What is a Critical Information Infrastructure (CII)?

//What is a Critical Information Infrastructure (CII)?

You may be wondering whether you have anything that can be declared a Critical Information Infrastructure (CII). It’s an interesting question. You might well have CII. What does this mean for you? What are the practical consequences?

What falls within the definition of Critical Information Infrastructure?

The Cybercrimes and Cybersecurity Bill defines Critical Information Infrastructure very broadly. It is any data, database, network, communications infrastructure, (or part thereof), or anything associated with them that has been declared a CII.

Critical Information Infrastructures also include the things listed above, which are in the possession or under the control of the State (national, provincial or local), and anyone exercising a public power or performing a public function.

Examples of possible CIIs are the infrastructure (or part) of:

  • a bank
  • Home Affairs
  • JSE
  • a medical scheme

Basically, anything State Security thinks that if lost, could cause harm to people, the economy or the country.

What does it mean if I have CII?

Before you have been declared to have CII, you may make written representations to the Minister of State Security. If you have Critical Information Infrastructure, the Minister can make directives on how to access CIIs, store and archive information in CIIs and even the minimum security standards necessary. You have to comply with these directives.

What if I don’t?

There are some consequences for the owner of CII if they if they fail to take the steps specified by the Minister:

  • Minister can order them to take the specified steps
  • they can be guilty of an offence
  • Minister can recover costs from them if he carries out the steps on their behalf

To find out more attend one of our Cyber Crime and Security Workshop.