CII

Definition

CII (Critical Information Infrastructure, 关键信息基础设施) is a classification under the People's Republic of China's Cybersecurity Law (CSL) for information systems whose destruction or compromise would seriously harm national security, livelihood, or public interest. Designation as CII triggers the strictest cybersecurity, data-localization, and oversight requirements in China's regulatory framework.

What it means

CII designation is sector-specific and determined by sector regulators (e.g., MIIT for telecommunications, NRTA for media, PBOC for banking). Sectors typically considered for CII designation include energy, finance, transport, water supply, healthcare, public services, government, telecommunications, defense, and "important internet platforms" under recent guidance.

CII operators face enhanced obligations: data localization (personal information and important data collected and generated in operations must be stored within mainland China), cross-border transfer requires CAC security assessment, procurement of network products and services may require security review, annual security assessment is mandatory, and incident reporting obligations are accelerated.

For international firms entering China, CII designation is often a structural concern — even if the firm's own systems would not be designated CII, partnerships with Chinese-resident CII operators trigger flow-through obligations. The CII pillar covers the identification framework and operational obligations in depth.

Related terms

- PIPL - DSL - MLPS

Authoritative sources

- Cybersecurity Law of the People's Republic of China (CSL) - CII Security Protection Regulation (2021)

---

End of glossary-batch-3/article.md (4 terms: UN-R 155, PIPL, DSL, CII).