Cyber Law in Asia

China

Government Structure


Do they designate a lead cyber security agency within the government?

Yes: the Cyberspace Administration of China.

Is oversight provided on a centralized or sectoral basis?

Sectoral. The CAC interviews representatives of operators and indicates when their practices are not in line with policy; the MIIT issues notifications to carry out administrative checks on security in telecommunications and internet entities; local telecommunications authorities notify entities that fail to implement security obligations; and authorities for various industries supervise privacy violations, e.g., the People's Bank of China in the banking industry. See Hongquan Yang, Privacy Data Protection and Cybersecurity Law Review (2019) at pg.130-31.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

At least seven sectors: public communication and information services, power, traffic, water resources, finance, public service, e-government. See Hongquan Yang at pg. 133.

How do they designate within these sectors?

Unclear. As yet, China has not passed sufficient regulations to fully define which sectors fall under CII, much less how they designate within these sectors. However, it looks likely to be the whole sector. See Hongquan Yang at pg. 133.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes.  The CSL defines a number of strict data localization rules and other regulations for, in particular, CII. Further requirements are tiered by risk level. See Hongquan Yang at pg. 127-28.

Does it take a risk-based approach?

Yes. CII, considered the highest risk, has the most extensive security requirements. The Specification's standards around personal information protection are also risk-based. The draft Multi-Level Protection Scheme (MLPS) defines different risk levels based on the potential damage to Chinese society. See Dan Swinhoe, China’s MLPS 2.0: Data grab or legitimate attempt to improve domestic cybersecurity?, CSO (Oct. 18, 2019).

Do the security measures enable the use of international standards?

Not directly.

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

An entity can comply with both; however, Chinese law requires significant action above and beyond the NIST CSF, especially as it relates to data localization and government action. See Dan Swinhoe, China’s MLPS 2.0: Data grab or legitimate attempt to improve domestic cybersecurity?, CSO (Oct. 18, 2019).

Do they include prescriptive or technology-based security measures?

Likely yes. High-risk data must be managed under infrastructure and networks approved by the Chinese government, which would likely be technology-based. See Simone McCarthy, Will China’s revised cybersecurity rules put foreign firms at risk of losing their secrets?, South China Morning Post (Oct. 13, 2019).

Incident Reporting

Are there mandatory incident reporting requirements?

Yes. The Cybersecurity Law requires reporting of incidents in which personal information is leaked, lost, or distorted. Cybersecurity Law of the People’s Republic of China (CSL), Article 42 (Effective June 1, 2017). Furthermore, the Regulation for the Protection of Computer Information Systems requires reporting any case arising from a computer system within 24 hours. Regulations on Safeguarding Computer Information Systems, Article 14 (Feb. 1996).

Are there clear thresholds above which an incident should be reported?

No, thresholds are not clear.

How do they determine the timeline within which an incident must be reported?

The Regulation for the Protection of Computer Information Systems requires reporting within 24 hours, but the timeline under the CSL is less clear.

Threat Information Sharing

Have they established a national threat information sharing entity?

China established the China National Cyber Threat Intelligence Collaboration (CNTIC) in 2017, but there is little public information available about it. CNTIC was supposed to be administered by the Ministry of Industry and Information Technology (MIIT). See Jian Jie, China’s first cyber threat intelligence sharing platform expected to further upgrade nation’s cyber defense, People's Daily Overseas New Media (Jan. 18, 2019).

Does this entity share information out to industry, as well as receiving information?

Unclear.

Is threat information sharing mandatory for any private sector entity?

Unclear, at least as it relates to non-incidents. This may change with new drafts of related regulations.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

Yes. The Regulation on Internet Security Supervision and Inspection by Public Security Organs requires allowing on-site inspection, at which at least two local police officers and local agency staff must be present. Inspectors have full access to the data and the hardware, and can copy any data they find.

Are there requirements to cede control of facilities in an emergency situation?

Likely yes, given the requirement to allow physical access to facilities and access to data.

Are there requirements to provide source code or other decryption capabilities?

Yes. Article 18 of the Anti-Terrorism Law requires telecom and internet providers to provide decryption and other support and assistance for the prevention and investigation of terrorist activities. See Glyn Moody, China’s new anti-terror law: No backdoors, but decryption on demand, Ars Technica (Dec. 29, 2015).

Localization Requirements

Are there requirements to establish a local presence - either office or personnel?

Currently, de jure localization requirements focus on data localization, but for practical purposes businesses need a local presence in the form of an office or personnel.

Are there requirements to localize data?

Yes: The CSL requires the localization of CII data, and particular industries have also passed data localization restrictions, including banking, insurance, credit investigation, mail, medicine, taxis, map services, and civil aviation. See Hongquan Yang at pg. 131-313.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Yes: Penalties for violating the Law are clearly stated, and include a maximum fine of up to RMB1,000,000. See Overview of China’s Cybersecurity Law (Feb. 2017).

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

Yes. Penalties for violating the Law are clearly stated, and include the suspension of business activities and/or the closing of businesses or the revocation of licences. See Overview of China’s Cybersecurity Law (Feb. 2017).

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?


The Cybersecurity Law (CSL) was enacted by the Standing Committee of the National People's Congress on November 7, 2016 and was implemented on June 1, 2017. See English translation.

Japan

Government Structure


Do they designate a lead cyber security agency within the government?

Yes: NISC (National center of Incident readiness and Strategy for Cybersecurity). See Cybersecurity Policy at 4, 50-51.

Is oversight provided on a centralized or sectoral basis?

Centralized with sectoral intermediaries. See Cybersecurity Policy at Annex 4-2, 61.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

14 sectors: information and communications; finance; aviation; airports; railway; electric power supply; gas supply; government and administration; medical; water; logistics; chemical industries; credit cards; and petroleum industries. See Summary of Cyber Security Policy (Revised July 25, 2018).

How do they designate within these sectors?

Within sectors, the Cybersecurity Policy designates applicable CI operators. See Cybersecurity Policy, Annex 1, 54. These operators are subject to change when the Cybersecurity Policy is revised.

There are examples of critical information systems within each sector and under each applicable operator, see id., but those examples are not exclusive. CI services are defined as "Services and/or a set of procedures provided by CI operators necessary to utilize those services that are designated as those to be protected in particular for each CI sector, taking into account the extent of their impact on national life and economic activities." Id. at Annex 5, 63.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes. "Safety principles" are broken into those 1) prescribed by law; 2) recommended by law; 3) stipulated by industrial organizations; and 4) stipulated by CI operators themselves. Legal requirements are sector-specific. See Guidelines for Establishing Safety Principles, 2.

Does it take a risk-based approach?

Yes. The Guidelines for Safety Principles instruct CI operators to analyze their specific security risks, risk attitude, and risk tolerance, among other factors, to determine an appropriate way to manage their security. See Guidelines for Establishing Safety Principles, 11-12.

Do the security measures enable the use of international standards?

Yes. The Guidelines for Safety Principles specifically reference ISO/IEC 27000 and IEC 62443-2-1 as security management standards. See Guidelines for Establishing Safety Principles, 12.

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Yes. The Guidelines for Safety Principles specifically reference, for example, the Framework for Improving Critical Infrastructure Cybersecurity from NIST as a reference providing security management measures. See Guidelines for Establishing Safety Principles, 12.

Do they include prescriptive or technology-based security measures?

No.

Incident Reporting

Are there mandatory incident reporting requirements?

Generally, yes. Relevant laws by sector require some incident reporting, including, for example, reporting suspension of business under Article 28 of the Telecommunications Business Act. See Cybersecurity Policy, Annex 2, page 55.

Are there clear thresholds above which an incident should be reported?

It depends on the sector. As above, incident reporting requirements are dictated by sector-specific laws. These reports are generally described as reporting "outages." See Cybersecurity Policy, Annex 2, 55.

How do they determine the timeline within which an incident must be reported?

Varies by sector.

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes: NISC (National center of Incident readiness and Strategy for Cybersecurity). See Cybersecurity Policy, 4, 50-51.

Does this entity share information out to industry, as well as receiving information?

Yes, if the Cabinet Secretariat determines the information falls under one of the following:

"(i) Cases where the obtained information is regarding a security hole, program bug, etc. and it is recognized that serious problems related to said information may occur at other CI operators

"(ii) Cases where there is a cyber-attack or advance notice of such an attack, where there are predicted damages from a disaster, or where it is otherwise recognized that the information poses a risk to the critical information systems of other CI operators

"(iii) Other cases where information sharing is considered to be effective for CI operators' cybersecurity measures."

See Cybersecurity Policy, 52.

Is threat information sharing mandatory for any private sector entity?

Yes. CI operators are to report events in any of the following circumstances:

"(i) Cases where the relevant event requires a report to responsible ministries for CI under laws and regulations

"(ii) Cases where stakeholders recognize the relevant event's serious impact on national life and CI services, and where the relevant CI operator considers it appropriate to share information of said event

"(iii) Other cases where the relevant CI operator considers it appropriate to share information on the relevant event."

See Cybersecurity Policy, 50.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

No.

Are there requirements to cede control of facilities in an emergency situation?

No.

Are there requirements to provide source code or other decryption capabilities?

No.

Localization Requirements

Are there requirements to establish a local presence - either office or personnel?

No.

Are there requirements to localize data?

No.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Not generally applicable, but there may be sectoral penalties.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

Not generally applicable, but there may be sectoral penalties.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The Cybersecurity Policy was first enacted on April 18, 2017 and was revised July 25, 2018. The Guidelines for Safety Principles went into effect on April 4, 2018.

© 2023 by National Cyber Law Project Reference Site


Disclaimer: The material presented in the International Law Project was prepared by Wiley Rein LLP, the United States Chamber, and the National Security Institute at the Antonin Scalia Law School at George Mason Law School. It is not legal advice. Chamber members using this information should consult their own counsel as needed for compliance and regulatory issues in particular jurisdictions. The information contained herein is provided as a resource, as is, based on domestic regulations and laws as of January 30, 2020. Regulations and laws change, so you should consult other resources to ensure continued accuracy.