Details of the Cyber Security Law of the People's Republic of China:
Chapter I General Principles
Article 1
This Law is formulated in order to ensure network security, safeguard the sovereignty of cyberspace, national security and public interests, protect the legitimate rights and interests of citizens, legal persons and other organizations, and promote the healthy development of economic and social informatization.
Article 2
This Law is applicable to the construction, operation, maintenance and use of networks in the People's Republic of China (PRC), as well as the supervision and management of network security.
Article 3
The state adheres to the principle of paying equal attention to network security and information construction, following the principles of active utilization, scientific development, management according to law and ensuring security, promoting the construction and interconnection of network infrastructure, encouraging the innovation and application of network technology, supporting the training of network security personnel, establishing and improving the network security guarantee system and improving the network security protection capability.
Article 4
The state formulates and constantly improves the network security strategy, defines the basic requirements and main objectives of ensuring network security, and puts forward the network security policies, tasks and measures in key areas.
Article 5
The state takes measures to monitor, defend against and respond to cyber security risks and threats originating inside and outside the People's Republic of China, protect key information infrastructure from attacks, invasions, interference and destruction, punish illegal and criminal activities on the Internet according to law, and maintain the security and order of cyberspace.
Article 6
The state advocates honest, trustworthy, healthy and civilized network behavior, promotes the dissemination of socialist core values, takes measures to improve the awareness and level of network security of the whole society, and forms a good environment for the whole society to participate in promoting network security.
Article 7
The state actively carries out international exchanges and cooperation in cyberspace governance, research and development of network technologies and standards, and combating cybercrime, and promotes the construction of a peaceful, safe, open and cooperative cyberspace and the establishment of a multilateral, democratic and transparent network governance system.
Article 8
The National Network Information Department is responsible for coordinating network security and related supervision and management. The State Council telecommunications authorities, public security departments and other relevant departments are responsible for network security protection, supervision and management within the scope of their respective responsibilities and in accordance with this Law and relevant laws and administrative regulations. The responsibilities of network security protection and supervision and management of relevant departments of local people's governments at or above the county level shall be determined in accordance with relevant state regulations.
Article 9
Network operators must abide by laws and administrative regulations, respect social ethics, abide by business ethics, be honest and trustworthy, fulfill their obligations of network security protection, accept government and social supervision, and assume social responsibilities.
Article 10
In constructing and operating networks or providing services through networks, technical measures and other necessary measures shall be taken in accordance with the provisions of laws, administrative regulations and mandatory requirements of national standards to ensure the safe and stable operation of the network, effectively respond to network security incidents, prevent illegal and criminal activities on the network, and maintain the integrity, confidentiality and availability of network data.
Article 11
In accordance with the articles of association, network-related industry organizations strengthen industry self-discipline, formulate norms of network security behavior, guide members to strengthen network security protection, improve the level of network security protection, and promote the healthy development of the industry.
Article 12
The state protects the rights of citizens, legal persons and other organizations to use the Internet according to law, promotes the popularization of network access, improves the level of network services, provides safe and convenient network services for the society, and ensures the orderly and free flow of network information according to law. When using the Internet, any individual or organization shall abide by the Constitution and laws, observe public order and respect social morality, and shall not endanger network security or use the Internet to endanger national security, honor and interests, incite subversion of state power and overthrow of the socialist system, incite secession, undermine national unity, publicize terrorism and extremism, publicize ethnic hatred and discrimination, disseminate violent, obscene and pornographic information, fabricate and disseminate false information, or disrupt economic order.
Article 13
The state supports the research and development of network products and services that are conducive to the healthy growth of minors, punishes the use of the network to engage in activities that endanger the physical and mental health of minors, and provides a safe and healthy network environment for minors.
Article 14
Any individual or organization has the right to report acts endangering network security to the departments of network information, telecommunications and public security. The department that receives the report shall promptly handle it according to law; if the matter does not fall within the responsibilities of that department, it shall be transferred in time to the department that has the right to handle it. The relevant departments shall keep confidential the relevant information of informants and protect their legitimate rights and interests.
Chapter II Network Security Support and Promotion
Article 15
The state establishes and improves the network security standard system. The State Council standardization administrative department and other relevant departments in the State Council shall, according to their respective functions and duties, organize the formulation and timely revision of national standards and industry standards related to network security management and network products, services and operation safety. The state supports enterprises, scientific research institutions, universities and network-related industry organizations to participate in the formulation of national and industry standards for network security.
Article 16
The State Council and the people's governments of provinces, autonomous regions and municipalities directly under the Central Government should make overall plans, increase investment, support key network security technology industries and projects, support the research, development and application of network security technology, promote safe and reliable network products and services, protect the intellectual property rights of network technology, and support enterprises, research institutions and universities to participate in the national network security technology innovation project.
Article 17
The state promotes the construction of socialized network security service system and encourages relevant enterprises and institutions to carry out network security services such as certification, testing and risk assessment.
Article 18
The state encourages the development of network data security protection and utilization technology, promotes the opening of public data resources, and promotes technological innovation and economic and social development. The state supports the innovation of network security management methods and the application of new network technologies to improve the level of network security protection.
Article 19
People's governments at all levels and their relevant departments shall organize and carry out regular publicity and education on network security, and guide and urge relevant units to do a good job in publicity and education on network security. The mass media should carry out targeted publicity and education on network security for the society.
Article 20
The state supports enterprises, institutions of higher learning, vocational schools and other education and training institutions to carry out education and training related to network security, adopt various ways to cultivate network security talents, and promote the exchange of network security talents.
Chapter III Network Operation Security
Article 21
The state implements a network security level protection system. Network operators shall, in accordance with the requirements of the network security level protection system, perform the following security protection obligations, protect the network from interference, destruction or unauthorized access, and prevent network data from being leaked, stolen or tampered with:
(1) formulate internal security management systems and operating procedures, determine the person in charge of network security, and implement network security protection responsibilities;
(2) take technical measures to prevent computer viruses, network attacks, network intrusion and other acts that endanger network security;
(3) take technical measures to monitor and record the network operation status and network security incidents, and keep the relevant network logs for not less than six months in accordance with the regulations;
(4) take measures such as data classification, important data backup and encryption;
(5) other obligations stipulated by laws and administrative regulations.
Article 22
Network products and services shall meet the mandatory requirements of relevant national standards. Providers of network products and services shall not set up malicious programs; when a provider finds that there are risks such as security defects and loopholes in its network products and services, it shall immediately take remedial measures, inform users in a timely manner according to regulations, and report to the relevant competent departments. Providers of network products and services shall provide continuous security maintenance for their products and services; the provision of security maintenance shall not be terminated within the time limit stipulated or agreed by both parties. If a network product or service has the function of collecting user information, its provider shall state this clearly to the user and obtain consent; where personal information of users is involved, the provisions of this Law and relevant laws and administrative regulations on the protection of personal information shall also be observed.
Article 23
Network key equipment and network security special products shall be sold or provided in accordance with the mandatory requirements of relevant national standards, and only after passing the safety certification of qualified institutions or meeting the safety inspection requirements. The national network information department shall, jointly with the relevant departments of the State Council, formulate and publish the catalogue of key network equipment and special products for network security, promote mutual recognition of safety certification and safety testing results, and avoid repeated certification and testing.
Article 24
Where network operators handle network access and domain name registration services for users, handle network access procedures such as fixed telephones and mobile phones, or provide users with services such as information release and instant messaging, they shall, when signing an agreement with users or confirming the provision of services, require users to provide real identity information. If the user does not provide true identity information, the network operator shall not provide relevant services for that user. The state implements the network trusted identity strategy, supports the research and development of safe and convenient electronic authentication technology, and promotes mutual recognition between different electronic authentications.
Article 25
Network operators should formulate emergency plans for network security incidents and respond to security risks such as system vulnerabilities, computer viruses, network attacks and network intrusions in a timely manner; in the event of an incident that endangers network security, they shall immediately start the emergency plan, take corresponding remedial measures, and report to the relevant competent authorities as required.
Article 26
Those who carry out network security authentication, detection, risk assessment and other activities, or who release network security information such as system vulnerabilities, computer viruses, network attacks and network intrusions to the society, shall abide by the relevant provisions of the state.
Article 27
No individual or organization may engage in activities that endanger network security, such as illegally intruding into other people's networks, interfering with the normal functions of other people's networks, or stealing network data; nor may they provide programs and tools specially used to engage in activities that endanger network security, such as invading the network, interfering with the normal functions and protective measures of the network, and stealing network data; where they know that others are engaged in activities that endanger network security, they shall not provide technical support, advertising promotion, payment and settlement services.
Article 28
Network operators shall provide technical support and assistance for the activities of public security organs and state security organs to safeguard national security and investigate and deal with crimes according to law.
Article 29
The state supports network operators to cooperate in the collection, analysis, notification and emergency response of network security information, so as to improve the security capability of network operators. Relevant industry organizations should establish and improve the norms and cooperation mechanisms of network security protection in their own industries, strengthen the analysis and evaluation of network security risks, regularly give risk warnings to members, and support and assist members in coping with network security risks.
Article 30
The information obtained by the network information department and relevant departments in performing their duties of network security protection can only be used for the needs of maintaining network security and shall not be used for other purposes.
Article 31
On the basis of the network security level protection system, the state gives priority protection to important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and other key information infrastructures that may seriously endanger national security, national economy and people's livelihood and public interests. The specific scope of key information infrastructure and security protection measures shall be stipulated by the State Council. The state encourages network operators outside the key information infrastructure to voluntarily participate in the key information infrastructure protection system.
Article 32
In accordance with the division of responsibilities stipulated by the State Council, the department responsible for the security protection of key information infrastructure shall prepare and organize the implementation of the security planning of key information infrastructure in its own industry and field, and guide and supervise the security protection of key information infrastructure.
Article 33
The construction of key information infrastructure should ensure that it has the performance of supporting the stable and continuous operation of the business, and ensure that the safety technical measures are planned, constructed and used simultaneously.
Article 34
In addition to the provisions of Article 21 of this Law, the operators of key information infrastructure shall also perform the following security protection obligations:
(1) set up special security management institutions and security management leaders, and conduct security background checks on the leaders and personnel in key positions;
(2) conduct cyber security education, technical training and skill assessment for employees on a regular basis;
(3) carry out disaster recovery backup of important systems and databases;
(4) formulate emergency plans for network security incidents and conduct regular drills;
(5) other obligations stipulated by laws and administrative regulations.