The “Regulation on Network Data Security Management” will come into effect on January 1, 2025.
The “Cybersecurity Law”, the “Data Security Law”, and the “Personal Information Protection Law” are the three fundamental laws in the field of information security. Building on those laws, the “Regulation on Network Data Security Management” further clarifies the relevant provisions. It was promulgated on September 24, 2024 and will come into effect on January 1, 2025.
This regulation is very important and there are many points worth paying attention to. Due to space limitations, we have selected only those points related to network data processors.
- Requirements for Network Data Security Systems
Regarding technical measures, Article 9 of the Regulation adds examples of technical measures such as backup, access control, security authentication, and other necessary measures, which provides more choices and guidance for enterprises. Enterprises can design rules and measures that fit their own situation by combining these with the security technology and management requirements for network data collection, storage, use, processing, transmission, provision, disclosure, and other data processing activities stipulated in GB/T 41479-2022 “Information Security Technology – Network Data Processing Security Requirements”.
- Obligation to Report Security Risks of Network Products and Services
The three fundamental laws do not stipulate a reporting time limit for security incidents. Previously, the “Regulations on the Management of Security Vulnerabilities of Network Products”, issued by the Ministry of Industry and Information Technology, the State Internet Information Office and the Ministry of Public Security in September 2021, required network product providers to submit relevant vulnerability information to the network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology within 2 days after they discovered, or were informed, that the network products they provided had security vulnerabilities. Article 10 of the Regulation explicitly requires network data processors to report risks such as vulnerabilities involving national security and public interests within 24 hours.
It should be noted that enterprises should also pay attention to whether there are reporting time limit requirements in their own location. For example, according to Section 4.1.1 of the “Shanghai Network Security Incident Emergency Plan”, the unit where a network security incident occurs shall report orally within half an hour, and in writing within one hour, to the Shanghai Cyberspace Administration Duty Room, the Shanghai Emergency Response Center, and the local network security authority of the place where the incident occurred; major network security incidents or special circumstances shall be reported immediately.
- Emergency Plan System for Network Data Incidents
Article 11 of the Regulation specifies three obligations of enterprises in the emergency response plan system for network data security incidents:
1) Reporting obligation.
2) Notification obligation. The Regulation stipulates that affected individuals and organizations need to be notified only when the incident causes harm to their legitimate rights and interests.
3) The obligation to report suspected illegal or criminal clues.
In addition, some local regulations and national standards set out response requirements for network security incidents, such as the “Shanghai Network Security Incident Emergency Plan”, GB/T 20985 “Information Technology – Security Technology – Information Security Incident Management”, GB/T 38645 “Information Security Technology – Network Security Incident Emergency Drill Guide”, etc.
- Requirements for network data exchange with third parties
According to Article 12 of the Regulation, a network data processor that, as the transmitting party, transmits network data (limited to personal information and important data) to third parties is required to sign a contract, supervise the receiving party, and keep records for 3 years.
Articles 14-17 of the Regulation provide clear provisions on the obligations of the receiving party. It is worth noting that, for the provision of services to state organs, the Regulation expands the regulatory scope beyond state organs to key information infrastructure operators, and to the participation of network data processors in the construction, operation, and maintenance of other public infrastructure and public service systems.
- Regarding the Evaluation of Automated Data Collection Technology
Article 18 of the Regulation provides rules on the use of automated tools such as web crawlers to access and collect network data; this is the first time such rules have been clarified. Generally speaking, behaviors such as bypassing the robots protocol, cracking a website’s own encryption rules (such as cracking the encryption algorithm of an app), and circumventing a website’s technical protection measures (such as using forged IPs, IDs, etc. to evade IP blocking and other technical protection measures) are more likely to be considered illegal intrusion into someone else’s network. Regarding the prohibition on interfering with the normal operation of network services, because it is difficult to define a unified standard for the normal operation of different network services, the Regulation requires enterprises to assess the impact on network services on their own.