24 June, 2019
On June 5, 2019, the Ministry for Industry and Information Technology (“MIIT”) released a draft of Implementation Measures on Key Network Equipment Safety Inspection (the “Draft for Comment”), which will remain open for public comment for one month until July 4.
Article 23 of the Cybersecurity Law (the “CSL”) provides key network equipment and the specialized products for network security which may not be sold or provided until they pass the security certification or security testing conducted by qualified institutions in accordance with the compulsory requirements of the national standards. The national Internet information department shall, in conjunction with relevant departments of the State Council, formulate and promulgate the catalogue of key network equipment and specialized products for network security and promote the mutual recognition of security certification and security testing results to avoid repetitive certification and testing.
The Draft for Comment provides specific requirements on procedures and requirements for security inspection. It refers to‘key network equipment’as those listed in the Key Network Equipment and Network Security Special Products Catalogue, according to Notice on the release of the Key Network Equipment and Network Security Special Products Catalogue (First Batch) in 2017, which includes routers, switchs, rack servers and programmable logic controllers. MIIT shall be responsible for organizing and carrying out the key network equipment security inspection work (Article 5).
The Draft for Comment provides manufacturers of key network equipment which select to conduct security inspection for key network equipment, shall submit application materials (including basic information about the manufacturer and key network equipment, a statement about equipment performance data is in compliance with key network equipment technical parameters, materials relating to the enterprise’s security capacity) to MIIT (Article 6), then, they shall choose an example product and entrust a qualified institution to conduct security inspection. Such institution will then provide a security inspection report on the selected product to MIIT (Article 7). MIIT will publish the list of key network equipment which has passed security inspection with a three year term of validity.
The Draft also provides for any key network equipment subject to telecom device network access permit system, if it has been inspected by qualified institutions in accordance with the security inspection standard for key network equipment during the process of applying for the network access permit, and it still has a valid network access permit, such key network equipment shall be exempt from repetitive security inspection. The expiration date for such key network equipment will be the expiration date of its network access permit.
The Draft for Comment also provides requirements in respect of information change of key network equipment, obligations and liabilities for manufacturers and inspection institutions and supervision requirements for MIIT.
We will follow up with legislative development of the Draft.
