Today, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Security Review of Network Products and Services (Trial) (“the Measures”), with an effective date of June 1, 2017 (official Chinese version available here).  The issuance of the Measures marks a critical first step toward implementing China’s Cybersecurity Law (“the Law”), which was promulgated on November 7, 2016 and will take effect on June 1, 2017 (the same date as the Measures).

More specifically, the long-anticipated Measures offer guidance on how CAC is planning to conduct cybersecurity reviews of network products and services procured by entities in a range of key sectors and other operators of Critical Information Infrastructure (“CII”), if the procurement “may affect China’s national security.”

A draft form of the Measures was released in February 2017 for public comment (see Covington’s alert on the draft Measures here).  Since then, international stakeholders have been submitting comments to the CAC and changes in the final version reflect some of these comments.  The Measures, however, still lack clarity with respect to certain aspects of the review process, both in terms of substantive criteria and procedure.  Companies that may be subject to such reviews will likely need further guidance from the agencies once the Measures take effect.

This post identifies two key changes in the final version.

Narrowed scope of review

In the final version, only procurement of “important network products and services” related to network and information systems that implicate China’s national security will be subject to the cybersecurity review (Article 2).  The reference to “public welfare” in the previous draft has been removed, but the term “important network products and services” is still undefined.  This change could significantly narrow the scope of the review if national security is not interpreted expansively.

The final version clarifies that network products and services supplied to two types of entities should be subject to the review process:

  • Entities in key sectors such as telecommunication and information services, energy, transportation, water conservation, finance, utilities and e-government; and
  • Other operators of CII.

The final version, however, no longer creates a two-tier system, but requires uniformly that for these entities, any procured network products and services that may affect national security have to pass the review (Article 10).  Whether a procurement may affect China’s national security will be determined by “departments that are in charge of protecting these CII,” which are likely to be industry regulators in the key sectors identified above.

Emphasis on supply chain risks

The final version of the Measures puts greater emphasis on supply chain risks, which were not clearly spelled out in the previous draft:

  • The cybersecurity review is intended to cover both “network products and services,” and their supply chain (Article 3);
  • “Supply chain security risks associated with the manufacturing, testing, delivery and technical support of products and key parts” were identified as a category of risks that the agencies must assess in the review process (Article 4.2); and
  • Designated third-party evaluation centers should focus their assessment on whether “network products and services” and their supply chain are “secure,” “controllable,” and “transparent (in relation to the security mechanism and technologies).”

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.