<!-- Source: https://melinasecurity.com/knowledge/china-compliance/cii-designation/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->


[CII (Critical Information Infrastructure / 关键信息基础设施)](/knowledge/glossary/cii/) is the classification under China's [Cybersecurity Law (CSL)](/knowledge/china-compliance/mlps/) for information systems whose destruction or compromise would seriously harm national security, livelihood, or the public interest. CII designation triggers the strictest cybersecurity, data-localization, and operational-oversight requirements in China's regulatory framework.

For overseas operators and partners, CII designation is typically a structural concern even when the operator's own systems would not be designated — partnerships with Chinese-resident CII operators trigger flow-through obligations on the partner organization.

## CII designation — how it works

CII designation is **sector-specific** and determined by sector regulators rather than through a single national process. The 2021 *Security Protection Regulations for Critical Information Infrastructure* establish the framework; sector regulators (MIIT for telecommunications, NRTA for media, PBOC for banking, others) maintain identification rules and designation lists for their respective sectors.

Sectors typically considered for CII designation include:

- Public communication and information services (telecommunications, radio, television, internet)
- Energy (power, oil, gas)
- Transport (rail, civil aviation, water transport)
- Water supply
- Finance (banking, securities, insurance, payment)
- Public services (healthcare, social security, water, gas, electricity)
- E-government
- Defense industry
- Important internet platforms (added under recent guidance)

Designation is a regulatory determination — operators are notified of designation by their sector regulator. There is no self-designation process.

## CII operator obligations

CII operators face enhanced obligations relative to non-CII operators under the same sector's general cybersecurity expectations:

### Data localization

Personal information and important data collected and generated in CII operations within mainland China **must be stored within mainland China**. Cross-border transfer requires a CAC Security Assessment; no SCC or certification alternative is available.

### Procurement security review

CII operators must conduct a security review before procuring network products and services that may affect national security. The review is typically conducted in coordination with the relevant CAC office under the *Cybersecurity Review Measures*.

### Annual security assessment

An annual security assessment is mandatory, with results reportable to the relevant authority. The assessment scope is broader than that of a non-CII assessment and includes governance, risk management, and operational-resilience evaluation.

### Designated security responsible person

CII operators must designate a chief security responsible person with seniority and authority appropriate to the role. The designated person carries personal regulatory accountability.

### Incident reporting

Incident-reporting obligations are accelerated: material incidents are reportable within hours, rather than within days as for non-CII systems.

### Backup and emergency-response capability

CII operators must maintain demonstrable backup and emergency-response capability appropriate to the operational impact of system failure.

## Flow-through obligations on CII partners

For overseas operators that partner with CII operators — supplying network products or services to CII operators, processing CII-operator data, integrating with CII-operator systems — flow-through obligations apply:

- **Procurement security review** participation — the CII operator's procurement review extends to the supplier's security posture
- **Background check requirements** for supplier personnel with access to CII-relevant systems
- **Data handling requirements** matching the CII operator's data-classification regime
- **Audit and inspection rights** for the CII operator and (in some cases) the sector regulator

Overseas operators considering partnerships with potentially-CII Chinese entities should assess flow-through risk before contracting — the operational implications often exceed what the contractual relationship initially suggests.

## CII interaction with MLPS, PIPL, and DSL

CII designation interacts with the other compliance pillars:

| Framework | Interaction with CII |
|---|---|
| MLPS 2.0 | CII operators are typically classified at Grade 3 or Grade 4 under MLPS |
| PIPL | CII operators have stricter cross-border transfer obligations for personal information |
| DSL | CII operations typically involve Important Data, triggering DSL Important Data obligations |
| Cybersecurity Review Measures | Procurement security review process applies to CII operator procurement |

CII designation is best understood as an overlay that strengthens existing obligations under the other pillars rather than a parallel framework.

## CII for overseas operators

For overseas operators entering the China market, CII has several practical implications:

- **Overseas-operated systems are rarely directly designated CII** — CII designation applies to PRC-domiciled systems; overseas-only operations are typically outside the direct designation scope
- **Subsidiary systems can be designated CII** — wholly-owned Chinese subsidiaries operating in CII-relevant sectors are inside the designation scope
- **Partnership and supply relationships create flow-through exposure** — even for overseas operators whose own systems are not designated
- **Hosting-partner relationships can carry CII implications** — Chinese hosting partners that support CII operators have flow-through expectations on their own supplier relationships

## Frequently asked questions

### How do we know if we will be designated CII?

CII designation is made by the sector regulator. The framework-level identification rules suggest considering: sector classification, the operational scale of the system, the consequence of compromise, and the integration of the system with other CII-classified operations. For overseas operators considering a Chinese subsidiary in a CII-relevant sector, consultation with the sector regulator before operation is typical.

### Can we operate in China without CII designation?

Yes — most overseas commercial operations do not trigger CII designation. CII is reserved for systems whose compromise would seriously harm national security or public interest. General commercial SaaS, consumer IoT, and most B2B operations fall outside CII scope.

### What's the practical difference between CII and non-CII operation in the same sector?

CII operation imposes stricter data localization (no SCC alternative for cross-border transfer), procurement security review on supplier selection, annual security assessment, accelerated incident reporting, and designated-responsible-person regulatory accountability. The operational cost difference is material — typically multi-quarter additional compliance work compared to non-CII operation in the same sector.

### Does CII designation transfer if we acquire a Chinese CII operator?

Designation attaches to the operating entity. An acquisition that maintains the operating entity preserves the designation. A restructuring that dissolves the operating entity into a different entity requires re-assessment by the sector regulator.

### Related

- [What is CII?](/knowledge/glossary/cii/)
- [PIPL pillar](/knowledge/china-compliance/pipl/)
- [DSL pillar](/knowledge/china-compliance/dsl-important-data/)
- [MLPS pillar](/knowledge/china-compliance/mlps/)
- [Cross-Border Data Transfer pillar](/knowledge/china-compliance/cross-border-data-transfer/)

---

*Placeholder — pending founder + China-licensed legal review. CII designation criteria, sector-regulator references, and current designation list status must be verified against current sector-regulator publications before publication.*
