China: Han Kun Cybersecurity And Data Compliance Series IV: The Unveiling Of Cybersecurity Reviews

Last Updated: 17 May 2017
Article by David Tang

On May 2, 2017, the Cyberspace Administration of China ("CAC") issued a trial version of the Measures for the Security Review of Network Products and Services (Trial) ("Trial Measures"), which are slated to become effective on June 1. The Trial Measures are another supporting document of the Cybersecurity Law, issued on November 7, 2016, and are intended to implement the cybersecurity review requirements of Article 35 of that law.

Changes in the Trial Measures

Compared to the original draft for comment version of the measures ("Draft") issued by CAC on February 4, 2017, the Trial Measures make a number of clear adjustments, which mainly include:

  1. References to the "public interest" have been removed throughout the regulation. We understand that "public interest" is an ambiguous and broad concept that may lead to a scope that is beyond the boundaries of the cybersecurity review. Thus, the removal of public interest provides for a clearer regulatory scope for the Trial Measures, and is also more in line with the original focus of national cybersecurity review.
  2. The security review criteria have been made clearer. The Trial Measures expressly stipulate that the cybersecurity review includes static reviews (security risks of the products and services themselves) and dynamic reviews (supply chain security risks to products and key components, including in the process of production, testing, delivery and technical support), based on the secure and controllable requirements.
  3. Reiteration of key industries and sectors. In coordination with the Critical Information Infrastructure ("CII") provisions in Article 31 of the Cybersecurity Law, the Trial Measures reiterate that the key areas subject to cybersecurity reviews are public communications, information services, energy, transportation, water conservancy, finance, public services and e-government, and other key industries and sectors. It is worth mentioning that the Trial Measures remove the "party and government offices" language found in the Draft. We understand that party and government offices have their own security review mechanism, so it is unnecessary to specifically regulate these entities in the Trial Measures.

Main Content of the Trial Measures

The Trial Measures contain the following aspects that are worthy of note:

a. No administrative access approvals, focus on concurrent and post-event regulation

Throughout the Trial Measures, emphasis is placed on concurrent and post-event regulation rather than on setting new market access administrative licensing for network product and service providers. The Trial Measures stipulate in Article 2 that "important network products and services purchased for networks and information systems that relate to national security must pass a cybersecurity review." Article 3 further provides that "cybersecurity reviews of network products and their providers and supply chains shall be carried out by a combination of enterprise commitment and social supervision, of third-party evaluations and continuous government oversight, and of laboratory testing, on-site inspections, online monitoring and background investigations."

b. Security Review Criteria: Secure and controllable

From the outset of cybersecurity legislation, "secure" and "controllable" have been the two concepts most referred to by legislators and regulators, and the Trial Measures again confirm these concepts as the basic principles guiding the Cybersecurity Law and its implementation. Article 4 of the Trial Measures states that security reviews shall focus on security and controllability, including: 1) security risks of the products and services themselves, and the risk of being illegally controlled, interfered with or interrupted in the course of operation; 2) supply chain security risks to products and key components; 3) the risk of illegal collection, storage, processing and use of user information by providers of such products and services; 4) risks of harming cybersecurity and users' interests; and 5) other risks that may harm national security.

Of these criteria, 1) and 2) evaluate the ability to defend against risks, and 3) and 4) prohibit active infringing conduct.  These criteria give consideration to both the active and passive aspects of cybersecurity, but remain concepts in principle.  Without further guidance, it is difficult to predict the scope and standard of cybersecurity reviews in practice, and the relevant reviewers appear to be left with broad discretion in this regard.

c. Multi-party participation, striving for due process

The Trial Measures primarily place emphasis on the cybersecurity review process, as shown by Articles 5 to 10.  These articles reflect administrative participation and due process under the modern administrative procedure law.

For example, from the perspective of participants, the Trial Measures involve the cybersecurity review commission (a newly established agency), the cybersecurity review office, the cybersecurity review experts committee, third-party institutions, national industry associations, users, the competent departments of the respective industries and sectors, and CII protection departments. From the perspective of process, the Trial Measures refer to expert evaluations, social supervision and public participation, among others.

It is clearly observable, however, that the final decisions relating to cybersecurity reviews are to be made by government regulators. Therefore, in contrast to the principle of simplifying administrative procedures, referred to as "small government and big society," legislators still wish to retain a greater degree of governmental power in the area of cybersecurity.

d. Reviews to be commenced by regulatory departments

The Trial Measures also make clear the procedures for launching cybersecurity reviews. Article 8 of the Trial Measures states that the cybersecurity review office shall commence security reviews in accordance with the relevant national requirements, taking into consideration the suggestions of national industry associations and user feedback. Article 9 requires that the competent departments of key industries and sectors, such as finance, telecommunications, energy and others, organize cybersecurity reviews of network products and services within their respective industries and sectors according to the national cybersecurity review requirements.

Compared to the Draft, the Trial Measures remove application by enterprises as an option for commencing cybersecurity reviews. That is to say, enterprises no longer have the right to initiate security reviews and, where necessary, can in most cases only promote security reviews via industry associations or other indirect means. This is also consistent with the government's position mentioned above: the government is inclined to adopt active administration and proactive regulation for cybersecurity matters.

e. Security assessment reports: A black list for cybersecurity reviews?

Article 13 of the Trial Measures states that the cybersecurity review office will release assessment reports on the security of network products and services from time to time. No report format or content requirements have currently been provided. However, information we have gathered from the legislative process suggests that the assessment reports will not only include information on network products and services and their providers that pass reviews, but will also list those products, services and providers that have not passed.

This information may develop into a disclosure system based on a "white list" and a "black list" that could influence and direct the industry.

In addition, a CAC official has said that the regulator will treat enterprises and products from China and other countries equally during cybersecurity reviews, will not direct efforts at products and services from specific countries or regions, and will not limit foreign products from entering the domestic market. However, as the cybersecurity reviews focus on "national security," it remains to be seen whether the reviews will raise certain invisible barriers to market access in China for products and services provided by foreign enterprises or domestic joint ventures.

Advice

Strictly speaking, cybersecurity reviews for network products and services do already exist in some form. There are certain national quality standards, industry access and enterprise qualification requirements for special industries, products and services, and enterprises themselves may have their own product security and industry standards. Until now, however, no specialized regulation has been enacted to establish a unified system and standard for such cybersecurity reviews. The issuance of the Trial Measures marks the commencement of nationally-led cybersecurity reviews.

Based on their current content, the Trial Measures remain only basic guidance for the cybersecurity review of network products and services, and will require further development and refinement. Open issues include, for example, organizing the cybersecurity review commission and experts committee, identifying third-party institutions, and defining the evaluation criteria that affect national security, together with the related review processes and working rules.

While detailed regulations are still on the way, the related penalties are clear. According to Article 65 of the Cybersecurity Law, CII operators using products or services which have not undergone or have failed security reviews will be ordered by the competent department to stop such use and may be subject to a fine equivalent to more than 1 but less than 10 times the purchase price, and the supervisor directly in charge and other persons directly responsible will be subject to fines ranging from 10,000.00 yuan to 100,000.00 yuan. It can thus be said that the penalty ceiling is relatively high.

We would therefore recommend that network operators and providers of network products and services, especially CII operators in key industries and sectors, conduct self-reviews of the network products and services they have purchased or provide to others in order to make improvements according to the secure and controllable requirement, keep open communications with industry regulators and industry associations, and watch for further developments in this area.

Han Kun Cybersecurity and Data Compliance Series:

I: Big Data Policy and Legal Issues in the Healthcare Industry

II: Comments on the Network Security Law

III: Comments on the Measures on Security Assessments for Personal Information and Important Data to be Transmitted Abroad (for Public Comment)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
