6 June, 2017
The Cyberspace Administration of China (“CAC”) formally adopted the Measures on Security Review of Network Products and Services (Trial for Implementation) (“Measures”) on May 2, 2017. The Measures is the first, and an important, ancillary regulation of the Cybersecurity Law (“CSL”) and will become effective simultaneously with the Cybersecurity Law on June 1, 2017.
CAC released a draft of the Measures in February of this year allowing for one-month public comment. While the finalized version is not substantially different from the draft, its applicable scope has been narrowed and minor adjustments have been made to the focus of the review, as briefly summarized below.
I. Legal Hierarchy and Legal Basis
Unlike two other regulations issued by CAC on the same day as the Measures[1], the Measures was issued in the form of a normative document (规范性文件) rather than a departmental regulation (部门规章). The “trial for implementation” label in the title of the Measures and its lower legal hierarchy may reflect the authority’s explorative and experimental attitude towards regulation of the subject matter. The Measures is based on Article 59 of the National Security Law, which calls for the establishment of a national security review of network information technology products and services concerning national security, and Article 35 of the CSL, which provides that the procurement of network products and services by critical information infrastructure operators must pass a national security review organized by CAC in conjunction with the relevant departments of the State Council.
II. Scope of Products and Services Subject to Review
Two criteria apply to products and services subject to national security review: (a) they are “important products and services” and (b) “such products and services are used in information systems concerning national security” (Article 2). Questions remain as to what types of products and services are considered “important”, and what types of information systems are considered “concerning national security” (on this point, “concerning public interest” in the original draft has been removed in the final version).
Specifically, the Measures provides that “the procurement of network products and services by operators in public communication and information services, energy, transportation, hydraulic, finance, public services, e-government and other key industries and sectors, and operators of other critical information infrastructure which may affect national security shall pass cybersecurity review,” and the relevant critical information infrastructure (“CII”) protection authority shall determine whether or not certain products and services affect national security. Such a provision reiterates the requirements under the CSL yet leaves broad discretion to CAC and the relevant industrial regulatory authorities when determining the specific scope of products and services subject to cybersecurity review.
III. Authorities and Entities Responsible for the Review
The security review is steered by regulatory authorities and involves societal participation.
Cybersecurity Review Committee
A cybersecurity review committee is to be established by the CAC with other regulatory authorities to review and deliberate major policies relating to cybersecurity reviews, organize cybersecurity review activities and coordinate major issues in this area (Article 5).
Cybersecurity Review Office
A cybersecurity review office is to be established to organize and implement cybersecurity review. The Measures does not explicitly provide how the office will be set up (Article 5).
Cybersecurity Review Experts Committee
The cybersecurity review committee will engage relevant experts to form a cybersecurity review experts committee who will conduct an overall evaluation on the security risk of network products and services and the security and reliability of their providers on the basis of a third party evaluation (Article 6).
Industrial Regulatory Authorities
Industrial regulatory authorities shall organize cybersecurity reviews in key industries and sectors regulated by them (Article 9). However, the specific division of responsibilities between the industrial regulatory authorities, CAC and the cybersecurity review committee remains to be seen in practice.
Third Party Review Institutions
The cybersecurity review introduces third party evaluations which are to be carried out by third party review institutions certified by the State (Article 7). The Measures does not yet specify the qualification process for such third party review institutions.
IV. Criteria of Review
The focus of a cybersecurity review is on the security and controllability of network products and services, which largely includes the following risks:
- the security risk inherent in the products and services, and the risk of their being illegally controlled, disrupted or interrupted;
- the risk relating to the security of supply chains in the manufacturing, testing, delivering and technical support process of the products and their key components;
- the risk that product and service providers utilize the convenience of providing products and services to illegally collect, store, process and use a user’s information;
- the risk that a provider abuses a user’s reliance on a product and/or service to endanger the user’s interests or cybersecurity; and
- other risks that may endanger national security and the public interest (Article 4).
The risks listed above are high-level points, and a number of questions remain, such as (a) how to review early stages of the supply chain such as manufacturing and testing, (b) whether the foreign shareholding background of product and service providers should be considered, and (c) what constitutes “jeopardizing users’ interest”.
V. Ongoing Supervision
The cybersecurity review under the Measures is a multi-dimensional and ongoing process comprising a lab test, an onsite inspection, online monitoring and a background investigation. The cybersecurity review focuses on the security and controllability of network products and services. It may be launched either by the cybersecurity review office in accordance with the relevant national rules or upon the advice of national industrial associations and user feedback. The dynamic nature of the review reflects the general trend of regulatory development moving from ex-ante permits to ex-post supervision. However, the practical implications of ongoing supervision remain to be seen.
VI. Our Observation
In general, the final Measures remains high-level and general in nature. It leaves a number of outstanding issues, such as the specific scope of entities, products and services subject to the security review, the organization of the new authorities to be created in charge of the review, the certification of third party evaluation institutions, and the review procedures and specific review criteria, which may be specified in policies and standards to be formulated by the relevant authorities and standardization institutions. It is anticipated that a new review system will gradually be introduced to deal with the outstanding issues mentioned above, and all these new developments are worth following up.
[1] The Provisions on Administration of Internet News Information Services and the Provisions on Administrative Enforcement Procedures of Internet Information Content Administration.