DaHui Lawyers

English  |  中文

rss feed


Search This Section

15 May 2020

China Releases Cybersecurity Review Measures

On 13 April 2020, the Cyberspace Administration of China (“CAC”), in conjunction with eleven other government departments,[1] issued the Measures for Cybersecurity Review (“Measures”), which will come into effect on 1 June 2020 and replace the current Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”).[2] Compared to the Trial Measures, the Measures provide a little more clarity on the scope of review, further elaborate the review procedure and criteria, and address liability for failure to comply with the Measures. 

Scope: Who Is Affected

The Measures impose obligations on certain Critical Information Infrastructure (“CII”) operators (“CIIOs”) for when they intend to purchase any network product or service that affects or may affect state security. The Measures state the requirements for cybersecurity review apply to CIIOs identified by the relevant government department for CII protection.  Official enumerations of the CIIOs subject to the Measures will likely come from the various authorities with regulatory responsibilities over specific industries.[3] In a press conference held by CAC regarding the Measures,[4] it stated that network operators engaging in the following industries should consider applying for cybersecurity review: telecommunications, broadcasting, energy, finance, road and waterway transportation, railway, civil aviation, postal service, hydraulic engineering, emergency management, healthcare, social security, and national defense technology. Based on the above, an operator engaging in one of the above-mentioned industries should conduct self-assessment (see below) and consult authorities with regulatory responsibilities in the relevant industry (even if it has not been identified as a CIIO by such authorities) concerning the requirements for cybersecurity review when it purchases a network product or service that affects or may affect state security.

Likewise, not all network products or services will fall under the scope of the Measures. Unfortunately, the scope is not entirely clear in this respect, as the Measures provide that applicable “network products or services” mainly refers to core network equipment, high-performance computers and servers, mass storage equipment, large databases and applications, network security equipment and cloud computing services, and other network products and services that have important impact on the security of CII. As with other regulations, the definition of applicable network products/services offers the regulators a degree of discretion in determining which products/services fall under the regulations of the Measures.

Purchaser & Seller Obligations: What You Must Do

Self-AssessmentA CIIO will need to conduct its own assessment to determine whether any applicable network product or service to be purchased would, once in use, affect or even potentially affect “state security”.  Guidelines for such assessments will likely be issued by regulatory or other competent authorities for specific industries. In the absence of such guidelines, CIIOs are recommended to conduct their assessments based on the review parameters mentioned below. If a CIIO makes a positive determination, it must submit a cybersecurity review application to the Cybersecurity Review Office (“CRO”).[5]

In addition to cybersecurity review being initiated by CIIOs themselves, it may be initiated by the Cybersecurity Review Office if any member of the cybersecurity review working mechanism[6] believes that a network product or service affects or may affect state security.

Procurement Contract: Although not explicit in the Measures, the self-assessment (and cybersecurity review application) is recommended to be carried out before a CIIO signs the relevant contract for procuring an applicable network product or service, according to the CAC’s press conference. CAC also states that if such procurement contract is signed first, it is recommended to have the effectiveness of such contract conditioned on the passing of cybersecurity review. As the cybersecurity review will have significant impact on the procurement contract for network products/services, CIIOs should always factor in potential cybersecurity review when considering, negotiating with, and selecting suppliers for applicable network products or services. 

As to substantive obligations to be included in procurement contracts, the Measures specifically require them to provide for the suppliers to: (a) cooperate with the cybersecurity review (e.g., submit documents required by the CRO); (b) not take advantage of the provision of products or services to illegally obtain user data or illegally control or operate users' equipment; and (c) not interrupt product supply or necessary technical support services without justifiable reasons.

Application Documentation: The following documents shall be submitted in a cybersecurity review application: (a) a declaration statement; (b) an analysis report on the impact or possible impact on state security; (c) the contract (to be signed) or other such document; and (d) other, as yet unspecified, materials “required for cybersecurity review”. Thus the baseline documents may not be very complicated or onerous, although guidance or precedents for the form of the analysis report are wanting and it seems reviewing authorities may request further documents.

Review Procedure: What Will It Take

The Measures provide detailed procedures for the cybersecurity review. Based on the timeline provided in the Measures, the general review can take up to 55 working days to complete starting from the submission, extended by 15 working days if the situation is complex; if a special review procedure is required, at least 100 working days should be anticipated for the completion of the cybersecurity review. The timeline does not include any time taken for submission of any supplementary documents.

Procedure and Review Regulators



Application acceptance by the CRO

Within 10 working days

  • After receiving the application materials, the CRO determines whether a review is required and notifies the relevant CIIO of the result in writing.

Initial review by the CRO

Within 30 working days, plus 15 working days (for complicated cases)

  • The CRO circulates its preliminary conclusion and suggestion to the relevant CII protection departments and the members of the cybersecurity review working mechanism.

Feedback from members of the cybersecurity review working mechanism

Within 15 working days

  • If unanimous agreement is reached by the CRO, the relevant CII protection departments, and the members of the cybersecurity review working mechanism, the CIIO will be notified of the determination.
  • If unanimous agreement is not reached, the proposed purchase will move into a special review (and the CIIO will be notified).

Special review by the CRO

Within 45 working days, with extension allowed for complicated cases

  • The CRO solicits further opinions from relevant departments and circulates the more in-depth analysis and evaluation to the relevant CII protection departments and the members of the cybersecurity review working mechanism for comments.
  • The result is reported to the Central Cyber Affairs Commission for the final say, and the CIIO will be notified of the determination. 


Review Parameters: What Counts

The review criteria in the Measures concentrate on the impact of the products and services on the stability, security, and continuity of CII, and specifically include:

  • The possibility of “manipulate[ion]”, “interfere[ce] or “business continuity disrupt[ion]” on CII.
  • The possibility of “leakage, loss or corruption of important data”.
  • The harm to the business continuity of CII by disruption of the supply of products or services.
  • The “security, openness, transparency, diversity of sources, and supply-chain reliability”, including the possibility of “supply disruptions as a result of factors like political, diplomatic, and trade reasons”.
  • The “conditions of compliance” with “Chinese laws, administrative regulations, and departmental rules” by network product/service providers.
  • Other factors that could jeopardize CII security and state security.


The Measures, as the implementation rules of Article 35 of the PRC Cybersecurity Law, are important to CIIOs that purchase applicable network products and services and to their suppliers. Failing to handle or pass the cybersecurity review will render the network product/service contract void or unenforceable. Further, the Measures provide that if a CIIO uses a network product or service that is subject to cybersecurity review while such product/service has not been reviewed or has failed the review, the CIIO will be ordered by the relevant competent departments to stop such use and will be subject to significant fines.[7] Given such significant risks and the complexities of cybersecurity review, it is advisable for both CIIOs and suppliers to carry out self-assessments before making substantial progress on purchase deals. In addition, given the in-depth review by regulators, information disclosure and technology and intellectual property protection will be key concerns for foreign suppliers, although the Measures impose on the cybersecurity reviewers’ obligations to limit disclosure and protect technology and intellectual property. It is hoped that more specific regulations or guidelines are made available to further address such concerns along with clarifying other outstanding issues, e.g., more clarity on which particular CIIOs and network products and services are subject to the cybersecurity review obligations.

[1] The other issuing government departments are the National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, Ministry of State Security, Ministry of Finance, Ministry of Commerce, People's Bank of China, State Administration for Market Regulation, National Radio and Television Administration, National Administration of State Secrets Protection, and State Cipher Code Administration.

[2] Measures on the Security Review of Network Products and Services (Trial), issued by CAC and effective as of 1 June 2017.

[3] According to the Regulations on the Protection of the Security of Critical Information Infrastructure (Draft for Comment), issued by CAC on 10 July 2017, the competent or regulatory authorities for industries shall, as per the division of duties by the State Council, guide and supervise the protection of the security of the CII in the industries and fields concerned.

[4] A press conference held by CAC on 27 April 2020: http://www.cac.gov.cn/2020-04/27/c_1589535446378477.htm.

[5] According to the Measures, the CRO is established within CAC and is responsible for formulating the relevant system specifications for, and organizing, cybersecurity reviews.

[6] The cybersecurity review working mechanism is established by, and is likely to consist of representatives from, the twelve government departments issuing the Measures. 

[7] Specifically, a fine of no less than one but no more than ten times the purchase amount shall be imposed; as for the persons directly in charge or other directly responsible persons, a fine of no less than RMB 10,000 but no more than RMB 100,000 shall be imposed. Article 65 of the PRC Cybersecurity Law.

› More Insights