Global menu

Our global pages


China issues New Cybersecurity Review Measures

  • China
  • Privacy, data protection and cybersecurity


You may need to comply with new cybersecurity measures if your business in China procures network products and services which may have an impact on China’s national security. The new China Cybersecurity Review Measures (“Measures”) will take effect on 1 June 2020.

One of the key principles of the China Cybersecurity Law provided that the procurement of network products and services (which may affect national security interests) must be subject to an official cybersecurity review. Following the release of the Measures, we have now received greater clarity regarding the procedures and timing of this cybersecurity assessment.

Under the new Measures, operators of critical information infrastructure in China are required to perform a cybersecurity review when they procure network products and services that may impact China’s national security interests. Network products and services include core network equipment, high-performance computers and servers, mass storage equipment, large-scale databases and application software, cybersecurity equipment, cloud computing services as well as other network products and services that have a significant impact on critical information infrastructure security.

Importantly, the Measures require that operators of critical information infrastructure identified by the authorities:

  • anticipate potential national security risks brought about by the procurement;
  • if the procurement may have an impact on national security, declare to the Office for Cybersecurity Review about the need for a cybersecurity review; and
  • obtain via contractual means, the right to request the vendors’ cooperation in the review process as well as undertakings from the vendors prohibiting: (i) the illegal solicitation of users’ data, (ii) the control or manipulation of users’ equipment, and (iii) the suspension of the supply of products or necessary technical support services without justification

The Office of Cybersecurity Review will respond on whether a cybersecurity review will be required within 10 business days following its receipt of the operator’s declaration. Any initial cybersecurity review is expected to be completed within 30 working days.

Contravention of the Measures may be subject to a fine of up to ten times the procurement price, along with individual fines of up to RMB100,000 for the personnel involved.

In light of the greater clarity contained in the Measures, operators of critical information infrastructure should commence preparatory work in relation to cybersecurity assessments which will be relevant for any upcoming procurement of network products and services, which may require updates to their procurement contract templates.

The new Measures can be found here (in Chinese).

For more detailed advice about what the release of the new measures could mean for you, please contact us.






  • 预判采购可能带来的国家安全风险
  • 如采购可能影响国家安全,应当向网络安全审查办公室申报网络安全审查;及
  • 透过合约手段取得要求产品和服务提供者配合网络安全审查的权利,并令提供者作出承诺以禁止:(i)非法获取用户数据,(ii)控制和操纵用户设备,及(iii)无正当理由中断产品供应或必要的技术支持服务。