This timeline systematically documents the evolution of China’s legal and policy framework for the protection of Critical Information Infrastructure (CII). It begins with the promulgation of the Regulations on the Security Protection of Computer Information Systems in 1994, follows the formal introduction of the CII concept in the Cybersecurity Law of 2016, and extends to the issuance and implementation of the Regulation on the Security Protection of Critical Information Infrastructure in 2021. Together, these developments illustrate China’s transition from a legal vacuum to a gradually institutionalized regime in the field of CII protection.;xNLx;;xNLx;To reflect the multidimensional nature of this process, the timeline categorizes key entries into five color-coded types: ;xNLx;(Orange) Law: Statutory legislation enacted by the National People’s Congress or its Standing Committee;;xNLx;(Yellow) Beyond Statute: Subordinate legal instruments such as administrative regulations and ministerial rules;;xNLx;(Bright Yellow) Law-Making Activity: Legislative milestones including draft releases, public consultations, and policy design documents;;xNLx;(Green) Event: Major real-world developments, institutional adjustments, or strategic announcements;;xNLx;(Blue) International Practice: Foreign laws and practices related to CII protection that have influenced China's regulatory choices. ;xNLx;This classification highlights not only the domestic construction of China’s CII legal regime, but also the impact of international models on the country’s rulemaking process. ;xNLx;In terms of governance approach, China has adopted a state-centered model, characterized by top-down legislation and administrative enforcement. This approach places strong emphasis on national security, centralized oversight, and vertical control, contrasting with the decentralized frameworks seen in some other jurisdictions that rely more heavily on market mechanisms, contractual arrangements, and sectoral self-regulation.;xNLx;;xNLx;It is worth noting that due to policy considerations, Chinese authorities and official media rarely disclose concrete cases of cyberattacks or system failures involving critical infrastructure. Nonetheless, by analyzing official documents, legislative developments, and international trends, one can reasonably infer the underlying risk factors and policy motivations that have driven China’s regulatory responses. Accordingly, this timeline tries to provides analytical insight into external influences and internal logic of China's CII protection .
On February 18, 1994, the State Council of the People's Republic of China issued the Regulations on the Protection of Computer Information System Security. This regulation marked one of China’s earliest efforts to establish a legal framework for information system security. Article 4 of the regulation emphasizes that the primary focus of security protection shall be on computer information systems serving national affairs, economic development, national defense, and cutting-edge scientific and technological sectors. This laid the groundwork for prioritizing the protection of critical national digital infrastructure.
China officially entered the full-function Internet era when the Computer Network Information Center of the Chinese Academy of Sciences successfully exchanged emails with counterparts in the United States. This milestone marked the beginning of China’s modern Internet age.
In 1997, China’s Criminal Law formally established the offenses of Illegal Intrusion into Computer Information Systems and Sabotage of Computer Information Systems, marking the country’s initial steps in criminalizing cyber-related activities under national legislation.
In 1998, the Ministry of Public Security established the Public Information Network Security Supervision Bureau to strengthen cybersecurity governance over the internet. This marked a key step in institutionalizing the state's capacity to regulate online activities and enhance oversight of internet-based risks.
On December 28, 2000, the Standing Committee of the National People’s Congress issued the Decision on Safeguarding Internet Security—China’s first nationwide legal document focused exclusively on internet safety and order. This quasi-legislative decision aimed to address the growing social, economic, and security challenges brought by the rapid development of the Internet. It criminalized a wide range of online activities that threatened national security, social stability, market order, and individual rights, including cyber intrusion, virus dissemination, subversive content, fraud, IP infringement, and online obscenity. The decision also mandated administrative and civil liabilities for non-criminal online violations and called on public authorities and internet service providers to enhance security awareness, technical defenses, and monitoring. This marked a foundational step in China’s legal approach to protecting the security of cyberspace and critical online infrastructure.
South Korea enacted the Act on the Protection of Information and Communications Infrastructure, one of the earliest national laws focusing on CII. It mandates risk assessment, protective measures, and response planning to safeguard critical information and communications systems from electronic threats.
As part of the Homeland Security Act of 2002, the Critical Infrastructure Information Act (CII Act) was enacted to enhance information sharing between the private sector and the federal government. The Act authorized the creation of the Protected Critical Infrastructure Information (PCII) Program, a federal initiative designed to encourage owners and operators of critical infrastructure to voluntarily share security-related information with the Department of Homeland Security (DHS). To support this effort, Title 6 of the Code of Federal Regulations, Part 29 (6 CFR Part 29) was later issued as the Procedures for Handling Critical Infrastructure Information. It established uniform guidelines for the receipt, handling, marking, storage, and use of voluntarily submitted CII data. The PCII protections ensure that such information is exempt from public disclosure laws, protected from regulatory use, and shielded from civil litigation—thus fostering a trusted environment for public-private cooperation in national infrastructure security.
In 2005, following the establishment of the National Information Security Center (NISC), Japan introduced the First Action Plan on Information Security Measures for Critical Information Infrastructure. Based on the "Basic Orientation for Countermeasures Necessary for Protecting Critical Infrastructure from IT Outages," the plan formalized cybersecurity responsibilities for both the government and CII providers. It built upon earlier initiatives such as the 2000 Special Action Plan on Cyber-terrorism Countermeasures, and set in motion coordinated efforts across 10 critical sectors to minimize IT disruptions and strengthen national CII resilience through public-private collaboration, threat analysis, and cross-sectoral exercises.
On June 22, 2007, China’s Ministry of Public Security, the National Administration for the Protection of State Secrets, the State Encryption Management Bureau, and the State Council Informatization Office jointly issued the Regulations on the Classified Protection of Information Security (also known as the “Multi-Level Protection Scheme,” or MLPS). This regulation established a national framework for classifying and protecting information systems based on their potential impact on national security, public interests, and citizens' rights. It introduced the principles of self-classification, self-protection, and government oversight, and divided systems into five security levels, with progressively stricter requirements for higher levels. The regulation assigned oversight responsibilities to multiple agencies and covered a comprehensive range of issues, including technical standards, product procurement, system assessments, compliance auditing, and legal liability. It laid the technical and institutional groundwork for the later development of China's Critical Information Infrastructure (CII) protection regime, and became a cornerstone in the early stages of China's cybersecurity legal framework.
In 2008, the Public Information Network Security Supervision Bureau was renamed the Cybersecurity Administration Bureau under the Ministry of Public Security. Around the same time, cybersecurity divisions were established within local public security departments. This period saw a rapid expansion of the cyber police force, continual refinement of law enforcement procedures for cyberspace, and a notable enhancement in the capacity of cyber police to perform their duties—contributing to a more orderly and secure cyberspace environment.
On June 8, 2010, the State Council Information Office of the People's Republic of China released a white paper titled "The Internet in China", which outlined the growing cybersecurity challenges facing the country. According to the report, by 2009: Over 1 million computer IP addresses in China were under foreign control; Approximately 42,000 websites were hacked and defaced; Each month, around 18 million computers were infected by the "Ficker" worm virus network, accounting for about 30% of global infected machines. Data provided by the Ministry of Public Security revealed that over the past five years: The number of viruses spreading on the Chinese Internet increased by more than 80% annually on average; 8 out of every 10 computers connected to the Internet were controlled by hackers; The number of criminal cases related to hacking and cyberattacks accepted by public security authorities grew at an average annual rate of 110%. These illegal cyber activities pose serious threats to society. They not only compromise the security of computer information systems and data, but also endanger national security, undermine public interest, and violate the legitimate rights and interests of individuals, corporations, and other organizations.
The Cyberspace Administration of China (CAC) was established in May 2011. Its primary responsibilities include implementing policies and regulations related to internet information dissemination, promoting the rule of law in cyberspace governance, and guiding, coordinating, and supervising relevant departments in managing online content. The CAC is also tasked with investigating and handling illegal or non-compliant websites in accordance with national laws and regulations, aiming to maintain a secure, orderly, and clean online environment.
On June 20, 2011, the Supreme People's Court and the Supreme People's Procuratorate jointly adopted the Interpretation on Several Issues Concerning the Application of Law in Handling Criminal Cases Involving the Endangerment of Computer Information System Security (hereinafter referred to as the Interpretation). It was passed by the 1524th meeting of the Judicial Committee of the Supreme People's Court and the 63rd meeting of the 11th Procuratorial Committee of the Supreme People’s Procuratorate, and came into effect on September 1, 2011.
Since April 2012, a foreign-based hacker group known as OceanLotus (also known as APT32) has launched well-organized and sophisticated cyberattacks against Chinese entities, including maritime authorities, oceanic construction departments, research institutes, and shipping enterprises. According to threat intelligence reports, the campaign is assessed to be an Advanced Persistent Threat (APT) operation supported by a foreign government, indicating a high level of technical capability, persistence, and strategic intent.
On December 28, 2012, the 30th Meeting of the Standing Committee of the 11th National People's Congress adopted the Decision on Strengthening the Protection of Online Information. This Decision, enacted in legal form, aims to safeguard the security of personal and organizational information, establish a system of online identity management, and clarify the rights, obligations, and responsibilities of all relevant parties. It also empowers government authorities with necessary regulatory tools and plays a significant role in promoting the healthy and orderly development of the Internet in China.
In October 2013, the Cybersecurity Law of the People's Republic of China was officially included in the legislative plan of the 12th National People’s Congress, marking the beginning of a comprehensive legislative effort to regulate cyberspace governance. Between 2014 and 2016, legislative bodies conducted extensive research to identify regulatory needs, drafted the initial outline, developed preliminary institutional frameworks, and sought feedback from relevant departments and experts, ultimately forming a complete draft of the Cybersecurity Law.
On February 27, 2014, the Central Leading Group for Cyberspace Affairs was officially established, marking a major step in centralizing China’s internet governance structure. At the group’s inaugural meeting, President Xi Jinping emphasized the need for unified leadership, strategic coordination, and policy planning across all areas of cybersecurity and informatization. The establishment of this high-level body signaled the beginning of a new phase in China’s internet governance. 2014 came to be seen as the starting point for a national, strategic approach to cyberspace management. Significant progress followed in areas such as institutional reform, legal system development, environmental governance, talent cultivation, and international cooperation, laying the groundwork for a more systematic and state-led model of digital governance in China.
On July 2, 2014, the Administrative Measures for Network and Information Security in the Power Industry were issued to strengthen oversight and regulate cybersecurity practices within China’s power sector. These measures were formulated in accordance with the Regulations on the Protection of Computer Information Systems of the People’s Republic of China and other relevant national policies, marking an early effort to formalize cybersecurity management in critical infrastructure industries. On November 16, 2022, the National Energy Administration released the updated Administrative Measures for Cybersecurity in the Power Industry, which took effect immediately upon issuance and will remain valid for five years. The 2014 version was simultaneously repealed.
Japan enacted the Basic Act on Cybersecurity, the country’s first comprehensive law dedicated to cybersecurity. The Act clearly defines the responsibilities of national and local governments, as well as providers of critical social infrastructure, in maintaining cybersecurity. It aims to promote a coordinated and effective national cybersecurity policy, ensuring the protection of infrastructure vital to citizens' daily lives and economic activities.
Germany’s Bundestag passed the IT Security Act (IT-Sicherheitsgesetz), requiring operators of critical infrastructure to comply with minimum IT security standards and to report significant cybersecurity incidents to the Federal Office for Information Security (BSI). This law laid the foundation for Germany’s structured approach to CII protection.
In July 2015, in accordance with directives from the Central Leading Group for Cyberspace Affairs (now the Central Cyberspace Affairs Commission), the Ministry of Industry and Information Technology (MIIT) established its Cybersecurity Administration Bureau. This bureau was designated to take charge of network and data security, the protection of critical information infrastructure, and the coordination of efforts to address cybersecurity threats.
Effective from November 1, 2015, Amendment (IX) to the Criminal Law of the People's Republic of China introduced the crime of "Refusing to Fulfill Information Network Security Management Obligations." This provision establishes that if a network operator fails to take corrective actions after being ordered to do so by a regulatory authority, such refusal may constitute a criminal offense. This clause serves not only as a substantive condition for criminal liability, but also as a regulatory mandate to administrative agencies, signaling that they must actively participate in the governance of the digital economy. It reflects the criminal law's coordinating function in empowering administrative bodies to act within the cybersecurity domain. Moreover, many cybercrimes in China are premised on a violation of "state regulations"—a term that encompasses administrative regulations, measures, decisions, and orders issued by the State Council. These references provide the legal-theoretical basis for the criminal law to mobilize administrative agencies in enforcing cybersecurity norms and addressing violations effectively.
In the Legislative Work Plan of the State Council for 2016, issued by the General Office of the State Council on March 17, 2016, the Regulation on the Security Protection of Critical Information Infrastructure (CII Protection Regulation) was included only as a "research project" at the end of the list. This placement reflected the early stage of legislative attention being given to CII protection at that time, despite increasing awareness of cybersecurity risks associated with critical sectors.
The CyberSecurity Association of China (CSAC) was officially established in Beijing on March 25, 2016. It is a national, industry-based, and non-profit social organization voluntarily formed by institutions, enterprises, and individuals engaged in the cybersecurity-related sectors of industry, education, research, and application within China. The Association operates under the guidance and supervision of its competent authority—the Cyberspace Administration of China—and the Ministry of Civil Affairs, which serves as the registration and regulatory body for social organizations.
On April 19, 2016, President Xi Jinping chaired a symposium on cybersecurity and informatization, delivering a landmark speech that underscored the strategic importance of protecting Critical Information Infrastructure (CII) in China. He called for in-depth research and effective measures to safeguard national CII, emphasizing that sectors such as finance, energy, electricity, telecommunications, and transportation form the “central nervous system” of the national economy and society. These sectors, he warned, are top targets for cyberattacks and represent the most critical components of cybersecurity. President Xi highlighted that traditional defenses such as physical network isolation are no longer foolproof: Power dispatch commands could be maliciously altered, Financial data could be stolen, Cross-network intrusions could bypass isolated systems. These risks, he stressed, are high-impact and potentially devastating, with the capacity to trigger large-scale disruptions such as transportation paralysis, financial disorder, or power grid failure. His remarks marked a pivotal moment in elevating CII protection as a national security priority.
The European Union adopted the Directive (EU) 2016/1148 on security of network and information systems—commonly known as the NIS Directive—on July 6, 2016. The directive officially entered into force on August 8, 2016, and EU Member States were required to transpose it into national law by May 9, 2018. As the EU’s first comprehensive cybersecurity law, the NIS Directive laid the legal foundation for Critical Information Infrastructure (CII) protection across the Union. It established national cybersecurity strategies, designated competent authorities and CSIRTs, and imposed security and incident reporting obligations on operators of essential services in key sectors such as energy, transport, banking, health, water, and digital infrastructure. It also promoted cross-border cooperation and information sharing among EU member states.
On October 20, 2016, during the 9th ASEAN-Japan Information Security Policy Meeting, ASEAN member states and Japan jointly released the Critical Information Infrastructure Protection (CIIP) Guidelines Ver.3.0. These non-binding guidelines aim to assist ASEAN countries in developing national policies to safeguard critical information infrastructure (CII). The document emphasizes public-private cooperation, information sharing, crisis management, and the establishment of security standards, serving as a foundational reference for regional efforts in CII protection.
On November 7, 2016, the Cybersecurity Law was officially passed at the 24th Session of the Standing Committee of the 12th National People’s Congress, establishing a legal foundation for cyberspace governance in China.
On June 27, 2017, the Cyberspace Administration of China released the National Cybersecurity Incident Emergency Plan, serving as the overarching framework for China’s national cybersecurity emergency response system. The plan defines and classifies cybersecurity incidents, and establishes a four-tier classification system based on the severity of harm and negative impact. This tiered approach lays the foundation for a structured and effective national response mechanism. As the top-level guidance document, the plan provides a reference for government agencies at all levels to develop corresponding emergency plans tailored to the severity of cybersecurity incidents, thereby enhancing preparedness, coordination, and risk mitigation across the country’s cyber infrastructure.
On July 12, 2017, the Cyberspace Administration of China (CAC) released the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Public Comment). This regulation, commonly referred to as the CII Security Protection Regulations, serves as a crucial supporting measure under the Cybersecurity Law. As a subordinate regulation, it provides more detailed implementation rules for protecting Critical Information Infrastructure (CII), clarifying responsibilities, enforcement mechanisms, and technical standards. The draft reflects China's commitment to strengthening the legal framework for national cybersecurity and protecting systems vital to national security, economic stability, and public welfare.
The UK introduced the Network and Information Systems Regulations 2018, aimed at improving the cybersecurity of essential services in sectors such as energy, transport, water, healthcare, and digital infrastructure. It established obligations for operators of essential services and digital service providers, aligning closely with the CII concept.
China’s Cybersecurity Law came into effect on June 1, 2017. It set forth comprehensive rules on network operation, data protection, and critical information infrastructure security, signaling a new era of legally regulated cyberspace in China.
On September 19, 2018, the “Critical Information Infrastructure Security” sub-forum was held in Shanghai as part of China’s National Cybersecurity Awareness Week. The forum brought together representatives from government, industry, and academia to discuss the security challenges facing key sectors such as power, transportation, telecommunications, and finance. The event followed the implementation of Chapter III, Section 2 of the Cybersecurity Law, which formally introduced operational security requirements for Critical Information Infrastructure (CII). Participants highlighted the rising risk of targeted cyberattacks on CII and emphasized the need to align cybersecurity protection with infrastructure planning and development. Speakers from the Cyberspace Administration of China, Shanghai authorities, and major enterprises called for a coordinated CII protection framework, stronger technical defenses, improved monitoring systems, and enhanced data protection practices. The forum underscored that CII security had become a core element of national and urban safety planning, particularly in the context of smart city development.
On October 26, 2019, the Standing Committee of the 13th National People’s Congress adopted the Cryptography Law of the People’s Republic of China, which came into effect on January 1, 2020. As China’s first comprehensive legislation on cryptography, the law aims to regulate the use and management of encryption technologies, safeguard cybersecurity, and protect national and public interests. Article 27 specifically addresses the protection of Critical Information Infrastructure (CII). It requires CII operators to use commercial cryptographic measures for protection and to conduct or commission security evaluations of cryptographic applications. These evaluations must align with existing systems such as CII security assessments and cybersecurity grading, to avoid redundant reviews. In cases where CII operators procure network products or services involving commercial encryption that may affect national security, such procurement is subject to a national security review in accordance with the Cybersecurity Law.
On July 12, 2021, the Ministry of Industry and Information Technology (MIIT), the Cyberspace Administration of China (CAC), and the Ministry of Public Security (MPS) jointly issued a notice releasing the Regulation on the Management of Security Vulnerabilities in Network Products. The regulation came into effect on September 1, 2021. Aimed at safeguarding the secure and stable operation of network products and critical network systems, the regulation provides detailed rules for the discovery, reporting, remediation, and disclosure of security vulnerabilities. It establishes a full-lifecycle tracking mechanism for managing risks associated with security vulnerabilities in network products.
After being included in the national legislative plan for three consecutive years and undergoing extensive refinement, the regulations were officially released on August 17, 2021.
the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) has detected a series of cyberattacks targeting Chinese enterprises. A foreign hacking group exploited vulnerabilities in the SonarQube software to infiltrate systems and steal source code data from critical sectors such as finance and healthcare. The stolen data was then illegally sold on overseas platforms. CNCERT coordinated with the affected companies to conduct on-site investigations, ultimately determining that the attacks originated from abroad.
On November 7, 2022, the State Administration for Market Regulation, the Cyberspace Administration of China, and the Cybersecurity Bureau of the Ministry of Public Security jointly held a promotion and interpretation conference in Beijing for the newly issued national standard titled Information Security Technology—Security Requirements for Critical Information Infrastructure (GB/T 39204-2022). The standard serves as a foundational component for the national system of standards on critical information infrastructure (CII) protection and is designed to guide operators in implementing effective cybersecurity measures.
National Energy Administration issued the updated Administrative Measures for Cybersecurity in the Power Industry, which came into effect immediately and will remain valid for five years. Upon release, the previous 2014 Administrative Measures for Network and Information Security in the Power Industry were officially repealed.
We'd love to hear from you. Please send questions or feedback to the below email addresses.
Before contacting us, you may wish to visit our FAQs page which has lots of useful info on Tiki-Toki.
We can be contacted by email at: hello@tiki-toki.com.
You can also follow us on twitter at twitter.com/tiki_toki.
If you are having any problems with Tiki-Toki, please contact us as at: help@tiki-toki.com
Close