China publishes security review measures for network products and services

The Cyberspace Administration of China (“CAC”) published the Security Review Measures for Network Products and Services (Trial) (the “Measures”) on 2 May 2017. This is only two months after the period during which the public could provide comments on the first draft of the Measures ended. The Measures are the first implementation rules to be published following the issuance of the People’s Republic of China Cybersecurity Law (the “Cybersecurity Law”) and will take effect from the same date as the Cybersecurity Law on 1 June 2017.

Network products and services subject to security reviews

According to Article 2 of the Measures, all important network products and services purchased for networks and information systems that are pertinent to national security will be subject to cybersecurity reviews. Although the Measures do not define ‘important network products and services’ or ‘networks and information systems that are pertinent to the national security’, Article 10 of the Measures does provide some relevant explanation.

According to Article 10, if national security might be affected by any network products or services purchased for public communication and information services, energy, transportation, water conservancy, finance, public services, electronic government systems and other important industries and sectors, or purchased by the operators of other critical information infrastructure (“CII”), such network products or services must pass cybersecurity reviews. Whether national security will be affected by a particular network product or service will be decided by the government authorities responsible for the protection of CII.

Under the Cybersecurity Law, security reviews only apply to network products and services that are purchased by CII operators and that might affect national security. Considering Article 2 and Article 10 of the Measures together, the scope of security reviews under the Measures is not strictly consistent with the requirements under the Cybersecurity Law. The government is formulating a catalogue identifying the scope of CII. We expect that this catalogue will provide further clarification as to the scope of the security reviews.

Main requirements and procedures for security reviews

Article 4 of the Measures provides that a cybersecurity review will focus on whether network products or services are secure and controllable. A cybersecurity review is required to consider (i) the inherent security risks of the products or services, or the risks of the products and services being illegally controlled or disturbed, or their operation being illegally terminated, (ii) the supply chain risks involved in the manufacture, testing, delivery and technical support of the products or their critical components, (iii) risks of the product or service suppliers’ manipulating their positions to illegally collect, store, process or use users’ information, or to damage cybersecurity or users’ interests and (iv) other risks that might endanger national security.

According to the Measures, the government will establish a cybersecurity review committee responsible for formulating important policies concerning cybersecurity reviews. The government will also establish a cybersecurity review office to take responsibility for organising the specific reviews, which will be conducted by designated third-party institutions and experts. The Measures do not specify how the third-party institutions will be designated or the steps that an applicant should follow to have products or services reviewed. Further implementation rules could be published in the next few months, together with the technical standards or specifications applicable to network products and services.

The results of cybersecurity reviews will be published periodically but all other information obtained by third-party institutions, experts and other relevant parties is required to be kept confidential and should not be used for any other purposes beyond cybersecurity reviews.