Article 1 In order to strengthen the security management of Internet information services and new applications of relevant new technologies that have the attribute of public opinion or the ability to mobilize society, regulate Internet information service activities, and safeguard national security, social order and public interests, according to the Network Security Law of the People's Republic of China and the Measures for the Administration of Internet Information Services These Provisions are formulated in the Administrative Measures for the Security Protection of International Networking of Computer Information Networks.

Article 2 The Internet information service with the attribute of public opinion or the ability of social mobilization referred to in these Provisions includes the following situations:

（1） Launch information services such as forums, blogs, microblogs, chat rooms, distribution groups, public accounts, short videos, webcasts, information sharing, and applets or attach corresponding functions;

（2） Open other Internet information services that provide public opinion expression channels or have the ability to mobilize the public to engage in specific activities.

Article 3 If an Internet information service provider is under any of the following circumstances, it shall conduct its own security assessment in accordance with these Provisions and be responsible for the assessment results:

（1） The information service with the attribute of public opinion or the ability of social mobilization is online, or the information service adds relevant functions;

（2） The use of new technologies and new applications causes major changes in the functional attributes of information services, technology realization methods, basic resource allocation, etc., resulting in major changes in the attributes of public opinion or social mobilization capabilities;

（3） The number of users has increased significantly, leading to significant changes in the public opinion attribute or social mobilization capacity of information services;

（4） The spread of illegal and harmful information indicates that existing security measures are difficult to effectively prevent and control network security risks;

（5） Other situations in which the network information department at or above the prefecture level or the public security organ notifies in writing of the need for security assessment.

Article 4 An Internet information service provider may conduct security assessment by itself or entrust a third party security assessment institution to do so. 　

Article 5 When conducting security assessment, Internet information service providers shall comprehensively assess the legality of information services and new technologies and applications, the effectiveness of implementing the security measures prescribed by laws, administrative regulations, departmental rules and standards, and the effectiveness of preventing and controlling security risks, and focus on the following:

（1） Determine the person in charge of security management, information reviewers or the establishment of security management organization appropriate to the services provided;

（2） Measures for verification of user's real identity and retention of registration information;

（3） Log information such as user's account number, operation time, operation type, network source address and target address, network source port, client hardware characteristics, and retention measures for information records released by users;

（4） Prevention and disposal of illegal and harmful information in user accounts and distribution group names, nicknames, profiles, notes, logos, information publishing, forwarding, comments, distribution groups and other service functions and relevant record keeping measures;

（5） Personal information protection and technical measures to prevent the spread of illegal and harmful information and the risk of losing control of social mobilization function;

（6） Establish a complaint and reporting system, publish information such as complaint and reporting methods, and timely accept and handle complaints and reports;

（7） The establishment of a working mechanism to provide technical and data support and assistance for the network information departments to perform their duties of supervision and management of Internet information services according to law;

（8） The establishment of a working mechanism to provide technical and data support and assistance for public security organs and national security organs to safeguard national security and investigate and deal with crimes in accordance with the law.

Article 6 If an Internet information service provider finds any potential security hazard in the security assessment, it shall rectify it in a timely manner until the relevant potential security hazard is eliminated.

If the safety assessment results in compliance with laws, administrative regulations, departmental rules and standards, a safety assessment report shall be prepared. The safety assessment report shall include the following contents:

（1） Basic information about the functions, service scope, software and hardware facilities, deployment location and relevant licenses of Internet information services;

（2） Implementation of safety management system and technical measures and risk prevention and control effect;

（3） Safety assessment conclusion;

（4） Other relevant information that should be explained.

Article 7 The Internet information service provider shall submit the security assessment report to the local city level Internet information department and public security organ through the national Internet security management service platform.

Under the circumstances of Item 1 and Item 2 of Article 3 of these Provisions, Internet information service providers shall submit security assessment reports before information services, new technologies and applications go online or functions are added; In case of any circumstance specified in Items 3, 4 and 5 of Article 3 of the Regulations, the safety assessment report shall be submitted within 30 working days from the date of occurrence of the relevant circumstance.

Article 8 The network information department at or above the prefecture level and the public security organ shall review the safety assessment report in writing according to their respective responsibilities.

If the contents and items of the security assessment report are found missing, or the security assessment method is obviously inappropriate, the Internet information service provider shall be ordered to re assess within a time limit.

If the content of the security assessment report is found unclear, the Internet information service provider may be ordered to provide supplementary explanations.

Article 9 The network information department and the public security organ shall carry out on-site inspection of Internet information service providers according to their respective responsibilities if they deem it necessary according to the written review of the security assessment report.

In principle, the network information department and the public security organ shall jointly carry out the on-site inspection, and shall not interfere with the normal business activities of Internet information service providers.

Article 10 With regard to Internet information services that have greater security risks and may affect national security, social order and public interests, the network information departments at or above the provincial level and the public security organs shall organize experts to review them. When necessary, they can carry out on-site inspections with the relevant local departments.

Article 11 The network information department and the public security organ shall carry out on-site inspection in accordance with the provisions of relevant laws, administrative regulations and departmental rules.

Article 12 The network information department and the public security organ shall establish a monitoring and management system, strengthen network security risk management, and urge Internet information service providers to fulfill their network security obligations according to law.

If it is found that an Internet information service provider with the attribute of public opinion or the ability of social mobilization fails to carry out security assessment in accordance with the provisions, the network information department and the public security organ shall notify it to carry out security assessment in accordance with the provisions.

Article 13 Where the network information department and the public security organ find that the Internet information service provider with the attribute of public opinion or the ability of social mobilization refuses to carry out security assessment in accordance with these Provisions, they shall remind the public of the security risks of the Internet information service through the national Internet security management service platform, and supervise and inspect the Internet information service according to their respective responsibilities, If an illegal act is found, it shall be dealt with according to law.

Article 14 The network information department shall coordinate the security assessment of Internet information services with the attribute of public opinion or the ability of social mobilization, and the security assessment of the public security organ shall be regularly reported to the network information department.

Article 15 The network information departments, public security organs and their staff members shall strictly keep confidential the state secrets, business secrets and personal information they have learned in performing their duties, and shall not disclose, sell or illegally provide them to others.

Article 16 The security assessment of new technologies and applications of Internet news information services shall be carried out in accordance with the Administrative Provisions on Security Assessment of New Technologies and Applications of Internet News Information Services.

Article 17 These Provisions shall come into force as of November 30, 2018.