On April 27, 2020, the Cyberspace Administration of China (“CAC”) and eleven other government agencies jointly released the Measures on Cybersecurity Review (Measures) (网络安全审查办法). The Measures take effect on June 1, 2020 The Measures covers facilities that handle large amounts of data, as well as cloud computing services. It is possible for foreign suppliers to pass the review process and provide products and services to these facilities. According to the review requirements, the infrastructure operators may prefer using domestic products just to avoid any trouble. In addition, one of the reviewing factors outlined in the Measures, which is the “… reliability of supply channels, and the risk of supply disruption due to political, diplomatic, and trade factors,” may exclude American suppliers, as the Trump administration has tightened export controls to China amidst the U.S.-China tech war.
According to the Measures, cybersecurity review will apply to a wide range of products and services of critical information infrastructure (CII) operators, including core network equipment, high-capability computers and servers, high-capacity data storage, large databases and applications, network security equipment, cloud computing services, and other services or products that will have an important impact on CII safety (Article 20).
The Measures establish an interagency Cybersecurity Review Office, consisting of members of the Cybersecurity Administration of China (CAC), the National Development and Reform Commission (NDRC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security, the Ministry of National Security, the Ministry of Commerce, the Ministry of Finance, the People’s Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, and the State Cryptography Administration (Article 4)
The Measures require CII operators to predict the potential national security risks associated with products or services they plan to purchase, and apply for a cybersecurity review by the Cybersecurity Review Office if there is or may be any national security risk. More guidance on the self-assessment will be issued later by agencies in charge of the specific file (Article 5).
In the case of a cybersecurity review, CII operators shall, in procurement documents or agreement, require the provider of network services or products to cooperate with the review process, and promise they will not engage in activities including (i) illegally collecting users’ personal information, (ii) illegally controlling or manipulating users’ equipment, or (iii) interrupting the supply of products or necessary technical support services without justifications (Article 6).
To apply for cybersecurity review, CII operators shall submit an application form, self-assessment report, procurement agreement, and other materials needed for the review (Article 7). After receiving the application materials, the Cybersecurity Review Office shall decide whether a review is needed within 10 days and notify the CII operator (Article 8).
The Cybersecurity Review Office shall consider five elements in a national security risk review: (Article 9)
- The risk of CII being illegally controlled, interfered with, or destroyed, and the risk of important data being stolen, leaked, or damaged;
- The damage of any supply disruption of products and services to the continuing operation of CII;
- The safety, openness, transparency, diversity of the product and service, reliability of supply channels, and the risk of supply disruption due to political, diplomatic, and trade factors
- Product and service providers’ compliance with Chinese laws, administrative regulations, and departmental regulations
- Any Other factors that may jeopardize the security of CII and national security.
It is worth noting that the final version took out two factors that appeared in the draft version: (1) China’s national defense and related CII technologies and property, and (2) products or services subject to funding or control by foreign governments.
Primary review shall be finished within 30 working days, which could be extended for another 15 working days in complicated cases. The primary review results and recommendations shall be sent to relevant agencies to solicit comments (Article 10). Relevant agencies shall provide a written opinion within 15 working days (Article 11). If the opinions of relevant agencies and the Cybersecurity Review Office are consistent, the Cybersecurity Review Office will notify the applicant of their conclusion in writing.
If the opinion from relevant agencies is different from the conclusion of the Cybersecurity Review Office, the review will enter a special review procedure. During the special review procedure, the Cybersecurity Review Office shall work with relevant agencies and reach a conclusive recommendation. Such recommendation shall be approved by the CAC before becoming final and sent to the applicant (Article 12). The special review shall be finished within 45 working days, but can be extended in special cases (Article 13).
The Measures also require relevant agencies and officers to protect corporate business secrets, intellectual property rights and other undisclosed information, and not to disclose them to a third party or for purpose other than cybersecurity review (Article 16). If CII operators, product or service providers believe that the reviewers are not objective or fair during the review process, or fail to undertake confidentiality obligations, they may report to the Cybersecurity Review Office or relevant departments (Article 17).