Today, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Security Review of Network Products and Services (Trial) (“the Measures”), with an effective date of June 1, 2017 (official Chinese version available here).  The issuance of the Measures marks a critical first step toward implementing China’s Cybersecurity Law (“the Law”), which was promulgated on November 7, 2016 and will take effect on June 1, 2017 (the same date as the Measures).

More specifically, the long-anticipated Measures offer guidance on how CAC is planning to conduct cybersecurity reviews of network products and services procured by entities in a range of key sectors and other operators of Critical Information Infrastructure (“CII”), if the procurement “may affect China’s national security.”

A draft form of the Measures was released in February 2017 for public comment (see Covington’s alert on the draft Measures here).  Since then, international stakeholders have been submitting comments to the CAC and changes in the final version reflect some of these comments.  The Measures, however, still lack clarity with respect to certain aspects of the review process, both in terms of substantive criteria and procedure.  Companies that may be subject to such reviews will likely need further guidance from the agencies once the Measures take effect.

This post identifies two key changes in the final version.

Narrowed scope of review

In the final version, only procurement of “important network products and services” related to network and information systems that implicate China’s national security will be subject to the cybersecurity review (Article 2).  The reference to “public welfare” in the previous draft has been removed, but the term “important network products and services” is still undefined.  This change could potentially significantly narrow the scope of the review if national security is not interpreted expansively.

The final version clarifies that network products and services supplied to two types of entities should be subject to the review process:

  • Entities in key sectors such as telecommunication and information services, energy, transportation, water conservation, finance, utilities and e-government; and
  • Other operators of CII.

The final version, however, no longer creates a two-tier system, but requires uniformly that for these entities, any procured network products and services that may affect national security have to pass the review (Article 10).  Whether a procurement may affect China’s national security will be determined by “departments that are in charge of protecting these CII,” which is likely to be industry regulators in the key sectors identified above.

Emphasis on supply chain risks

The final version of the Measures puts greater emphasis on supply chain risks, which was not clearly spelled out in the previous draft:

  • The cybersecurity review is intended to cover both “network products and services,” and their supply chain (Article 3);
  • “Supply chain security risks associated with the manufacturing, testing, delivery and technical support of products and key parts” were identified as a category of risks that the agencies must assess in the review process (Article 4.2); and

Designated third-party evaluation centers should focus their assessment on whether “network products and services” and their supply chain are “secure,” “controllable,” and “transparent (in relation to the security mechanism and technologies).”