2. Does the CSL apply to your business in China?
The Cyber Security Law of the People’s Republic of China (CSL)
entered into force on the 1st of June 2017. The CSL is the last of a
trio of laws dealing with cybersecurity, including National Security
Law (1st of July 2015) and Anti-Terrorism Law (1st of January
2016). It has signicant implications with regards to data privacy
and data transfer for EU SMEs doing business in China.
The CSL is rather wide in scope, targeting topics such as: the
internet security and the protection of private and sensitive
information. The legal framework of the CSL is not very detailed
and it is combined with provisions dispersed in various laws and
regulations. To implement the CSL, multiple implementation
regulations were released and further regulations are still
pending. As the CSL evolves fast through amendments, you
should keep yourself up do date with the latest regulations, to
Adoption of the CSL can be seen as a reection of the industrial
policy evolution in China, in particular along with the recent
encouragement towards domestic innovation and development
of domestic digital ecosystem as well as reduction of dependency
on foreign technology when critical infrastructures are involved.
From the IP protection perspective, the CSL on one hand serves
as guiding measures relating to network security and trade
secret protection, but on the other hand, the obligations the
CSL poses on EU SMEs have implications on the use of data,
particularly in R&D collaborations.
This guide provides you with an overview of the CSL, its
implications to data privacy and IP protection and oers SMEs
tips on how to eectively protect their IP.
The CSL is applicable to Chinese companies as well as to
any international entities doing business in China. In case
you qualify either as a “network operator” or a “critical
information infrastructure operator”, you must comply with
the obligations imposed by the CSL since according to the
law, network operators and critical information infrastructure
operators are required to full certain technical security
measures and procedures to protect networks.
Network operators and Critical information
The CSL dierentiates two types of entities: “network operators”
and “critical information infrastructure (CII) Operators”.
Network operators are the owners or administrators of a
network, as well as the providers of any network services.
The denition is so wide that even if the law clearly targets
IT companies, this category could be applicable to any
business who operates a website in China. So, if you have
a website in China you must comply with the CSL. Network
Operators are required to full certain technical security
measures and procedures to protect networks, which will
be explained below.
Critical information infrastructure (CII) operators
Critical Information Infrastructure (CII) Operators are also
network operators, but with an infrastructure “that, in the event
of damage, loss of function, or data leakage, might seriously
endanger national security, national welfare or the livelihood
of the people, or the public interest”. The majority of CII
Operators belong to the public sector (energy, transportation,
water conservancy, nance, e-government, public services etc.)
with some belonging to the private sector, in particular:
；Companies providing telecom and information services
(for example, providing telecommunications networks,
radio and television networks, the Internet as well as
providing cloud computing, big data services etc.),
；Companies engaged in research and production in areas
such as national defence, chemistry, food and drugs, and
other key industries, etc.
In case you can identify your company in this category, more
stringent regulations will apply to your business.
If you operate a website in China, you can be
considered a network operator and must comply
with the obligations of the Cyber Security Law.
Compliance with Cyber Security Law and
its impact on IP protection