Overview & Analysis
The Regulation on the Security Protection of Critical Information Infrastructure is the core administrative regulation governing China's CII protection regime. Its purpose is to strengthen priority protection for key network facilities and information systems by clarifying identification rules, operator obligations, supervisory responsibilities, and supporting measures. The Regulation makes clear that where damage, loss of function, or data leakage could seriously endanger national security, the national economy, people's livelihoods, or the public interest, those systems fall into a specially protected category. Structurally, the Regulation not only defines what CII is — it also imposes a detailed set of obligations on operators, including establishing dedicated security management bodies, building security measures in parallel with infrastructure planning and deployment, conducting annual testing and risk assessments, reporting incidents, managing vendors, prioritizing secure and trustworthy procurement, and taking explicit responsibility for personal information and data security.
Its importance for AI is substantial because many AI projects are not standalone software experiments — they are deployed on top of cloud environments, data platforms, industrial systems, operational systems, and sector-critical business infrastructure. For companies that fall within the CII perimeter, or are tightly integrated with it, AI becomes part of a broader CII security, data security, and business continuity problem rather than just an innovation project. The Regulation is closely linked to cybersecurity review, data security, and personal information protection requirements, and requires enterprises to build systematic governance capabilities across structure, supply chain, operations, incident response, and procurement control. For companies deploying AI infrastructure, sectoral AI systems, intelligent operations platforms, or high-impact automation in China, this Regulation is one of the foundational rules.
The definition is not limited to a fixed list of sectors: any other network facilities or information systems where damage, loss of function, or data leakage could seriously endanger national security, the national economy, people's livelihoods, or the public interest also fall within scope.
- Synchronous planning: Security measures must be planned, built, and put into use simultaneously with CII (Art. 12)
- Governance structure: Establish cybersecurity protection systems, accountability systems, and investment in people, funds, and materials; principal person in charge bears overall responsibility (Art. 13)
- Dedicated security body: Establish a specialized security management body; conduct security background checks on its leaders and key-position personnel (Art. 14)
- Annual assessment: Conduct cybersecurity testing and risk assessment at least once a year, promptly rectify security problems, and report to the protection work department (Art. 17)
- Incident reporting: Report major cybersecurity incidents or major threats to the protection work department and public security organ (Art. 18)
- Procurement controls: Priority procurement of secure and trustworthy products and services; security review required where procurement may affect national security (Art. 19)
- Vendor agreements: Sign security and confidentiality agreements with product/service providers, clarifying technical support and confidentiality obligations (Art. 20)
- Data protection: Maintain data integrity, confidentiality, and availability; establish personal information and data security protection systems (Arts. 6 & 15)
| Violation | Entity Fine | Responsible Person Fine | Additional Sanctions |
|---|---|---|---|
| General non-compliance with operator obligations (Art. 39) | RMB 100K–1M | RMB 10K–100K | Warning + order to correct first |
| Failure to report major incident (Art. 40) | RMB 100K–1M | RMB 10K–100K | Warning + order to correct first |
| Procurement without security review (Art. 41) | 1×–10× procurement amount | RMB 10K–100K | Order to correct |
| Failure to cooperate with inspections (Art. 42) | RMB 50K–500K | RMB 10K–100K | Serious cases: further liability |
| Illegal intrusion/damage (Art. 43) | RMB 100K–1M | Detention up to 15 days | Admin penalty: 5-yr ban; criminal: lifetime ban from cybersecurity roles |
This Regulation becomes relevant whenever AI systems are embedded into, support, affect, or connect with key business operations, important network facilities, or core information systems in important sectors. For many multinationals, the question is not only whether they themselves are CII operators, but also whether they provide AI capabilities, cloud services, operational support, data platforms, or embedded algorithms to CII customers.
1. Deploying AI Systems in Important Sectors and Fields
If AI is deployed in finance, energy, transport, public services, telecoms, e-government, industrial control, or other CII-covered sectors — especially where it supports key core business, affects large-scale service availability, or could cause substantial social or economic harm if it fails — the AI system becomes part of the protected operating environment. It must be planned, assessed, monitored, and incorporated into emergency response, not managed as a standalone innovation project.
2. CII Operators Procuring AI-Related Network Products and Services
The Regulation requires operators to prioritize procurement of secure and trustworthy network products and services, and where procurement may affect national security, a security review must be conducted. In AI practice, this may cover cloud services, high-performance computing, large databases, AI platform software, operational tools, and model services. AI procurement is not merely a technical selection issue — it also raises questions of trustworthiness, supplier commitments, confidentiality agreements, and potential review triggers under the Cybersecurity Review Measures.
3. AI Projects Processing Personal Information, Important Data, or Sectoral Operational Data
The Regulation expressly requires operators to maintain data integrity, confidentiality, and availability, and to establish personal information and data security protection systems. For AI projects, this matters whenever training, inference, monitoring, logging, profiling, prediction, optimization, or automated decision-making depends on large-scale data — especially operational and sensitive data. Data flows, access rights, vendor exposure, and incident response must be handled through a CII-security lens, not only through ordinary privacy-compliance review.
4. AI Design, Construction, Operations, or Maintenance Depending on Third-Party Providers
The Regulation requires operators to implement security management over services related to design, construction, operation, and maintenance, and to sign security and confidentiality agreements with providers clearly allocating support and confidentiality obligations. For companies using third-party foundation models, SaaS AI tools, systems integrators, managed service providers, or outsourcing teams, third-party governance must be part of AI governance — especially where the third party may touch production systems, sensitive data, remote maintenance interfaces, or critical model components.
5. AI Systems That Could Affect Business Continuity or Trigger Major Cybersecurity Incidents
The Regulation requires regular monitoring, testing, risk assessment, and emergency drills, and imposes reporting obligations when major cybersecurity incidents or threats arise. For AI in automated operations, industrial optimization, intelligent dispatch, intelligent diagnosis, risk control, and other high-impact settings, model error, system failure, data leakage, or external attack may be viewed as incidents affecting CII security — triggering internal escalation and external reporting duties including to the protection work department and public security organ.
The way to balance compliance and speed is not to run every AI project through a heavyweight process, but to identify early which AI initiatives may sit inside or close to the CII perimeter, then apply higher standards of governance, procurement, third-party management, operational control, and incident response to those cases.
Assess Whether the Project Sits Inside the CII Impact Zone
Require each China AI project to undergo a short upfront assessment: Is it deployed in an important sector? Does it support key core business? Is it coupled with sectoral core information systems or public service platforms? Could an outage cause meaningful social, economic, or public impact? Even if the company has not been formally notified as a CII operator, the exercise is worthwhile wherever major customers, platform environments, or business scenarios are clearly close to the CII perimeter.
Build Security Measures into AI Systems from the Outset
Article 12 requires security measures to be planned, built, and put into use simultaneously with the infrastructure. For AI projects, reject a "launch first, control later" mindset. Build identity and access control, logging and monitoring, data segregation, model rollback, human override, environment segmentation, vendor access control, and emergency planning into the design phase. This aligns with Chinese regulatory expectations and reduces rework after deployment.
Integrate AI Governance into Existing Cybersecurity and Data-Governance Structures
The Regulation requires operators to establish cybersecurity systems, accountability structures, dedicated security management bodies, and personal information and data security protection systems. For multinationals, the fastest path is often to add AI-specific controls into the company's existing China cybersecurity, data security, privacy, and IT risk-management framework — reusing existing roles and approvals while adding extra controls only for higher-risk AI scenarios.
Go Deeper on Vendor and Third-Party Model Management
Articles 19–20 require priority procurement of secure and trustworthy products, security reviews for national-security-sensitive procurement, and security and confidentiality agreements with all providers. In AI practice, procurement and engineering teams should jointly review vendor supply continuity, potential remote access to critical systems, exposure to training data or sensitive business data, local/isolated deployment capability, and ability to meet Chinese customer and regulator security requirements.
Establish Annual Assessment, Remediation, and Emergency Drill Mechanisms
Article 17 requires at least annual cybersecurity testing and risk assessment, prompt remediation of identified issues, and reporting to protection work departments. Management can operationalize this as: annual security and resilience reviews for important AI systems, focused reassessments of higher-risk models or platforms, remediation tracking for identified issues, and tabletop or switchover drills in critical business scenarios. This supports compliance while improving business readiness for AI failure modes.
Define Escalation and Reporting Rules for Major AI Incidents
Article 18 requires prompt reporting of major cybersecurity incidents or threats to the protection work department and public security organ. The Regulation's own list of particularly major incidents, which the protection work department must in turn escalate to the national cyberspace administration and the public security department of the State Council, includes an overall interruption of operation, failure of main functions, leakage of national basic information or other important data, large-scale personal-information leakage, and relatively major economic losses. For AI, define in advance which events trigger escalation (a model error disrupting key operations, anomalous automated behavior, sensitive data leaking through AI logs, a third-party maintenance mistake affecting production) and build these into the China incident-response process.
Ensure the Dedicated Security Body Is Involved in AI Decisions
Article 16 requires that personnel from the dedicated security management body participate in decisions related to cybersecurity and informatization. The China CISO, cybersecurity lead, or equivalent function should not appear only at final approval — they should participate at AI project selection, architecture design, vendor onboarding, major change management, migration, and decommissioning. This helps avoid late-stage structural vetoes after business and technology teams have already committed.
If You Serve CII Customers, Prepare to Operate at a Near-CII Standard
Even if the company itself is not the formally designated operator, an AI product or service deeply embedded in a CII customer environment will often be expected to meet security standards close to those of a CII operator. Treat such cases as "near-CII" projects and prepare stricter documentation, testing, access controls, vendor disclosures, support processes, and localization capability in advance. This is often key to winning customer trust and reducing delays during security reviews, tenders, and contract negotiations.
For multinational companies, this Regulation does not mean AI is impossible to deploy in China. It means AI has to be managed within a more mature infrastructure-governance framework. The most effective approach is to identify early which AI projects fall inside or close to the CII perimeter and then apply more intensive architecture review, vendor management, data protection, operational control, and emergency governance to those cases — allowing companies to preserve innovation speed while entering China's important sectors and higher-value AI use cases more confidently.
Complete Regulatory Text
Table of Contents
- Chapter I — General Provisions (Articles 1–7)
- Chapter II — Identification of Critical Information Infrastructure (Articles 8–11)
- Chapter III — Responsibilities and Obligations of Operators (Articles 12–21)
- Chapter IV — Safeguards and Promotion (Articles 22–38)
- Chapter V — Legal Liability (Articles 39–49)
- Chapter VI — Supplementary Provisions (Articles 50–51)
Relevant departments of provincial-level people's governments shall implement security protection and supervision and administration for critical information infrastructure within their respective duties.
No individual or organization may carry out activities that illegally intrude into, interfere with, or damage critical information infrastructure, or otherwise endanger the security of critical information infrastructure.
The formulation of identification rules shall mainly take into account the following factors:
(1) the importance of the network facilities and information systems to the key core business of the relevant industry or field;
(2) the degree of harm that may result if the network facilities and information systems are damaged, lose function, or suffer data leakage;
(3) the consequential impact on other industries and fields.
(1) Establishing and improving cybersecurity management and evaluation systems, and formulating security protection plans;
(2) Organizing and promoting cybersecurity protection capabilities, and carrying out cybersecurity monitoring, testing, and risk assessment;
(3) In accordance with national and industry emergency plans, formulating the entity's emergency plan, regularly organizing emergency drills, and handling cybersecurity incidents;
(4) Identifying key cybersecurity positions, organizing assessments, and proposing rewards and punishments;
(5) Organizing cybersecurity education and training;
(6) Fulfilling responsibilities for the protection of personal information and data security, and establishing and improving systems for their protection;
(7) Implementing security management over services related to design, construction, operation, and maintenance of critical information infrastructure;
(8) Reporting cybersecurity incidents and important matters in accordance with regulations.
Where a particularly major cybersecurity incident occurs, such as an overall interruption in the operation of critical information infrastructure or a failure of its main functions, leakage of national basic information or other important data, large-scale leakage of personal information, relatively major economic losses, or spread of illegal information over a relatively broad range, or where a particularly major cybersecurity threat is discovered, the protection work department shall, after receiving the report, promptly report to the national cyberspace administration and the public security department of the State Council.
Persons who receive public security administration penalties for CII violations may not engage in cybersecurity management or key network operation positions for 5 years; persons who receive criminal penalties may never engage in such positions.
Original text: 关键信息基础设施安全保护条例 (Regulation on the Security Protection of Critical Information Infrastructure)
(State Council Order No. 745, promulgated 30 July 2021, effective 1 September 2021)
Source: 中国政府网 (Chinese central government website)
The use and management of cryptography in critical information infrastructure shall also comply with the provisions of relevant laws and administrative regulations.