The Measures for Cybersecurity Reviews "("Measures"") was revised by 12 Ministries on 28 December 2021 and comes into effect on 15 February 2022. The Square speaks with Dr Roberto Gilardino, Regional Partner for Asia and Additional Countries, on the implications of revised Measures and application for companies in China.

The Square: The Measures focus on critical infrastructure network operators '('CII') or the conducting data processing activities by network operators that may affect or affect national security. Specifically, it targets their procurement of related network products and services. Why is this so crucial to national security?

Roberto Gilardino: In 'today's digital, serious cyber-attacks on the network infrastructure and information systems can result in serious damage to national security, national economy and people's livelihoods, and the public interest. Certainly, CII, in which the Chinese characters 关键 guānjìan refers to key elements that enable other components to function such as the economy and society to operate steadily, can be vulnerable to external attacks. Therefore, regulating the hardware and software to service CII infrastructure and other related network operators is significant in securing the system and minimising those cyber-attacks which destabilise daily life.

The Square: What are the main amendments in the revised Measure and its impacts for companies in China?

Roberto Gilardino: The fundamentals of the Measures have not changed from the 2020 version, in which the objective is to safeguard national security. One of the main additions to the 2021 Measures is the alignment with the Data Security Law and the Regulations on the Protection of Critical Information Infrastructure "("Regulations") adopted on 1 November 2021 and 1 September 2021.

Namely, Article 2 of the Measures extends the scope of cybersecurity review by including network operators – "conducting of data processing activities by a network platform operator, that affects or may affect national security". Hence, the Measures aligns with Article 24 of the Data Security Law "national security review of data processing activities that affect or may affect national security", and Article 19 of the Regulations to "pass a security review under national network security provisions if they purchase network products and services that may affect national security".

For companies, the extended scope requires all network platform operators to evaluate whether their data processing activities affect or may affect national security. As there are no definitions for network platform operators, the Cybersecurity Review Office is established to develop relevant policies and rules for cybersecurity review may develop further clarifications.

The Square: What equipment and services are subject to the cybersecurity review for companies affected by the Measures?

Roberto Gilardino: The Measures provisions any core network equipment, important communication product, high-performance computer or server, mass storage equipment, large database or application, network security equipment, cloud computing service, or any other network product or service that has an important impact on the security of any CII, network security, and data security.

With such broad definitions, affected companies should conduct a thorough infrastructure audit and network mapping to ensure any items utilised that could implicate national security risks are flagged and included in the cybersecurity review.  

The Square: What are the main factors considered in the cybersecurity review?  

Roberto Gilardino: The assessment will be based on the following factors.

  1. The risk of any CII being illegally controlled, tampered with, or sabotaged after any product or service is used;
  2. The risk of an interruption in the supply of any product or service endangering the continuity of any CII;
  3. The security, openness, transparency, diversity of sources, reliability of any supply channel of any product or service, and the risk of its supply being interrupted due to political, diplomatic, trade, or other factors;
  4. The compliance of the provider of any product or service with the laws, administrative regulations, and departmental rules of China; and
  5. The risk of any core data, important data, or a large amount of personal information being stolen, leaked, destroyed, illegally used, or illegally transferred abroad;
  6. The risk of any CII, core data, important data, or a large amount of personal information being affected, controlled, or maliciously used by foreign governments, as well as any network information security risk; and
  7. Any other factor that may endanger the security of any CII, network security, or data security

Factors v and vi are based on the Data Security Law and the Personal Information Protection Law and focus on the risks and damages collected data and personal information. Specifically, the transfer of data is highlighted in the two factors and poses stricter obligations for companies utilising a global IT infrastructure as opposed to a China-specific infrastructure.       

The Square: The revised Measures align with the recently adopted data laws such as Data Security Law, Personal Information Protection Law, and Regulations, should we expect more related laws in 2022?   

Roberto Gilardino: Indefinitely, data and cyber governance should dominate the forthcoming laws, rules, and regulations. Since State Council released a five-year plan to develop the digital economy on 13 January 2022, data and cyber security should continue to align with the evolving digital landscape. Whilst, enforcement of such laws mainly affects large technology companies now, companies should be gearing up and implementing policies and changes to establish a data and cyber security system. Violations are subject to high penalties and serious liabilites; therefore it is imperative to act now.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.