Originally authored 4/30/2020
On April 27, 2020, twelve Chinese government agencies led by the Cyberspace Administration of China (“CAC”) jointly promulgated the Measures for Cybersecurity Review (“Measures”) effective on June 1, 2020.
The Measures, consisting of 22 articles, were promulgated under the authority of the National Security Law and the Cyber Security Law (“CSL”) to implement Articles 35 and 59 of the CSL which imposes a cybersecurity review requirement on network products and services procured by operators of Critical Information Infrastructure (“CII”) that may impact national security.
After the Measures become effective on June 1, 2020, when a CII operator purchases any network products or services with a potential impact on national security, this purchase must go through a cybersecurity review in accordance with the new Measures.
The scope of the cybersecurity review is quite broad. Pursuant to the Measures, network products and services (“NPSs”) refer to core network devices, high-performance computers and servers, mass storage devices, large databases and application software, network security devices, cloud computing services, and other network products and services that have a significant impact on the security of the critical information infrastructure.
Each CII operator is obliged to fully understand the NPSs to be purchased and assess their potential impact on national security when in use. A sector-specific guidance may be published in the future, but currently it is within the discretion of the CII operator whether to file a review application to CAC.
While CSL and the Measures are not formally intended to discriminate against foreign business, they will have a significant impact on foreign companies that operate in China, especially these companies that supply network products or services to CII operators in China. Foreign companies doing business in China should carefully assess whether your customers in China are CII operators and whether the network products/services supplied to your customers fall under the definition of network products/services under the Measures or relate to industrial sectors specifically mentioned by CAC and continue to monitor new laws and regulations in the evolving cybersecurity review regime.
