Implementation and Implication of Cybersecurity Review Measures

On 15 February 2022, the Cybersecurity Review Measures (2021) (Measures) comes into effect. The Measures were adopted by the Cyberspace Administration of China (CAC) and consented by other competent authorities like National Development and Reform Commission, Ministry of Industry and Information Technology, the Ministry of Public Security etc. and was previously released on 28 December 2021.

Scope of Application

To purchase network products or services, a critical information infrastructure operator shall prejudge any possible risks to national security after such products or services are put into use. It shall declare any network product or service that affects or may affect national security to the Office of Cybersecurity Review for cybersecurity review. For the purpose of the present Measures, the term "network products and services" mainly refers to core network equipment, important communication products, high-performance computers and servers, mass storage devices, large databases and application software, cybersecurity equipment, cloud computing services, and other network products and services that have a significant impact on the security of critical information infrastructure.

The data processing activities carried out by online platform operators, which affects or may affect national security, shall be subject to cybersecurity review in accordance with the present Measures.

To go public abroad, an online platform operator who possesses the personal information of more than 1 million users shall declare to the Office of Cybersecurity Review for cybersecurity review.

Documents to be Submitted

To file an application for cybersecurity review, the operator shall submit the following declaration materials:

1. A written declaration;
2. An analysis report concerning the impact or possible impact on national security;
3. The procurement document, agreement, contract to be entered into or IPO materials to be submitted, etc.;
4. Other materials necessary for cybersecurity reviews.

The Office of Cybersecurity Review will decide whether the cybersecurity review is required within 10 working days upon the receipt of the declaration materials and notify the operator hereof in writing accordingly.

Cybersecurity Review Standards and Procedure

Cybersecurity review shall focus on the assessment of national security risk factors of the relevant object or situation:

1. Risks of illegal control, interference or destruction of critical information infrastructure brought about by the use of products and services;
2. The harm caused by supply interruption of products and services to the business continuity of critical information infrastructure;
3. Security, openness, transparency and diversity of sources of products and services, reliability of supply channels, and risks of supply interruption due to political, diplomatic, trade or other factors;
4. Information on compliance with Chinese laws, administrative regulations and departmental rules by product and service providers;
5. Risks of theft, disclosure, damage, illegal use or cross-border transfer of core data, important data or large amounts of personal information;
6. Risks of influence, control or malicious use of critical information infrastructure, core data, important data or large amounts of personal information by foreign governments after overseas listing;
7. Other factors that may endanger critical information infrastructure security and nationaldata security.

The cybersecurity review includes a preliminary review of 30 to 45 working days conducted by the Office of Cybersecurity Review (Office). Thereafter, it takes up to 15 working days to wait for a written reply of Members of the Cybersecurity Review Working Mechanism and relevant authorities after their receipt of preliminary review findings and suggestions from the Office (Consultation Process), or in comprehensive cases, the Office will further start a possible special review procedure of 90 working days if the results of preliminary review and the consultation process are not consistent.

Implication and Liabilities

Foreign invested enterprises which may be categorized as critical information infrastructure operator in the industries like communications, information service, energy, transport, water conservancy, finance, public service etc. need to strictly follow these Measures，pre-judge the risks according to the developing pre-judgment guidelines for their own industry or field concerned before filing the case for review (if any). Further, any foreign invested enterprises as provider of network products and services to critical information infrastructure operator shall cooperate with authority and concerned operators to provide the required documents or assistance, assist operators in taking measures to prevent and mitigate risks during the review in accordance with the requirements of the cybersecurity review, even to fulfill its commitments made during the cybersecurity review, including without limitation undertaking not to take advantage of the provision of the product or service to illegally obtain user data, illegally control and manipulate user equipment, and not to suspend product supply or necessary technical support services without justifiable reasons. Any breach of these Measures will be deemed as breach of Cybersecurity Law and Data Security Law of the People’s Republic of China and be subject to the corresponding liabilities.