The Chinese government has issued amended cybersecurity review measures
Recently, thirteen relevant Chinese government agencies (including the Cyberspace Administration of China, the National Development and Reform Commission of China and the Securities Regulatory Commission of China) jointly issued amended Cybersecurity Review Measures (the “New Measures”) to modify and replace the previous version of these measures issued on April 13, 2020. The new measures will come into force on February 15, 2022.
According to Article 4 of the new measures, the aforementioned thirteen Chinese government agencies will work together to establish the working mechanism of the national cybersecurity review. The Cybersecurity Review Office, hosted by the Cyberspace Administration of China, will be responsible for developing rules and regulations for cybersecurity review, as well as organizing and coordinating the cybersecurity review process.
When cybersecurity review is triggered
Article 2 of the new measures states that, if the purchase of network products and services by a critical information infrastructure operator, or the data processing activities of a network platform operator, affect or may affect national security, a cybersecurity review should be conducted.
Article 7 of the new measures states that if a network platform operator that controls the personal information of more than one million users applies for an offshore public listing, that operator must submit a request to the Cybersecurity Review Office for a cybersecurity review.
The new measures do not provide detailed definitions of certain key terms in the rules above, such as “control” and “users”; these may need to be further explained and clarified by future rules or guidelines.
Initiated by relevant agencies
Article 16 of the new measures states that, if any of the 13 aforementioned government agencies believes that network products or services or data processing activities affect or may affect national security, the Cybersecurity Review Office should report this concern to the Office of the Central Cyberspace Affairs Commission. Once the Office of the Central Cyberspace Affairs Commission confirms that a cybersecurity review should be conducted to address this concern, the Cybersecurity Review Office shall conduct a cybersecurity review regarding these products, services or activities.
Article 3 of the new measures states that the cybersecurity review must incorporate proactive review, ongoing monitoring and public oversight. Section 19 of the new measures states that the Cybersecurity Review Board may strengthen its ongoing oversight by accepting reports from the public. Therefore, any person or entity can report a potential case requiring a cybersecurity review to the Cybersecurity Review Office, and if the Cybersecurity Review Office deems a review to be necessary, it can initiate that review (procedures for initiating such a review would be similar to those applicable to the review described in Section 2 above).
Definition of network products and services
To clarify what constitutes “the purchase of network products and services by a Critical Information Infrastructure Operator” (which may trigger a cybersecurity review if national security is at issue), Article 21 of the new measures provides that, for the purposes of the new measures, “network products and services” primarily means basic network equipment, large communications products, high-performance computers and servers, mass storage devices, large data and application software, network security equipment, cloud computing services and other network products and services that have a significant impact on the security of critical information infrastructures, network security and data security. Thus, even transactions in the normal course of business of a critical information infrastructure operator (for example, the purchase of certain types of storage devices or application software) could be on the radar of the cybersecurity review, as long as these transactions may affect national security.
National security risks to consider
Section 10 of the new measures provides a list of national security risk factors that would be considered when reviewing the cybersecurity of a proposed transaction, which includes, among others, the following: (1) if the Critical Information Infrastructure is unlawfully controlled, interfered with, or damaged after use of the affected products and services; (2) whether any disruption in the provision of the affected products and services would cause continued harm to the operations of the Critical Information Infrastructure; (3) whether the products and services concerned are safe, open, transparent and have multiple sources of supply, whether the suppliers are reliable and whether the supply of these products and services may be disrupted by political, diplomatic, commercial and other factors; (4) if there is a risk that essential data, important data or a large amount of personal information may be stolen, disclosed, destroyed or unlawfully used or unlawfully transferred across borders; (5) whether public listing of the relevant entity would present a risk that foreign governments could unlawfully influence, control, or misuse any critical information infrastructure, master data, important data, or large amount of personal information. This list provides guidelines for any party wishing to engage in a self-assessment of the outcome of the cybersecurity review of its intended transactions.
Article 20 of the new measures stipulates that any critical information infrastructure operator or network platform operator who violates the provisions of the new measures shall be subject to penalties in accordance with the provisions of the Chinese Cybersecurity Law and the Chinese Data Security Law. A detailed discussion of these provisions is beyond the scope of this article, but we will discuss these laws in later blog posts.
Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 45