Draft cybersecurity law standards are published to guide the practice

During the last week of August 2017, the National Information Security Standardization Technical Committee (the so-called TC260) published a series of draft technical standards to solicit public opinions. All these draft standards are closely related to the implementation of the PRC Cybersecurity Law (the “Law”).

The draft standards cover different aspects of the Law, which mainly include:

• Data protection: Security Requirements for Data Exchange Service; Data Security Capability Maturity Model; and Guide for De-Identifying Personal Information.
• Cross-border transfer of data: Guidelines for Data Cross-Border Transfer Security Assessment.
• Critical Information Infrastructure: Guide to Security Inspection and Evaluation of Critical Information Infrastructure; Indicator System of Critical Information Infrastructure Security Assurance.
• Operation security: Evaluation Criteria for Disaster Recovery Service Capability; Requirements for Disaster Recovery Service Capability; and Security Techniques Requirement for Network Storage.
• Network products and services: General Security Requirements of Network Products and Services; and Evaluation Criteria for ICS Products Security.
• Cloud computing: Security Guide of Government Website Cloud Computing Services; and Technology Requirement for Website Security Cloud Protection Platform.

While the Law sets out the general requirements at a very high level. All these draft standards provide detailed rules, procedures and specifications to guide the practice. The public will have until mid-October to submit comments on these drafts. We will keep following the developments and share further analysis once the final versions of the standards are published.

Please click here for the Chinese versions of the draft standards.