DaHui Lawyers


4 Jun 2019

China Releases Draft Cybersecurity Review Measures

On 21 May 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures on Cybersecurity Review (“Draft Measures”). The finalized Draft Measures, after the public comment period ends (24 June 2019) and any further revisions are made, are meant to replace the Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”), effective since 1 June 2017. Both set out details of the “cybersecurity review” introduced by Article 35 of China’s Cybersecurity Law (“CSL”) for the procurement, particularly by Critical Information Infrastructure (“CII”) operators, of network products and services that may impact the national security of China. However, the Draft Measures significantly update and therefore differ considerably from the Trial Measures, including by expanding the parameters of the review and setting forth its framework, timetable, etc. As such, this Newsletter provides an overview of potential implications heralded by the Draft Measures for the reinforced cybersecurity review. 

Scope: Who Is Affected

The Draft Measures impose obligations on any CII operator upon its having an intention to purchase any network product or service that affects or may affect national security. Moreover, certain obligations extend via the CII operator to the product/service provider. Finally, Article 19 appears to allow purchases by non-CII operators to be brought within the cybersecurity review, specifically at the discretion of any member of a long list of government organs with oversight authority (“cybersecurity review working mechanism”).[1] In fact, however, this is merely a refinement and not necessarily an expansion of the scope of the Trial Measures, which mandated review of “purchases of important network products and services for networks and information systems that relate to national security”. Neither set of rules defines “network products or services”.

Purchaser & Seller Obligations: What You Must Do

A CII operator purchasing any network product or service must assess and produce a report on the “potential security risks” posed by the use of the product/service. The CII operator must further apply for cybersecurity review, by the newly established Cybersecurity Review Office, if the self-assessment indicates the product/service may lead to any of the following:

  • complete shutdown or main function failure of CII;
  • leakage, loss, corruption or cross-border transfer of massive personal information or important data;
  • supply chain security threats compromising the operation and maintenance, technical support and upgrading of CII; or
  • other potential risks that could severely jeopardize CII.

At the same time, in any of the above circumstances, the CII operator must require the product/service provider’s cooperation, by writing it into the purchase contract or by other binding means, and make successful review and approval a precondition for the contract to take effect.

The Draft Measures also contain a general provision requiring the CII operators to “enhance security management and urge product and service providers to earnestly fulfill the pledges they made during the cybersecurity review.” Although the Draft Measures make no other mention of provider pledges, one possibility is that they will be similar to the “acknowledgement letter” in practice generally requested by the authorities (e.g., MIIT) from applicants, whereby they undertake to conduct business in compliance with PRC laws and instructions from the authorities, and this item would fall under “the other materials requested by the Cybersecurity Review Office” when applying for the cybersecurity review.[2] Finally, the Cybersecurity Review Office will be carrying out spot checks, in response to public reports as well as presumably on its own initiative.

The Trial Measures had no such detailed obligations, providing only generally that assessments of purchases would be made and that providers “shall cooperate with cyber security inspections”. If anything, the Trial Measures put more emphasis on experts and third-party institutions performing assessments; the Draft Measures make only one such reference, in one potential part of the review procedure. The initial onus of the Draft Measures falls heavily on the CII operators, followed by review and approval authority by the Cybersecurity Review Office in tandem with other members of the cybersecurity review working mechanism.

Review Procedure: What Will It Take

Aside from an emphasis on the use of experts and third-party institutions, the Trial Measures had few specifics on the review procedure. In contrast, the Draft Measures specify the details of the review procedure as follows:

Procedure: Initial review by the Cybersecurity Review Office
Timeline: 30 working days, plus 15 working days (for complicated cases)
Notes:
  • The Cybersecurity Review Office circulates its preliminary conclusion and suggestion to other members of the cybersecurity review working mechanism.
  • The preliminary conclusion and suggestion may be: (1) Pass, (2) Conditional Pass, or (3) Fail.

Procedure: Feedback from the members of the cybersecurity review working mechanism
Timeline: 15 working days
Notes:
  • If unanimous agreement is reached by the Cybersecurity Review Office and the members of the cybersecurity review working mechanism, the CII operator will be notified of the conclusion.
  • If unanimous agreement is not reached, the proposed purchase will move into a special review (and the CII operator will be notified).

Procedure: Special review by the Cybersecurity Review Office
Timeline: 45 working days, with extension allowed for complicated cases
Notes:
  • The Cybersecurity Review Office solicits further opinions from relevant departments, specialized agencies and experts and circulates the more in-depth analysis and evaluation to the cybersecurity review working mechanism for comments.
  • The result is reported to the Central Cyber Affairs Commission (a special committee under CAC) for the final say.


As a result, and setting aside the indeterminateness of the final extension in the special review, while the Trial Measures had no timetable, the Draft Measures indicate that the final answer on proposed purchases should be obtained in no more than three months, though parties should consider 45 days a minimum. 

Review Parameters: What Counts

According to both the Trial Measures and the Draft Measures, the focus of the cybersecurity review is on the “safety and controllability” of the network products/services. These concepts are defined only in the Draft Measures: briefly, that the product/service does not permit illegal access of users’ data or illegal control or manipulation of users’ devices and does not exploit users’ dependence on the products/services for unjustified gains or to force users into upgrading.

However, the real innovation and crux in the review lie in provisions setting out the exact risk and other factors considered. A side-by-side comparison of these provisions in the Draft Measures versus Trial Measures shows both slight and substantial differences:

Draft Measures (2019): Implications on CII’s “continuous, secure and stable operation”, including the possibility of “manipulat[ion]”, “interfere[nce]” or “business continuity disrupt[ion]”.
Trial Measures (2017): “Security risks” of the products/services themselves and risks of “illegal control, interference and interruption in operations”.

Draft Measures (2019): The possibility of “leakage, loss, corruption or cross-border transfer of massive personal information and important data”.
Trial Measures (2017): “Risks arising from the illegal collection, storage, processing and usage of users’ relevant information”.

Draft Measures (2019): “controllability, transparency and supply-chain security”, including the possibility of “supply disruptions as a result of non-technical factors like political, diplomatic and trade reasons”.
Trial Measures (2017): “supply chain” “security risks” in production, testing, delivery or technical support.

Draft Measures (2019): The “influence” on “technologies and industries related to national defense, military industry and CII”.
Trial Measures (2017): “Risks of damaging the cyber security and users' interests”.

Draft Measures (2019): The product and service provider’s “track record” in “compliance with national laws and administrative regulations” as well as pledges.
Trial Measures (2017): N/A

Draft Measures (2019): “Whether the product and service provider is funded or controlled by foreign governments”.
Trial Measures (2017): N/A

Draft Measures (2019): “Other factors that could compromise CII security and national security”.
Trial Measures (2017): “Other risks which are likely to jeopardize national security”.


Takeaways

In addition to further specifying the scope and procedure of the cybersecurity review, the Draft Measures augment the obligations and requirements of CII operators, products/services and their providers. This augmentation appears to align with the legislative trend since the coming into effect of the CSL and other draft implementing rules and regulations, e.g., an intention to expand the application of those laws and regulations from CII operators to network operators in general. Although the new review measures are only in draft form, the government is indicating an inclination towards greater limitations and burdens in connection with purchases of network products and services in China—affecting both buyers and sellers. There are ample instances in which items in draft provisions have been left out of final versions, but parties may wish to plan ahead and consider the legal and other expert advice they may wish to solicit when entering into purchases of network products or services in China.

[1] The National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of National Security, the Ministry of Commerce, the Ministry of Finance, the People’s Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, and the State Cryptography Administration.

[2] The materials explicitly enumerated for submission in the cybersecurity review are:

  1. application form;
  2. the security risk report produced pursuant to Article 6; and
  3. procurement contract, agreement, etc.