When China’s Cybersecurity Law was enacted last November, one question (among many) that surfaced was how the government would implement the “national security review” that the law requires for certain network products and services.  The law, which takes effect this June, provides that network products and services procured by operators of critical information infrastructure must clear a “national security review” if they might affect national security, but leaves that term unexplained.  Last week, the nation’s leading internet regulator—the Cyberspace Administration of China (“CAC”)—stepped in to elaborate, at least in part.

On February 4, CAC issued a draft regulation outlining the contours of the “cybersecurity review” required by the new law and opened a one-month window for receiving public comments (see original Chinese here and our analysis here).  The name change (“cybersecurity” in lieu of “national security”) seems purely cosmetic; consistent with the Cybersecurity Law, the review process focuses on safeguarding China’s national security in cyberspace.  To that end, the draft regulation sheds light on some of CAC’s priorities, while raising new questions about what businesses must do to comply.

First, the regulations appear to contemplate a two-tier compliance system: Government agencies, Communist Party organs, and entities in “key sectors” would be prohibited from procuring any network products and services that have not passed the cybersecurity review, while other critical infrastructure operators would enjoy greater leeway, though any procurement that “may affect national security” is still subject to review.  Although the “key sectors” with the strictest obligations include sectors “such as” finance, telecommunications, and energy, it is unclear whether other sectors will join their ranks.  As for other sectors, the regulations do not explain how regulators will determine if certain procurement activities “may affect national security.”

Second, the agencies will focus on ensuring that products and services are “secure and controllable.”  This standard, the draft regulations explain, aims to mitigate several distinct risks—the risk that products or services will be “unlawfully controlled, interfered with, or interrupted”; the risks associated with “research and development, delivery, and technical support”; the risks that products or services will become a means to “illegally collect, store, process, or utilize users’ data”; and the risk that providers will leverage user reliance to “engage in unfair competitive practices or otherwise harm consumers.”  The “secure and controllable” standard, then, encompasses not only the more obvious goal of guarding against hacking or interference, but also a distinct and more expansive interest in protecting consumers and their data.  Additionally, to be “secure and controllable” also requires adequate protection against “possible harms to national security and the public interest,” terms that leave ample room for interpretation.

Lastly, the regulations sketch out the cybersecurity review’s core elements—“laboratory testing, on-site inspection, online monitoring, and review of background information.”  What each of these elements means in practice, however, remains to be seen.

Public comments are due by March 4.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.