On April 27, 2020, the Cyberspace Administration of China (“CAC”) and other eleven government agencies jointly released the final version of the Measures on Cybersecurity Review (“Measures”) (an official Chinese version of the Measures is available here). These Measures will take effect on June 1, 2020.
Under Article 35 of China’s Cybersecurity Law (“CSL”), operators of Critical Information Infrastructure (“CII”) are required to undergo a security review if the procurement of “network products and services” implicates China’s national security. To implement this requirement, CAC previously released the Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”) on May 2, 2017, which established a process for CAC to conduct a cybersecurity review in a range of key sectors. On May 24, 2019, CAC released a draft version of the Measures (“Draft Measures”) for public comment (see our post on the Draft Measures here), aiming to update the review process established under the Trial Measures. The final version of the Measures replaces the Trial Measures and largely tracks the framework proposed in the Draft Measures.
Highlights of the final version of the Measures appear below.
Scope of Network Products and Services: Under the Measures, “network products and services” that may be subject to this cybersecurity review include a wide range of products and services, including “core network equipment, high-capability computers and servers, high-capacity data storage, large databases and applications, network security equipment, cloud computing services,” and other network products or services that have an important impact on CII.
Eleven Agencies to Form Interagency Review Body: The Measures establish a high-level interagency cybersecurity review body. Led by CAC, the review body will consist of members from eleven government agencies (“Members”), including the National Development and Reform Commission, the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security, the Ministry of National Security, the Ministry of Commerce, the Ministry of Finance, the People’s Bank of China (“PBOC”), the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, and the State Cryptography Administration (“SCA”). Presumably, Members from the above agencies will focus on different regulatory aspects when conducting the cybersecurity review. For example, PBOC will likely focus more on the procurement of CII operators in the financial industry, whilst SCA may be responsible for reviewing the procurement of encryption products or services, and MIIT may oversee any telecom-related procurement.
Obligations for CII Operators:
(1) Predicting National Security Risks and Initiating Cybersecurity Review Process Under the Measures, CII operators seeking to procure network products or services must first “predict” the potential national security risks associated with such products or services. If the assessment identifies national security risks, then the CII operator must apply for a cybersecurity review by the Cybersecurity Review Office. The Measures suggest that sectoral agencies responsible for the protection of CII should issue further guidance on the self-assessment of such risks.
(2) Implication on Providers of Network Products and Services The Measures require CII operators to specify in their procurement agreements that the provider of network products or services shall assist with the cybersecurity review, and commit that it will not engage in conduct such as (i) illegally collecting users’ personal information, (ii) illegally controlling or manipulating users’ equipment, or (iii) interrupting the supply of products or necessary technical support services without justification. It is unclear whether providers of network products or services—in addition to providing assistance to CII operators—may proactively participate in the review process to ensure that the procurement of products of services by CII operators are in compliance with the Measures.
Substantive Review Criteria: The final version of the Measures enumerates a list of risks that will be the focus of the cybersecurity review and, for the most part, remain substantively similar to the risks listed in the Draft Measures. For example, one important risk item that remains unchanged is the evaluation of the possibility of supply disruptions due to “political, diplomatic, and trade” factors. However, in contrast to the Draft Measures, the finalized Measures no longer consider the risk of impact to (i) China’s national defense and related CII technologies and property, or (ii) products or services subject to funding or control by foreign governments. Note that technical specifications or standards in consideration of the enumerated risks are not yet available; rather, only general principles are set forth, thereby creating difficulties and uncertainties for companies that desire a clear path forward with respect to compliance with the cybersecurity review under the Measures.