Chapter I General Provisions
Article 1 This Law is formulated with a view to guaranteeing the cybersecurity, safeguarding the cyberspace sovereignty, national security and public interests, protecting the legal rights and interests of citizens, legal persons and other organizations and promoting the sound development of the economic and social informationization.
Article 2 This Law shall apply to the construction, operation, maintenance and use of the network as well as the supervision and administration of cybersecurity within the territory of the People's Republic of China.
Article 3 The state shall lay equal stress on cybersecurity and information-based development, follow the guidelines of active utilization, scientific development, legal management and security guarantee, promote the construction and interconnection of network infrastructure, encourage the innovation and application of network technologies, support the cultivation of cybersecurity talents, establish and improve the cybersecurity guarantee system, and enhance the capability to protect the cybersecurity.
Article 4 The state shall develop and continuously improve cybersecurity strategies, specify the basic requirements and major objectives of cybersecurity guarantee and put forward cybersecurity policies, tasks and measures in key fields.
Article 5 The state shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both inside and outside the territory of the People's Republic of China, protect critical information infrastructure from attack, intrusion, interference and damage, punish illegal and criminal network activities in accordance with the law and maintain cyberspace security and order.
Article 6 The state shall advocate honest, faithful, healthy and civilized network conduct, advance the spreading of core socialist values and take measures to enhance the awareness and level of cybersecurity of the whole society, so as to form a favorable environment for promoting cybersecurity with the participation of the whole society.
Article 7 The state shall actively develop international exchange and cooperation in aspects of cyberspace administration, network technology R&D, formulation of standards thereof, crackdown on illegal crimes related to the network and others, promote the construction of a peaceful, safe, open and cooperative cyberspace and establish a multi-lateral, democratic and transparent network administration system.
Article 8 The national cyberspace administration is responsible for the overall coordination of cybersecurity work and relevant supervision and administration. The competent telecommunications departments of the State Council, public security departments and other relevant authorities shall be responsible for cybersecurity protection, supervision and administration within their respective functions and duties in accordance with the provisions of this Law and relevant laws and administrative regulations.
Cybersecurity protection, supervision and administration duties and responsibilities of relevant departments of the local people's government at or above the county level shall be determined in accordance with the relevant provisions of the state.
Article 9 Network operators, in their operations and service activities, must abide by laws and administrative regulations, respect social morality, observe business ethics, act honestly and in good faith, perform the cybersecurity protection obligations, accept the supervision by the government and the public, and undertake social responsibilities.
Article 10 For the construction and operation of the network or the provision of services through the network, technical measures and other necessary measures shall be taken in accordance with the provisions of the laws and administrative regulations and compulsory requirements of national standards to ensure the safe and stable operation of the network, effectively respond to cybersecurity incidents, prevent illegal and criminal activities related to the network and maintain the integrity, confidentiality and availability of network data.
Article 11 Network-related industry organizations shall, in accordance with their articles of association, enhance industrial self-regulation, formulate codes of conduct on cybersecurity, direct their members to strengthen cybersecurity protection, raise the level of cybersecurity protection, and promote the sound development of the industry.
Article 12 The state shall protect the rights of citizens, legal persons and other organizations to use the network in accordance with the law, promote the popularity of network access, increase network service level, provide safe and convenient network services for the society and ensure the orderly and free flow of network information in accordance with the law.
Any individual and organization, in their use of the network, shall comply with the Constitution and laws, follow public order, respect social ethics, and shall not endanger the cybersecurity, or use the network to engage in any activity that endangers the national security, honor and interest, incites to subvert the state power or overthrow the socialist system, incites to split the country or undermine the state unity, advocates terrorism or extremism, propagates ethnic hatred or discrimination, spreads violent or pornographic information, fabricates or disseminates false information to disrupt the economic and social order, or infringes the reputation, privacy, intellectual property and other legal rights and interests of any other person.
Article 13 The state shall support the research and development of network products and services that are conducive to the healthy growth of minors, punish the activities that damage the physical and mental health of minors by means of the network in accordance with the law, and provide a safe and healthy network environment for minors.
Article 14 Any individual or organization shall have the right to report the conduct endangering cybersecurity to the cyberspace administration, telecommunications department, public security departments and other departments. The department that receives the report shall timely handle such a report in accordance with the law, or timely transfer the report to the competent department if it falls beyond its duties and responsibilities.
The relevant department shall keep confidential the information on the informer and protect its legal rights and interests.
Chapter 2 Cybersecurity Support and Promotion
Article 15 The state shall establish and improve a cybersecurity standard system. The standardization administration and other relevant departments of the State Council shall, according to their respective functions and duties, organize the formulation of and properly revise national and professional standards concerning the cybersecurity administration and the security of network products, services and operations.
The state supports enterprises, research institutes, institutions of higher learning, and network-related industry organizations to participate in the formulation of national and professional standards concerning the cybersecurity.
Article 16 The State Council and the people's governments of the province, autonomous region, and municipality directly under the Central Government shall make overall planning, increase the input, support key cybersecurity technology industries and projects as well as the research, development and application of cybersecurity technologies, popularize safe and reliable network products and services, protect the intellectual property rights of network technologies and support enterprises, research institutes and institutions of higher learning to participate in national innovation projects on cybersecurity technologies.
Article 17 The state shall advance the construction of a socialized service system for cybersecurity and encourage relevant enterprises and institutions to provide security services such as cybersecurity authentication, detection and risk assessment.
Article 18 The state shall encourage the development of network data security protection and application technologies, promote the availability of public data resources, and boost the technological innovation and economic and social development.
The state shall support the innovation of cybersecurity management methods and the application of new network technologies to enhance the cybersecurity protection.
Article 19 The people's governments at all levels and their relevant departments shall organize regular cybersecurity publicity and education, direct, supervise and urge relevant units to properly carry out cybersecurity publicity and education.
The mass media shall offer cybersecurity publicity and education to the public in a targeted manner.
Article 20 The state shall support enterprises, institutions of higher learning, vocational schools and other education and training institutions to carry out cybersecurity-related education and training, take multiple measures to cultivate cybersecurity talents and promote the exchange of cybersecurity talents.
Chapter 3 Network Operation Security
Section 1 General Provisions
Article 21 The state shall implement the classified protection system for the cybersecurity. The network operators shall fulfill the following security protection obligations according to the requirements of the above system to protect the network from interference, damage or unauthorized access and prevent network data from being leaked, stolen or falsified:
(I) Develop internal security management system and operation specifications, appoint persons in charge of cybersecurity and fulfill cybersecurity protection responsibilities;
(II) Take technical measures to prevent computer virus, network attack, network invasion and other acts endangering cybersecurity;
(III) Take technical measures to monitor and record network operation status and cybersecurity incidents, and preserve relevant weblogs for at least six months in accordance with provisions;
(IV) Take measures such as classification of data, backup and encryption of important data; and
(V) Others as prescribed by the laws and administrative regulations.
Article 22 Network products and services shall comply with the compulsory requirements of relevant national standards. Providers of the network products and services shall not set up malware; where a provider discovers any security defect, vulnerability and other risk, it shall immediately take remedial measures, timely inform the users and report to the relevant competent departments in accordance with provisions.
Providers of the network products and services shall provide continuous security maintenance for their products and services and shall not terminate the provision of the security maintenance within the specified period or the period agreed by the parties.
Where the network products and services have the function of collecting the user's information, their providers shall explicitly inform their users and obtain their consent. In case that any user's personal information is involved, the providers shall also comply with the provisions of this Law and relevant laws and administrative regulations on personal information protection.
Article 23 Key network equipment and dedicated cybersecurity products shall pass the security authentication by qualified institutions or conform to security detection requirements in accordance with compulsory requirements of relevant national standards before being sold or provided. National cyberspace administration shall, jointly with the relevant departments of the State Council, develop and release the catalogue of key network equipment and dedicated cybersecurity products, and promote the mutual recognition of security authentication and security detection results to avoid repeated authentication and detection.
Article 24 Where the network operators provide network access and domain name registration services and handle formalities for network access of fixed-line telephone and mobile phone for users, or provide information release, instant communication and other services for users, they shall request the users to provide real identity information when signing agreements with users or confirming the provision of services. Where any user fails to provide the real identity information, the network operator shall not provide him/her with relevant services.
The state shall implement the strategy of trusted identities in cyberspace, support the research and development of safe and convenient electronic identity authentication technologies and promote the mutual recognition between different electronic identity authentication technologies.
Article 25 Network operators shall develop emergency response plans for cybersecurity incidents and timely deal with system vulnerability, computer virus, network attack, network invasion and other security risks; in case of any incident endangering the cybersecurity, the relevant operator shall immediately initiate the emergency response plan, take corresponding remedial measures and report it to the relevant competent department in accordance with relevant provisions.
Article 26 Such activities as cybersecurity authentication, detection and risk assessment as well as the release of the cybersecurity information such as system vulnerability, computer virus, network attack and network invasion to the public shall comply with the relevant provisions of the state.
Article 27 No individual or organization shall engage in activities endangering cybersecurity such as illegal invasion into any other person's network, interference with the normal functions of any other's network and stealing of network data, or provide programs and tools dedicated for activities endangering cybersecurity such as network invasion, interference with normal functions and protective measures of the network and stealing of network data. Whoever knows that any other person is involved in any activity endangering the cybersecurity shall not offer technical support, advertising promotion, payment and settlement or other assistance to such a person.
Article 28 Network operators shall provide technical support and assistance for the public security organs and national security organs to carry out activities of national security safeguarding and crime investigation in accordance with the law.
Article 29 The state shall support the cooperation between network operators with respect to collection, analysis, notification and emergency response of cybersecurity information so as to enhance their capabilities to safeguard the security
Relevant industry organizations shall establish and improve regulations and cooperation mechanisms of cybersecurity protection in their industries, strengthen the analysis and assessment on cybersecurity risks, regularly give risk warnings to the members, and provide support and assistance for the members to cope with the cybersecurity risks.
Article 30 Information obtained by the cyberspace administration and relevant departments during their performance of cybersecurity protection duties and responsibilities can be used only for safeguarding cybersecurity, but not for other purposes.