MIIT seeks opinions on the Guidelines for Operational Safety Assessments of New Internet Industry Businesses
This article was originally posted in the Gongkong news center and is part of a new series aimed at raising awareness of China's Industry 4.0 Initiative.
On June 9, the MIIT is seeking opinions on the new Guidelines for Operational Safety Assessments of New Internet Industry Businesses that help to regulate new Internet businesses such as Internet telecom operators to maintain network information security and promote the healthy development of the Internet industry.
The operations mentioned in the Guidelines refer to the operations of telecom operators that have operating licenses to provide Internet services, as well as other new telecom businesses that employ new Internet technologies that have yet to be recorded under the Telecom Categories List.
The safety assessments mentioned in the Guidelines refer to mitigation measures against network information security risks that could trigger on the telecom operators' end.
For telecom operators with new Internet businesses that have operated for more than three years are categorised under daily supervision and management and will not be assessed under the new guidelines.
The drafted Guidelines has a total of 31 provisions, with the main provisions as the following:
(A) To clearly define the scope of the Guidelines
The Guidelines apply to Internet safety assessments of telecom operators in China. In conjunction with the People's Republic of China Telecommunications Regulations, the guidelines define new Internet services as services of telecom operators that have operating licenses to provide Internet services, as well as other new telecom businesses that employ new Internet technologies that have yet to be recorded under the Telecom Categories List.
(B) To outline pre-conditions for safety assessments to be conducted
Telecom operators that propose new Internet services to the public, should undergo safety assessments for the new Internet services. Assessed aspects include personal information protection, network safety and information security as well as comprehensiveness of information management systems. Telecom operators can choose to arrange for self-assessments or commission an external professional organization for assessment. The assessment shall particularly assess major changes in technological and operational changes, business capabilities or user scale that could create significant risks for network information security.
(C) To establish the safety assessment reporting system
The Guidelines stipulate that telecom operators to submit relevant security assessments to the Telecommunications Regulatory Authority within 45 days of launching new Internet services by providing written evaluation reports and other materials. If the Telecommunications Regulatory Authority deem that the assessment does not comply with relevant regulations and standards, telecom operators are required to make corrections or re-evaluate and assess the material submitted within 30 days.
(D) To improve the supervision and inspection system
The Guidelines require regulatory authorities to actively supervise and monitor the safety assessment telecom operators with new Internet services and detect major network information security risks. In circumstances where the operators fails to promptly carry out safety assessments, authorities are to question the person in charge. The Guideline also establish a Internet security assessment reporting system requiring regulatory agencies to regularly publish security assessments of new Internet businesses. At the same time, Telecommunications Regulatory Authorities are strictly instructed to not charge any fees for the security assessments in order not to impede the normal operation or service activities of these new businesses.
(E) To promote innovation and development.
The guidelines encourage telecommunication service operators to innovate in providing Internet services and enhance the level of development of the Internet industry. Given active innovation in the Internet industry, in order to facilitate business innovation and entrepreneurship, new Internet servicers that have operated for more than three years are no longer stipulated to follow the safety assessments of the Guidelines.
In addition, the Guidelines also clearly specifies the legal responsibility for breaching security assessment requirements.