On 27 April 2020, the Cyberspace Administration of China (CAC) together with 11 other government departments published the Cybersecurity Review Measures, which applies to critical information infrastructure operators or CII Operators.
As a result of these measures that come into force on 1 June 2020, when a CII Operator purchases any network products or services with a potential effect on national security, this purchase must go through a cybersecurity review in accordance with the new measures.
Network products and services (NPSs) refer to core network devices, high-performance computers and servers, mass storage devices, large databases and application software, network security devices, cloud computing services, and other network products and services that have a significant impact on the security of the critical information infrastructure.
Each CII Operator is obliged to fully understand the NPSs to be purchased, and predict their potential impact on national security when in use. A sector-specific guidance may be published in the future, but currently it is up to the discretion of the CII Operator whether to file a review application to the designated CAC office.
Factors that will be considered during a review include:
- the risks that critical information infrastructure could be illegally controlled, interrupted or destroyed, and that important data can be breached, leaked or damaged when the NPSs are put into use;
- the ability of the critical information infrastructure to be able to function if the NPS supply is disrupted;
- important features of the NPSs, including safety, openness, transparency, diversity of sources, and reliability of supply channels, and the risks of the supply being disrupted due to political, diplomatic, and trade factors;
- the compliance status of NPS suppliers under relevant Chinese laws, administrative regulations, and departmental regulations; and
- other factors that may jeopardise the critical information infrastructure and national security.
When filing an application, a CII Operator is required to submit the purchase agreements and the following commitments of the supplier to demonstrate its cooperation with cybersecurity reviews: to refrain from illegally obtaining user data, to refrain from illegally controlling or manipulating user devices and to refrain from disrupting supply or necessary technical services without valid reasons.
These requirements apply to both domestic and foreign suppliers.
The applicant will be informed whether a cybersecurity review is necessary within ten working days after the application is accepted. Usually, a cybersecurity review will be completed within 45 working days, and can be extended up to 105 days in special circumstances. Government officials involved in cybersecurity reviews are obligated to keep any trade secrets disclosed to them confidential, and to protect the IP rights of the applicants.
The measures apply only to CII Operators, but the specific scope of the CII remains unclear. Sectoral authorities are still expected to identify the CII within their jurisdictions and provide more guidance to the public.
For more information on these measures, contact your regular CMS advisor or local CMS experts.