
Overview of China's Cybersecurity Law

IT Advisory, KPMG China

February 2017
© 2017 KPMG Advisory (China) Limited, a wholly foreign owned enterprise in China, is a member firm of the KPMG network of independent firms
affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Contents
• Cybersecurity Law timeline
• Challenges arising from the Cybersecurity Law
• Amendments to the draft Cybersecurity Law
• Highlights and interpretation of the Cybersecurity Law
• KPMG China's cybersecurity services
Cybersecurity Law timeline
Prior to the enactment of the Cybersecurity Law, China already had some laws, rules and regulations relating to
information security, such as Administrative Measures for Prevention and Treatment of Computer Viruses and
Administrative Measures for Hierarchical Protection of Information Security. The Cybersecurity Law, which indicates
that China is increasingly focussing on cybersecurity, was adopted by the National People’s Congress (NPC) in
November 2016 after a year of legislative proceedings, and will come into effect on 1 June 2017.

2017
• 1 June: The Cybersecurity Law will come into effect.

2016
• November: The Cybersecurity Law of the People's Republic of China was adopted at the 24th Session of the Standing Committee of the 12th National People's Congress on 7 November, with 154 affirmative votes and one abstention.
• July: The Cybersecurity Law (Draft for Second Deliberation) was released on the National People's Congress' website for public comment.
• June: The 12th National People's Congress deliberated the Cybersecurity Law (Draft) for the second time.

2015
• July: Based on comments from the public and feedback from NPC Standing Committee members and other parties, the Cybersecurity Law (Draft) was modified to create the Cybersecurity Law (Draft for Second Deliberation).
• June: The 12th National People's Congress deliberated the Cybersecurity Law (Draft).

2014
• General Secretary of the CPC Central Committee and President Xi Jinping was appointed head of the Central Leading Group for Cyberspace Affairs, which was established in February 2014. "Maintain cybersecurity" was first written into the Report on the Work of the Government during the National People's Congress and Chinese People's Political Consultative Conference.

Earlier
Earlier laws and regulations, which focus more on system and infrastructure security, include:
• State Council: Regulations on Security Protection of Computer Information Systems; Administrative Measures for Internet Information Services
• Ministry of Public Security: Administrative Measures for Prevention and Treatment of Computer Viruses
• Ministry of Public Security and five other ministries: Administrative Measures for Hierarchical Protection of Information Security
• NPC Standing Committee: Law on Guarding State Secrets

Challenges arising from the Cybersecurity Law
Key considerations under the Cybersecurity Law

1. Personal information protection
• The Law pays more attention to the protection of personal information and individual privacy.
• The Law standardises the collection and usage of personal information.
• Enterprises should focus not only on "data security", but also on "individual privacy protection", which is of greater significance.

2. Security requirements for network operators
• The Law presents clear definitions of network operators and their security requirements.
• Most of the larger financial institutions may become "network operators".

3. Critical information infrastructure
• The Law places greater demands on the protection of critical information infrastructure.
• The Law specifies the scope of critical information infrastructure.

4. Restrictions on the transfer of personal information and business data overseas
• Foreign enterprises and organisations normally need to transfer information outside China.
• The Cybersecurity Law stipulates that personal information and important data collected by critical information infrastructure operators must be stored domestically.

5. Penalties
• Penalties for violating the Law are clearly stated, and include the suspension of business activities.
• Serious illegal action may lead to the closing of businesses or the revocation of licences.
• The maximum fine may reach RMB1,000,000.
Amendments to the draft Cybersecurity Law
Comparison between the draft and final versions of the Cybersecurity Law

The significant amendments to the draft Cybersecurity Law that are present in the final version are listed below, article by article:

Article 31
Final version: Regarding cybersecurity protection, the state emphasises the protection of critical information infrastructure in public communications and information services, energy, finance, transportation, water conservancy, public services and e-governance, as well as other critical information infrastructure that could cause serious damage to national security, the national economy and public interest if it is destroyed, loses functionality or leaks data.
Significant amendment: This article clarifies the industries and sectors in which the protection of critical information infrastructure will be given priority.

Article 43
Final version: Individuals have the right to require network operators to correct errors in personal information collected or stored by them. Network operators must take measures to remove or correct the errors.
Significant amendment: This article gives citizens greater rights to protect their personal information, and increases the network operators' obligation to correct errors in a timely manner.

Article 46
Final version: Individuals and organisations are responsible for the use of their networks, and must not set up websites or communications groups for fraudulent purposes or other illegal activities.
Significant amendment: This article emphasises that individuals and organisations bear the responsibility for the use of their networks.

Article 76(5)
Final version: "Personal information" refers to all kinds of information, recorded electronically or through other means, that can determine the identity of a natural person independently or in combination with other information, including, but not limited to, a natural person's name, date of birth, identification number, personal biometric information, address and telephone number.
Significant amendment: This article expands the scope of personal information protection from "citizens" to "natural persons".

Article 63
Final version: People who violate Article 27 of the Law and engage in activities that endanger cybersecurity may be detained for 5 to 15 days and may be fined RMB100,000 to RMB1,000,000, depending on the severity of the case.
Significant amendment: The maximum penalty for violating the Cybersecurity Law has been increased to RMB1,000,000.
Highlights and interpretation of the Cybersecurity Law
Highlights of the Cybersecurity Law

Comprising 79 articles in seven chapters, the Cybersecurity Law contains a number of cybersecurity requirements,
including safeguards for national cyberspace sovereignty, protection of critical information infrastructure and data
and protection of individual privacy. The Law also specifies the cybersecurity obligations for all parties. Enterprises
and related organisations should prioritise the following highlights of the Cybersecurity Law:

• Personal information protection: The Cybersecurity Law clearly states requirements for the collection, use and protection of personal information.
• Critical information infrastructure: The Cybersecurity Law frequently mentions the protection of "critical information infrastructure".
• Network operators: "Network operators" are the owners and administrators of networks and network service providers. The Cybersecurity Law clarifies operators' security responsibilities.
• Preservation of sensitive information: The Cybersecurity Law requires personal information and important data collected or generated in China by critical information infrastructure operators to be stored domestically.
• Certification of security products: Critical network equipment and special cybersecurity products can only be sold or provided after receiving security certification.
• Legal liabilities: Enterprises and organisations that violate the Cybersecurity Law may be fined up to RMB1,000,000.

Interpretation of highlights: Personal information protection

Collection of personal information
• Article 22: Network product and service providers that collect users' information are required to inform the users and obtain their consent.
• Article 41: Network operators are required to collect and use personal information in a legal and proper manner.
• Article 44: Individuals and organisations must not steal or use other illegal means to obtain personal information.

KPMG interpretation:
• The articles above emphasise that personal information can only be collected when individuals
are informed and agree to the aims and scope of the collection.
• Citizens provide personal information for many purposes, including for education, healthcare,
public transportation and online-to-offline transactions. These articles standardise approaches
and methods for enterprises and related institutions to obtain personal information.

Protection of personal information
• Article 41: Network operators must gather and store personal information in accordance with the Law, administrative regulations and their agreements with users.
• Article 42: Network operators must not disclose, tamper with or destroy collected personal information.
• Article 43: Where a network operator has violated the Law's provisions, individuals have the right to request the operator to delete their personal information.
• Article 45: Departments with legal responsibilities for cybersecurity supervision must keep all personal information they obtain confidential.

KPMG interpretation:
• The articles above stipulate requirements for the protection of personal information, especially
for avoiding disclosure, damage and loss of personal information.
• Amidst a growing focus on telecom fraud and personal information leaks, the Cybersecurity Law
introduces stricter requirements on the protection of personal information owned by
organisations.
• Accurately identifying personal information owned by organisations, protecting the information
using technology and identifying potential information leak risks are becoming key priorities for
enterprises.

Interpretation of highlights: Network operators
Definition of “network operators”
Article 76 of the Cybersecurity Law: “Network operators” refers to owners and administrators of
networks and network service providers.
Since the applicable scope of “network operators” has expanded significantly, enterprises and
institutions that provide services and conduct business activities through networks may also be
defined as “network operators”.
In addition to traditional telecom operators and internet firms, network operators may also include:
• Financial institutions that collect citizens' personal information and provide online services, such
as banks, insurance companies, securities companies and fund companies.
• Providers of cybersecurity products and services.
• Enterprises that have websites and provide network services.

Overall security requirements
• Article 10: When building and operating networks or providing services through networks, technical and other necessary measures must be taken, in accordance with the Law's provisions and mandatory national standards, to safeguard network operations, respond effectively to cybersecurity incidents, prevent cybercrime, and maintain the integrity, confidentiality and availability of network data.
• Article 21: The state adopts a tiered system for cybersecurity protection. Network operators are required to follow security procedures to safeguard networks from interference, destruction or unauthorised access, and to prevent network data from being leaked, tampered with or stolen.

KPMG interpretation:
The articles above stipulate the overall cybersecurity requirements for network operators. Article 21
introduces the following security requirements:
• Security administration: Network operators are required to clarify responsibilities within their
organisations, and ensure network security by implementing sound rules and regulations and
operational processes.
• Technology: Network operators shall adopt various technologies to prevent, combat and
investigate cyber-attacks to mitigate network risks.
• Data security: Network operators shall ensure data availability and confidentiality by backing up
and encrypting data.
Building an effective security administration system, finding rational technical solutions and
improving data protection capabilities are expected to be key priorities for network operators.

Interpretation of highlights: Network operators
Detailed cybersecurity requirements
• Article 22 (paragraph 1): Network product or service providers must not install malicious programs. Upon discovering a security flaw, vulnerability or other risk in their product or service, providers must take remedial action immediately, inform users and report the issue to the relevant departments.
• Article 22 (paragraph 2): Network product and service providers are required to provide security maintenance for their products and services. This security maintenance must not be terminated during the period stated in the agreements between the parties.

KPMG interpretation:
This article is applicable to cybersecurity product manufacturers, security service suppliers and
other organisations that provide services through networks. These network operators are required
to respond to security flaws in their products and services and provide security maintenance.
Currently, some network security product and service providers do not respond quickly and
effectively to flaws in their products and services, which also impacts security maintenance. This
may create cybersecurity risks for users of their products and services.

Interpretation of highlights: Critical information infrastructure

Security of critical information infrastructure
• Article 31: Regarding cybersecurity protection, the state emphasises the protection of critical information infrastructure in public communications and information services, energy, finance, transportation, water conservancy, public services and e-governance, as well as other critical information infrastructure that may cause serious damage to national security, the national economy and public interest if it is destroyed, loses functionality or leaks data. The State Council will formulate the specific scope of critical information infrastructure and the security protection measures for it.
• Article 38: Critical information infrastructure operators are required to evaluate their cybersecurity and potential risks at least once a year, either on their own or with the help of cybersecurity service providers. Operators must report the evaluation results and improvement measures to the relevant departments responsible for critical information infrastructure protection.

KPMG interpretation:
The Cybersecurity Law mentions that the scope of critical information infrastructure and protection
procedures will be defined by the State Council, but the scope has not yet been clarified officially.
Enterprises can estimate the scope by considering factors like the number of users, information
leak risks, potential implications and the size of data centres.
Enterprises that fall within the scope of critical information infrastructure operators must regularly assess
their cyber risks in accordance with Article 38 of the Cybersecurity Law.

Interpretation of highlights: Preservation of sensitive information

Detailed cybersecurity requirements
• Article 37: Personal information and important data collected and generated by critical information infrastructure operators during their operations in the PRC must be stored domestically. Where such information and data genuinely need to be transferred overseas for business reasons, a security assessment must be conducted in accordance with measures jointly defined by China's cyberspace administration bodies and the relevant departments under the State Council. Where other laws and administrative regulations provide otherwise, those provisions apply.

KPMG interpretation:
The article above sets out new requirements on the protection of sensitive information.
• Potential implications: Some enterprises need to transmit data to their headquarters, partners
and/or suppliers overseas. If these enterprises are operators of critical information
infrastructure, they will need to reassess their approach to data transfers.
• Response: For personal information/important data that is stored overseas, the most direct and
effective way is to transfer and store the data locally in China. For personal
information/important data that is stored in China but needs to be transferred overseas, the
content and approach of the transfer should be adjusted to meet the new requirements.
• Implementation of the article: China’s cyberspace administrative bodies and other regulatory
bodies will introduce policies to clarify the requirements for domestically stored data. At present,
there are no official rules and regulations to support the implementation of the article.

Interpretation of highlights: Certification of security products

Detailed cybersecurity requirements
• Article 23: Critical network equipment and special cybersecurity products may only be sold or provided after they have been certified or tested as secure by a qualified institution, in line with the mandatory requirements of the relevant national standards. China's cyberspace administration bodies and the relevant departments under the State Council will draft a catalogue of critical network equipment and special cybersecurity products.
• Article 35: Critical information infrastructure operators that purchase network products and services that might affect national security must pass a national security review.

KPMG interpretation:
The articles above stipulate that providers can only sell their critical network equipment, products
or services after receiving security certifications. They may also need to pass a national security
review.
The security review/assessment is designed to ensure the security of personal information and
support the secure operations of critical information infrastructure described in the Cybersecurity
Law.
Providers of network equipment, products or services should actively respond to national security
reviews to avoid negative business implications as a result of failing to obtain security certifications.

Interpretation of highlights: Legal liabilities
Detailed cybersecurity requirements
• Article 64: Network operators or providers of network products or services that violate Paragraph 3 of Article 22, or Articles 41 to 43 of the Law, will be ordered to correct their actions. They may be issued warnings, have their illegal income confiscated and/or be fined between one and ten times the illegal income; if there is no illegal income, the fine may be up to RMB1,000,000. In serious cases, the relevant departments may order the suspension of business operations, shut down websites and revoke business permits or licences.
• Article 66: Critical information infrastructure operators that violate Article 37 of the Law will be ordered by the relevant departments to correct their actions. The departments may issue warnings, confiscate illegal income and impose fines of RMB50,000 to RMB500,000. They may also suspend business operations, shut down websites and revoke business permits or licences.

KPMG interpretation:
The articles above specify the penalties that network operators, network product or service
providers and operators of critical information infrastructure may face if they violate certain articles
of the Cybersecurity Law.
Network operators, network product or service providers and operators of critical information
infrastructure should carefully follow the related provisions of the Cybersecurity Law to avoid being
penalised.

KPMG China’s Cybersecurity services
With many years of experience in cybersecurity advisory services, KPMG has a deep understanding
of the cybersecurity landscape in China, as well as the requirements of laws and regulations.
KPMG provides a variety of advisory services based on customer demands. The following four types
of services in cybersecurity management are provided by KPMG:

Strategy & governance
• Governance
• Cyber in the boardroom
• Risk management
• Privacy & data protection
• Cyber resilience

Security transformation
• Security architecture
• Change programme
• Identity & access management
• Education & awareness
• Cloud / digital / mobile

Cyber defence
• Cyber exercise
• Application security services
• Penetration testing
• Incident response

Assessments & assurance
• Industry standard alignment
• Cybersecurity in internal audit
• Supply chain security
• Cyber maturity assessment
• Regulatory assessment

Contacts

Henry Shek, Partner, Tel: +852 2143 8799, [email protected]
Richard Zhang, Director, Tel: +86 (21) 2212 3637, [email protected]
Jason R.K. He, Director, Tel: +86 (755) 2547 1129, [email protected]
Alvin Li, Associate Director, Tel: +852 2978 8233, [email protected]
Shane Wang, Associate Director, Tel: +86 (21) 2212 3651, [email protected]
Frank Xiao, Associate Director, Tel: +86 (10) 8508 5456, [email protected]
Matrix Chau, Associate Director, Tel: +852 2685 7521, [email protected]

kpmg.com/cn

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity.
Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date
it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional
advice after a thorough examination of the particular situation.


The KPMG name and logo are registered trademarks or trademarks of KPMG International.
