On April 27, 2020, the Cyberspace Administration of China (“CAC”) and eleven other government agencies jointly released the final version of the Measures on Cybersecurity Review (“Measures”) (an official Chinese version of the Measures is available here).  These Measures will take effect on June 1, 2020.

Under Article 35 of China’s Cybersecurity Law (“CSL”), operators of Critical Information Infrastructure (“CII”) are required to undergo a security review if the procurement of “network products and services” implicates China’s national security.  To implement this requirement, CAC previously released the Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”) on May 2, 2017, which established a process for CAC to conduct a cybersecurity review in a range of key sectors.  On May 24, 2019, CAC released a draft version of the Measures (“Draft Measures”) for public comment (see our post on the Draft Measures here), aiming to update the review process established under the Trial Measures.  The final version of the Measures replaces the Trial Measures and largely tracks the framework proposed in the Draft Measures.

Highlights of the final version of the Measures appear below.

Scope of Network Products and Services:  Under the Measures, “network products and services” that may be subject to this cybersecurity review include a wide range of products and services, including “core network equipment, high-capability computers and servers, high-capacity data storage, large databases and applications, network security equipment, cloud computing services,” and other network products or services that have an important impact on CII.

Eleven Agencies to Form Interagency Review Body:  The Measures establish a high-level interagency cybersecurity review body.  Led by CAC, the review body will consist of members from eleven government agencies (“Members”), including the National Development and Reform Commission, the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security, the Ministry of National Security, the Ministry of Commerce, the Ministry of Finance, the People’s Bank of China (“PBOC”), the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, and the State Cryptography Administration (“SCA”).  Presumably, Members from the above agencies will focus on different regulatory aspects when conducting the cybersecurity review.  For example, PBOC will likely focus more on the procurement of CII operators in the financial industry, whilst SCA may be responsible for reviewing the procurement of encryption products or services, and MIIT may oversee any telecom-related procurement.

Obligations for CII Operators:  

(1) Predicting National Security Risks and Initiating Cybersecurity Review Process:  Under the Measures, CII operators seeking to procure network products or services must first “predict” the potential national security risks associated with such products or services.  If the assessment identifies national security risks, then the CII operator must apply for a cybersecurity review by the Cybersecurity Review Office.  The Measures suggest that sectoral agencies responsible for the protection of CII should issue further guidance on the self-assessment of such risks.

(2) Implications for Providers of Network Products and Services:  The Measures require CII operators to specify in their procurement agreements that the provider of network products or services shall assist with the cybersecurity review, and commit that it will not engage in conduct such as (i) illegally collecting users’ personal information, (ii) illegally controlling or manipulating users’ equipment, or (iii) interrupting the supply of products or necessary technical support services without justification.  It is unclear whether providers of network products or services—in addition to providing assistance to CII operators—may proactively participate in the review process to ensure that the procurement of products or services by CII operators is in compliance with the Measures.

Substantive Review Criteria:  The final version of the Measures enumerates a list of risks that will be the focus of the cybersecurity review; for the most part, these remain substantively similar to the risks listed in the Draft Measures.  For example, one important risk item that remains unchanged is the evaluation of the possibility of supply disruptions due to “political, diplomatic, and trade” factors.  However, in contrast to the Draft Measures, the finalized Measures no longer consider the risk of impact to (i) China’s national defense and related CII technologies and property, or (ii) products or services subject to funding or control by foreign governments.  Note that technical specifications or standards in consideration of the enumerated risks are not yet available; rather, only general principles are set forth, thereby creating difficulties and uncertainties for companies that desire a clear path forward with respect to compliance with the cybersecurity review under the Measures.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.