Regulation on Protecting the Security of Critical Information Infrastructure

2025-02-07

 

Document Number: Order No. 745 of the State Council of the People's Republic of China

Area of Law: Network Security Management

Level of Authority: Administrative Regulations

Issuing Authority: State Council

Date Issued: 07-30-2021

Effective Date: 09-01-2021

Status: Effective

 

 

Order of the State Council of the People's Republic of China

(No. 745)

The Regulation on Protecting the Security of Critical Information Infrastructure, as adopted at the 133rd executive meeting of the State Council on April 27, 2021, is hereby issued and shall come into force on September 1, 2021.

Premier: Li Keqiang

July 30, 2021

Regulation on Protecting the Security of Critical Information Infrastructure

Chapter I General Provisions

Article 1 This Regulation is formulated in accordance with the Cybersecurity Law of the People's Republic of China in order to ensure the security of critical information infrastructure (hereinafter referred to as CII) and maintain cybersecurity.

Article 2 For the purposes of this Regulation, CII means any of the network facilities and information systems in important industries and fields, such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and science, technology and industry for national defense, that may seriously endanger national security, the national economy and people's livelihood, and public interests in the event that they are damaged, lose their functions, or have their data leaked.

Article 3 Under the overall coordination of the national cyberspace administration, the public security department under the State Council shall be responsible for guiding and supervising the CII security protection. The telecommunications department and other relevant departments under the State Council shall be responsible for the security protection, supervision, and administration in respect of CII within their respective responsibilities in accordance with the provisions of this Regulation and relevant laws and administrative regulations.

The relevant departments of the provincial people's government shall implement security protection, supervision, and administration in respect of CII according to their respective responsibilities.

Article 4 The CII security protection shall adhere to overall coordination, division of responsibilities, and law-based protection. CII operators (hereinafter referred to as CIIO) shall be required to assume primary responsibilities, and the role of the people's governments and non-government sectors shall be fully leveraged, so as to jointly protect the CII security.

Article 5 The state shall give priority to the protection of CII, specifically by taking measures to monitor, defend against, and handle cybersecurity risks and threats originating inside and outside the People's Republic of China so as to protect the CII from attack, intrusion, interference, and sabotage, and by punishing in accordance with the law illegal and criminal activities endangering the CII security.

No individual or organization may engage in any activity of illegally hacking into, interfering with, or damaging any CII or endanger the CII security.

Article 6 A CIIO shall, in accordance with the provisions of this Regulation, applicable laws, and administrative regulations, as well as the mandatory requirements of national standards, and on the basis of the classified cybersecurity protection, take technical protection and other necessary measures to cope with cybersecurity events, guard against cyber-attacks and illegal and criminal activities, ensure the safe and stable operation of the CII, and maintain data integrity, confidentiality, and availability.

Article 7 Entities and individuals that have made outstanding achievements or contributions in the CII security protection shall be commended in accordance with the relevant provisions of the state.

Chapter II Determination of CII

Article 8 The competent authorities and supervision and administration departments of important industries and fields set forth in Article 2 of this Regulation are the departments responsible for the CII security protection (hereinafter referred to as the protection departments).

Article 9 The protection department shall develop the rules for the determination of CII according to the actual conditions of the industry and field concerned, and file them with the public security department under the State Council.

In developing the rules for the determination of CII, the following factors shall be taken into account:

(1) The importance of, among others, network facilities and information systems to key core businesses in the industry and field concerned;

(2) The extent of the harm that may be caused once, among others, network facilities and information systems are damaged, lose their functions, or have their data leaked; and

(3) Relevance to other industries and fields.

Article 10 The protection department shall be responsible for organizing the determination of CII in the industry and field concerned according to the determination rules, and shall inform the CIIO of the determination results in a timely manner and notify the public security department under the State Council of the same.

Article 11 If any CII has undergone a major change, which may affect its determination results, the CIIO shall report the relevant information to the protection department in a timely manner. The protection department shall complete the re-determination within three months of receipt of such report, inform the CIIO of the determination results, and notify the public security department under the State Council of the same.

Chapter III Responsibilities and Obligations of CIIOs

Article 12 Security protection measures shall be planned, constructed, and used in tandem with the planning, construction, and use of CII.

Article 13 A CIIO shall establish and improve a cybersecurity protection system and a responsibility system to ensure the input of human, financial, and material resources. The head of a CIIO shall assume overall responsibility for the CII security protection, lead the CII security protection and the handling of major cybersecurity events, and make arrangements for research into and solution of major cybersecurity problems.

Article 14 A CIIO shall set up a special security management organization, and conduct security background checks on the head of such organization and the personnel in key positions. Public security organs and state security organs shall provide assistance in such checks.

Article 15 The special security management organization shall be responsible for the CII security protection of the entity to which it belongs, and perform the following responsibilities:

(1) Establishing and improving a cybersecurity management and evaluation system, and drawing up a CII security protection plan;

(2) Organizing the improvement of cybersecurity protection capacity, and carrying out cybersecurity monitoring, testing, and risk assessment;

(3) Developing the contingency plans of the entity based on the national and industry contingency plans for cybersecurity events, regularly carrying out emergency drills, and handling cybersecurity events;

(4) Determining key positions in respect of cybersecurity, organizing the evaluation of cybersecurity-related work, and putting forward suggestions for rewards and punishments;

(5) Organizing education and training in cybersecurity;

(6) Fulfilling the responsibility for protecting the security of personal information and data, and establishing and improving a security protection system for personal information and data;

(7) Implementing security management for the design, construction, operation, maintenance, and other services in respect of CII; and

(8) Reporting cybersecurity events and important matters as required.

Article 16 A CIIO shall ensure the operating expenses of the special security management organization, staff the organization accordingly, and involve personnel of the organization in decision-making related to cybersecurity and informatization.

Article 17 A CIIO shall conduct cybersecurity inspection and risk assessment of its CII at least once a year directly or through a cybersecurity service provider. It shall take timely corrective action against the security problems found, and submit the information according to the requirements of the protection department.

Article 18 When a major cybersecurity event occurs to CII or a major cybersecurity threat is found, the CIIO shall, as required, report the same to the protection department and the public security organ.

In the event of a particularly serious cybersecurity event or a particularly serious cybersecurity threat, such as the overall interruption of the operation of CII or failure of its major functions, leakage of national basic information and other important data, large-scale leakage of personal information, significant economic loss, and widespread dissemination of illegal information, the protection department shall, after receipt of the report, report the same to the national cyberspace administration and the public security department under the State Council in a timely manner.

Article 19 A CIIO shall give priority to purchasing safe and credible network products and services; if the purchase of network products and services may affect national security, it shall pass the security review in accordance with the national cybersecurity provisions.

Article 20 When purchasing network products and services, the CIIO shall sign a security and confidentiality agreement with network product and service providers in accordance with relevant provisions of the state, in which the technical support and security and confidentiality obligations and responsibilities of the providers shall be specified, and oversee the performance of such obligations and responsibilities.

Article 21 In case of a merger, split-up, dissolution, or similar circumstance of a CIIO, it shall report the same to the protection department in a timely manner, and dispose of its CII as required by the protection department to ensure security.

Chapter IV Guarantee and Promotion

Article 22 The protection department shall develop the security plan for the CII in the industry and field concerned, which shall specify protection objectives, basic requirements, tasks, and specific measures.

Article 23 The national cyberspace administration shall coordinate the efforts of relevant departments to establish a cybersecurity information-sharing mechanism, so as to promptly collect, analyze, share, and publish information on, among others, cybersecurity threats, vulnerabilities, and events, and thus facilitate the sharing of cybersecurity information among relevant departments, protection departments, CIIOs, and cybersecurity service agencies.

Article 24 The protection department shall establish and improve a system for cybersecurity monitoring and early warning of the CII in the industry and field concerned, keep abreast of the operation status and security situation of the CII in the industry and field, give early warning of and notify cybersecurity threats and hidden dangers, and guide the security work.

Article 25 The protection department shall, according to the requirements of the national contingency plans for cybersecurity events, establish and improve the contingency plans for cybersecurity events for the industry and field concerned, and organize emergency drills regularly. The protection department shall guide CIIOs on how to effectively respond to cybersecurity events, and arrange the provision of technical support and assistance as needed.

Article 26 The protection department shall regularly organize and carry out cybersecurity inspection and testing in respect of the CII in the industry and field concerned, and guide and supervise CIIOs in rectifying potential safety hazards in a timely manner and improving safety measures.

Article 27 The national cyberspace administration shall coordinate the efforts of the public security department and the protection department under the State Council to carry out cybersecurity inspection and testing in respect of the CII, and put forward improvement measures.

Relevant departments shall strengthen coordination and information communication when carrying out cybersecurity inspection in respect of the CII, so as to avoid unnecessary, overlapping, or repeated inspections. No fee shall be charged for the inspection, and the entity under inspection shall not be required to purchase products and services of designated brands or designated production or sales entities.

Article 28 A CIIO shall cooperate with the protection department in the cybersecurity inspection and testing in respect of its CII, and with public security, national security, confidentiality administration, password management, and other relevant departments in the cybersecurity inspection in respect of its CII in accordance with the law.

Article 29 With regard to the CII security protection, the national cyberspace administration and the telecommunications and public security departments under the State Council shall provide timely technical support and assistance according to the needs of the protection department.

Article 30 The cyberspace administration, public security, security protection, and other relevant departments, as well as cybersecurity service agencies and their staff may use the information obtained in the course of CII security protection solely for maintaining cybersecurity, ensure the security of such information in strict accordance with the relevant laws and administrative regulations, and refrain from divulging, selling or illegally providing such information to others.

Article 31 Without the approval of the national cyberspace administration and the public security department under the State Council or the authorization of the protection department and a CIIO, no individual or organization may carry out vulnerability detection, penetration testing, or any other activity that may affect or endanger the security of any CII. Any vulnerability detection or penetration testing for basic telecommunications networks shall be subject to prior reporting to the telecommunications department under the State Council.

Article 32 The state shall take measures to give priority to ensuring the safe operation of the CII in industries such as energy and telecommunications.

The energy and telecommunications industries shall take measures to give priority to ensuring the safe operation of the CII in other industries and fields.

Article 33 Public security and national security organs shall strengthen the CII security protection according to their respective responsibilities, and guard against and crack down on illegal and criminal activities targeting and using CII.

Article 34 The state shall develop and improve the CII security standards, and guide and regulate the CII security protection.

Article 35 The state shall take measures to encourage cybersecurity professionals to engage in the CII security protection. The training of CIIOs' security management personnel and security-related technical personnel shall be included in the national continuing education system.

Article 36 The state shall support the technological innovation and industrial development for the CII security protection, and organize the relevant personnel to strive to make technological breakthroughs in the CII security.

Article 37 The state shall strengthen the improvement and management of cybersecurity service agencies, develop management requirements and strengthen supervision and guidance, constantly improve the capacity of service agencies, and maximize their role in the CII security protection.

Article 38 The state shall strengthen military and civilian integration in cybersecurity, and the military and local governments shall coordinate with each other in the CII security protection.

Chapter V Legal Liability

Article 39 Where any CIIO falls under any of the following circumstances, the relevant competent authorities shall, according to their responsibilities, order the CIIO to take corrective action and give it a warning; if the CIIO refuses to do so or causes any consequences such as endangering cybersecurity, it shall be fined not less than 100,000 yuan but not more than 1 million yuan, and its directly responsible person in charge shall be fined not less than 10,000 yuan but not more than 100,000 yuan:

(1) Failing to report the relevant information to the protection department in a timely manner when the CII has undergone major changes, which may affect its determination results;

(2) The security protection measures are not planned, constructed, and used in tandem with the planning, construction, and use of CII;

(3) Failing to establish and improve a cybersecurity protection system and a responsibility system;

(4) Failing to set up a special security management organization;

(5) Failing to conduct security background checks on the head of the special security management organization and personnel in key positions;

(6) Making a decision relating to cybersecurity and informatization without the participation of the personnel of the special security management organization;

(7) The special security management organization fails to perform its responsibilities prescribed in Article 15 of this Regulation;

(8) Failing to conduct cybersecurity inspection and risk assessment in respect of any CII at least once a year, take timely corrective action against the security problems found, or submit the information as required by the protection department;

(9) Failing to sign a security and confidentiality agreement with network product and service providers in accordance with relevant provisions of the state when purchasing network products and services; or

(10) Failing to report a merger, split-up, or dissolution in a timely manner to the protection department or dispose of any CII as required by the protection department.

Article 40 Where a CIIO fails to report to the protection department and the public security organ as required when a major cybersecurity event occurs or a major cybersecurity threat is discovered in its CII, the protection department and the public security organ shall order it to take corrective action and give a warning according to their responsibilities; if it refuses to do so or causes any consequences such as endangering cybersecurity, it shall be fined not less than 100,000 yuan but not more than 1 million yuan, and the directly responsible person in charge shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 41 Where a CIIO purchases network products and services that may affect national security and fails to conduct a security review of them, the national cyberspace administration and other relevant competent departments shall order it to take corrective action according to their responsibilities and impose a fine of not less than 1 time but not more than 10 times the purchase amount, and its directly responsible person in charge and other directly liable persons shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 42 Where a CIIO fails to cooperate with the protection department in the cybersecurity inspection and testing on its CII and with public security, state security, confidentiality administration, and password management and other relevant departments in the cybersecurity inspection on its CII in accordance with the law, the relevant competent department shall order it to take corrective action; if it refuses to do so, it shall be fined not less than 50,000 yuan but not more than 500,000 yuan, and its directly responsible person in charge and other directly liable persons shall be fined not less than 10,000 yuan but not more than 100,000 yuan; if any serious circumstances are involved, it shall be held legally liable in accordance with the law.

Article 43 Where anyone commits any act such as illegally hacking into, interfering with, or damaging any CII or endangering its security, which does not constitute a crime, the public security organ shall, in accordance with the relevant provisions of the Cybersecurity Law of the People's Republic of China, confiscate his or her illegal income and detain him or her for less than five days, and in addition impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; if any serious circumstances are involved, he or she shall be detained for not less than five days but not more than 15 days, and in addition be fined not less than 100,000 yuan but not more than 1 million yuan.

If an entity commits any acts as described in the preceding paragraph, the public security organ shall confiscate its illegal gains and impose a fine of not less than 100,000 yuan but not more than 1 million yuan, and its directly responsible person in charge and other directly liable persons shall be punished pursuant to the preceding paragraph.

Those who receive any public security administration punishment for violating the provisions of paragraph 2 of Article 5 and Article 31 of this Regulation shall be barred from working in key positions related to cybersecurity management and network operation for five years; those who are subject to criminal punishment shall be barred from working in key positions related to cybersecurity management and network operation for life.

Article 44 Where any cyberspace administration, public security, security protection or other relevant department and any of their staff members fail to perform their responsibilities for security protection, supervision and administration of CII, or any of their staff members neglects his duties, abuses his powers, or engages in malpractices for personal gains, the directly responsible person in charge and other directly responsible persons shall be subject to disciplinary action in accordance with the law.

Article 45 Where the public security organ, the protection department, and other relevant departments collect fees in carrying out the cybersecurity inspection in respect of any CII, or require the entity under inspection to purchase products and services of designated brands or designated production and sales entities, the authorities at a higher level shall order them to take corrective action and refund the collected fees; if the circumstances are serious, the directly responsible person in charge and other directly responsible persons shall be given sanctions as prescribed by law.

Article 46 Where the cyberspace administration, public security, security protection, and other relevant departments and cybersecurity service agencies and their staff members use the information obtained in the CII security protection for other purposes or divulge, sell or illegally provide such information to others, the directly responsible person in charge and other directly responsible persons shall be given sanctions as prescribed by law.

Article 47 Where any CII has undergone a major or particularly major cybersecurity event, which, after investigation, is determined to be an accident involving liability, the CIIO's liability shall be ascertained, for which it shall be held accountable in accordance with the law; in addition, the liability of relevant cybersecurity service agencies and relevant departments shall be ascertained and those who commit dereliction and neglect of duty or other illegal acts shall be punished in accordance with the law.

Article 48 Where any CIIO of e-government CII fails to fulfill its obligations concerning cybersecurity protection stipulated in this Regulation, it shall be punished in accordance with the applicable provisions of the Cybersecurity Law of the People's Republic of China.

Article 49 Anyone who violates the provisions of this Regulation and causes damage to others shall bear civil liability in accordance with the law.

Where any violation of this Regulation constitutes a violation of public security administration, the violator shall be given a public security administration punishment; if the violation constitutes a crime, the violator shall be held criminally liable in accordance with the law.

Chapter VI Supplemental Provisions

Article 50 The protection of the security of CII for storing and processing state secrets shall also comply with the provisions of laws and administrative regulations on confidentiality.

The use and management of passwords in respect of the CII shall also comply with the provisions of relevant laws and administrative regulations.

Article 51 This Regulation shall come into force on September 1, 2021.

 


Original Link: https://www.pkulaw.com/en_law/34a2a5e14df5feb9bdfb.html