标准的强制性要求，在网络安全等级保护的基础上，采取技术保护措施和其他必要措施，应对网络安全事件，防范网络攻击和违法犯罪活动，保障关键信息基础设施安全稳定运行，维护数据的完整性、保密性和可用性。Article7EntitiesandindividualsthathavemadeoutstandingachievementsorcontributionsintheCIIsecurityprotectionshallbecommendedinaccordancewiththerelevantprovisionsofthestate.ChapterIIThedeterminationofCIIArticle 8 ThecompetentauthoritiesandsupervisionandadministrationdepartmentsofimportantindustriesandfieldssetforthinArticle2ofthisRegulationarethedepartmentsresponsiblefortheCIIsecurityprotection(hereinafterreferredtoastheprotectiondepartments").Article 9 TheprotectiondepartmentshalldeveloptherulesforthedeterminationofCIIaccordingtotheactualconditionsoftheindustryandfieldconcerned,andfilethemwiththepublicsecuritydepartmentundertheStateCouncil.IndevelopingtherulesforthedeterminationofCU,thefollowingfactorsshallbetakenintoaccount:(1) Theimportanceof,amongothers,networkfacilitiesandinformationsystemstokeycorebusinessesintheindustryandfieldconcerned;(2) Theextentofpossibledamage,amongothers,tonetworkfacilitiesandinformationsystems,oncetheyaredamagedorlosetheirfunctionsortheirdataareleaked;and第七条对在关键信息基础设施安全保护工作中取得显著成绩或者作出突出贡献的单位和个人，按照国家有关规定给予表彰。第二章关键信息基础设施认定第八条本条例第二条涉及的重要行业和领域的主管部门、监督管理部门是负责关键信息基础设施安全保护工作的部门（以下简称保护工作部门）。第九条保护工作部门结合本行业、本领域实际，制定关键信息基础设施认定规则，并报国务院公安部门备案。制定认定规则应当主要考虑下列因素：（一）网络设施、信息系统等对于本行业、本领域关键核心业务的重要程度；(3) Relevance to other industries and fields.（）对其他行业和领域的关联性影响。（二）网络设施、信息系统等一旦遭到破坏、丧失功能或者数据泄露可能带来的危害程度；Article 10 TheprotectiondepartmentshallberesponsiblefororganizingthedeterminationofCIIintheindustryandfieldconcernedaccordingtothedeterminationrules,andinformtheCIIOofthedeterminationresultsinatimelymannerandnotifythepublicsecuritydepartmeniundertheStaleCouncilofthesame.Article 11 IfanyCIIhasundergoneamorchange,whichmayaffectitsdeterminationresults,theCIIOshallreporttherelevantinformationtotheprotectiondepartmentinatimelymanner.Theprotectiondepartmentshallcompletetheredeterminationwithinthreemonthsofreceiptofsuchreport,informtheCIIOofthedeterminationresults,andnotifythepublicsecuritydepartmentundertheStateCouncilofthesame.ChapterIIIResponsibilitiesandObligationsofCIIOsArticle 12 Securityprotectionmeasuresshallbeplanned,constructed,andusedintandemwiththeplanning,construction,anduseofCILArticle 13 ACIIOshallestablishandimproveacybersecurityprotectionsystemandaresponsibilitysystemtoensuretheinputofhuman,financial,andmaterialresources.TheheadofaCIIOshallassumeoverallresponsibilityfortheCIIsecurityprotection,leadtheCIIsecurityprotectionandthehandlingofmajorcybersecurityevents,andmakearrangementsforresearchintoandsolutionofmajor第十条保护工作部门根据认定规则负责组织认定本行业、本领域的关键信息基础设施，及时将认定结果通知运营者，并通报国务院公安部门。第H-一条关键信息基础设施发生较大变化，可能影响其认定结果的，运营者应当及时将相关情况报告保护工作部门。保护工作部门自收到报告之日起3个月内完成重新认定，将认定结果通知运营者，并通报国务院公安部门。第三章运营者责任义务第十二条安全保护措施应当与关键信息基础设施同步规划、同步建设、同步使用。第十三条运营者应当建立健全网络安全保护制度和责任制，保障人力、财力、物力投入。运营者的主要负责人对关键信息基础设施安全保护负总责，领导关键信息基础设施安全保护和重大网络安全事件处置工作，组织研窕解决重大网络安全问题。cybersecurityproblems.Article 14 ACIIOshallsetupaspecialsecuritymanagementorganization,andconductsecuritybackgroundcheckontheheadofsuchorganizationandthepersonnelinkeypositions.Publicsecurityorgansandstatesecurityorgansshallprovideassistanceinsuchcheck.Article 15 ThespecialsecuritymanagementorganizationshallberesponsiblefortheCIIsecurityprotectionoftheentitytowhichitbelongs,andperformthefollowingresponsibilities:(1) Establishingandimprovingacybersecuritymanagementandevaluationsystem,anddrawingupaCIIsecurityprotectionplan;(2) Organizingtheimprovementofcybersecurityprotectioncapacity,andcarryingoutcybersecuritymonitoring,testing,andriskassessment;(3) Developingthecontingencyplansoftheentitybasedonthenationalandindustrycontingencyplansforcybersecurityevents,regularlycarryingoutemergencydrills,andhandlingcybersecurityevents;(4) Determiningkeypositionsinrespectofcybersecurity,organizingtheevaluationofcybersecurity-re1atedwork,andputtingforwardsuggestionsforrewardsandpunishments;第十四条运营者应当设置专门安全管理机构，并对专门安全管理机构负责人和关键岗位人员进行安全背景审查。审查时，公安机关、国家安全机关应当予以协助。第十五条专门安全管理机构具体负责本单位的关键信息基础设施安全保护工作，履行下列职责：（一）建立健全网络安全管理、评价考核制度，拟订关键信息基础设施安全保护计划：（二）组织推动网络安全防护能力建设，开展网络安全监测、检测和风险评估；（三）按照国家及行业网络安全事件应急预案，制定本单位应急预案，定期开展应急演练，处置网络安全事件：（四）认定网络安全关键岗位，组织开展网络安全工作考核，提出奖励和惩处建议；(5) Organizingeducationandtrainingincybersecurity;（五）组织网络安全教育、培训I；(6) Fulfillingtheresponsibilityforprotectingthesecurityofpersonalinformationanddata,andestablishingandimprovingasecurityprotectionsystemforpersonalinformationanddata;(7) Implementingsecuritymanagementforthedesign,construction,operation,maintenance,andothersen,icesinrespectofCU;and(8) Reportingcybersecurityeventsandimportantmailersasrequired.Article 16 ACIIOshallensuretheoperatingexpensesofthespecialsecuritymanagementorganization,stafftheorganization,andinvolvecertainindividualsofthereofindecision-makingrelatedtocybersecurityandinformatization.Article 17 ACIIOshallconductcybersecurityinspectionandriskassessmentofitsClIatleastonceayeardirectlyorthroughacybersecurityserviceprovider.Itshalltaketimelycorrectiveactionagainstthesecurityproblemsfound,andsubmittheinformationaccordingtotherequirementsoftheprotectiondepartment.Article 18 WhenamajorcybersecurityeventoccurstoCIIoramajorcybersecuritythreatisfound,theCIIOshall,asrequired,reportthesametotheprotectiondepartmentandthepublicsecurityorgan.Intheeventofaparticularlyseriouscybersecurityeventoraparticularlyseriouscybersecuritythreat,suchastheoverall（六）履行个人信息和数据安全保护责任，建立健全个人信息和数据安全保护制度：（七）对关键信息基础设施设计、建设、运行、维护等服务实施安全管理；（八）按照规定报告网络安全事件和重要事项。第十六条运营者应当保障专门安全管理机构的运行经费、配备相应的人员，开展与网络安全和信息化有关的决策应当有专门安全管理机构人员参与。第十七条运营者应当自行或者委托网络安全服务机构对关键信息基础设施每年至少进行一次网络安全检测和风险评估，对发现的安全问题及时整改，并按照保护工作部门要求报送情况。第十八条关键信息基础设施发生重大网络安全事件或者发现重大网络安全威胁时，运营者应当按照有关规定向保护工作部门、公安机关报告。发生关键信息基础设施整体中断运行或者主要功能故障、国家基础信息以及其他重要数据泄露、较大规模个人信息interruptionoftheoperationofCIIorfailureofitsmajorfunctions,leakageofnationalbasicinformationandotherimportantdata,large-scaleleakageofpersonalinformation,significanteconomicloss,andwidespreadofillegalinformation,theprotectiondepartmentshall,afterreceiptofthereport,reportthesametothenationalcyberspaceadministrationandthepublicsecuritydepartmentundertheStateCouncilinatimelymanner.Article 19 ACIIOshallgiveprioritytopurchasingsafeandcrediblenetworkproductsandservices;Ifthepurchaseofnetworkproductsandservicesmayaffectnationalsecurity,itshallpassthesecurityreviewinaccordancewiththenationalcybersecurityprovisions.Article 20 Whenpurchasingnetworkproductsandservices,theCIIOshallsignasecurityandconfidentialityagreementwithnetworkproductandserviceprovidersinaccordancewithrelevantprovisionsofthestate,inwhichthetechnicalsupportandsecurityandconfidentialityobligationsandresponsibilitiesoftheprovidersshallbespecified,andoverseetheperformanceofsuchobligationsandresponsibilities.Article 21 Incaseofamerger,split-up,dissolution,orotherwiseofaC110,itshallreportthesametotheprotectiondepartmentinatimelymanner,anddisposeofitsClIasrequiredbytheprotectiondepartmenttoensuresecurity.泄露、造成较大经济损失、违法信息较大范围传播等特别重大网络安全事件或者发现特别重大网络安全威胁时，保护工作部门应当在收到报告后，及时向国家网信部门、国务院公安部门报告。第十九条运营者应当优先采购安全可信的网络产品和服务；采购网络产品和服务可能影响国家安全的，应当按照国家网络安全规定通过安全审查。第二十条运营者采购网络产品和服务，应当按照国家有关规定与网络产品和服务提供者签订安全保密协议，明确提供者的技术支持和安全保密义务与责任，并对义务与责任履行情况进行监督。Chapter IV Guarantee and Promotion第四章保障和促进第二一条运营者发生合并、分立、解散等情况，应当及时报告保护工作部门，并按照保护工作部门的要求对关键信息基础设施进行处置，确保安全。Article 22 TheprotectiondepartmentshalldevelopthesecurityplanfortheClIintheindustryandfieldconcerned,whichshallspecifyprotectionobjectives,basicrequirements,tasks,andspecificmeasures.Article 23 Thenationalcyberspaceadministrationshallcoordinatetheeffortsofrelevantdepartmentstoestablishacybersecurityinformation-sharingmechanism,wherebytopromptlycollect,analyze,shareandpublishinformationon,amongothers,cybersecuritythreats,vulnerabilities,andevents,andthusfacilitatethesharingofcybersecurityinformationamongrelevantdepartments,protectiondepartments,CIIOs,andcybersecurityserviceagencies.Article 24 TheprotectiondepartmentshallestablishandimproveasystemforcybersecuritymonitoringandearlywarningoftheCIIintheindustryandfieldconcerned,keepabreastoftheoperationstatusandsecuritysituationontheCIIintheindustryandfield,andgiveanearlywarningofandnotifycybersecuritythreatsandhiddendangers,andguidethesecuritywork.Article 25 Theprotectiondepartmentshall,accordingtotherequirementsofthenationalcontingencyplansforcybersecurityevents,establishandimprovethecontingencyplansforcybersecurityeventsfortheindustryandfieldconcerned,andorganizeemergencydrillsregularly.TheprotectiondepartmentshallguideCIlOsonhowtoeffectivelyrespondtocybersecurityevents,andarrangetheprovisionoftechnicalsupportandassistanceasneeded.第二十二条保护工作部门应当制定本行业、本领域关键信息基础设施安全规划，明确保护目标、基本要求、工作任务、具体措施。第二十三条国家网信部门统筹协调有关部门建立网络安全信息共享机制，及时汇总、研判、共享、发布网络安全威胁、漏洞、事件等信息，促进有关部门、保护工作部门、运营者以及网络安全服务机构等之间的网络安全信息共享。第二十四条保护工作部门应当建立健全本行业、本领域的关键信息基础设施网络安全监测预警制度，及时掌握本行业、本领域关键信息基础设施运行状况、安全态势，预警通报网络安全威胁和隐患，指导做好安全防范工作。第二十五条保护工作部门应当按照国家网络安全事件应急预案的要求，建立健全本行业、本领域的网络安全事件应急预案，定期组织应急演练；指导运营者做好网络安全事件应对处置，并根据需要组织提供技术支持与协助。Article 26 TheprotectiondepartmentshallregularlyorganizeandcarryoutcybersecurityinspectionandtestinginrespectoftheCIIintheindustryandfieldconcerned,andguideandsuperviseClIOsinrectifyingpotentialsafetyhazardsinatimelymannerandimprovingsafetymeasures.Article 27 ThenationalcyberspaceadministrationshallcoordinatetheeffortsofthepublicsecuritydepartmentandtheprotectiondepartmentundertheStateCounciltocarryoutcybersecurityinspectionandtestinginrespectoftheCU,andputforwardimprovementmeasures.RelevantdepartmentsshallstrengthencoordinationandinformationcommunicationwhencarryingoutcybersecurityinspectioninrespectoftheCII,soastoavoidunnecessaryinspection,crossandrepeatedinspection.Nofeeshallbechargedfortheinspection,andtheentityunderinspectionshallnotberequiredtopurchaseproductsandservicesofdesignatedbrandsordesignatedproductionorsalesentities.Article 28 ACIIOshallcooperatewiththeprotectiondepartmentinthecybersecurityinspectionandtestinginrespectofitsCII,andwithpublicsecurity,nationalsecurity,confidentialityadministration,passwordmanagement,andotherrelevantdepartmentsinthecybersecurityinspectioninrespectofitsCIIinaccordancewiththelaw.Article 29 WithregardtotheCIIsecurityprotection,thenationalcyberspaceadministrationandthetelecommunicationsandpublicsecuritydepartmentsunderthe第二十六条保护工作部门应当定期组织开展本行业、本领域关键信息基础设施网络安全检查检测，指导监督运营者及时整改安全隐患、完善安全措施。第二十七条国家网信部门统筹协调国务院公安部门、保护工作部门对关键信息基础设施进行网络安全检查检测，提出改进措施。有关部门在开展关键信息基础设施网络安全检查时，应当加强协同配合、信息沟通，避免不必要的检查和交叉重复检查。检查工作不得收取费用，不得要求被检查单位购买指定品牌或者指定生产、销售单位的产品和服务。第二十八条运营者对保护工作部门开展的关键信息基础设施网络安全检查检测工作，以及公安、国家安全、保密行政管理、密码管理等有关部门依法开展的关键信息基础设施网络安全检查工作应当予以配合。第二十九条在关键信息基础设施安全保护工作中，国家网信部门和国务院电信主管部门、国务院公安部门等应当根据保护工作部门的需要，及时提供技术支持和StateCouncilshallprovidetimelytechnicalsupportandassistanceaccordingtotheneedsoftheprotectiondepartment.Article 30 Thecyberspaceadministration,publicsecurity,securityprotection,andotherrelevantdepartments,aswellascybersecurityserviceagenciesandtheirstaf