Global menu

Our global pages

Close

China issues New Cybersecurity Review Measures

  • China
  • Privacy, data protection and cybersecurity

13-05-2020

You may need to comply with new cybersecurity measures if your business in China procures network products and services which may have an impact on China’s national security. The new China Cybersecurity Review Measures (“Measures”) will take effect on 1 June 2020.

One of the key principles of the China Cybersecurity Law provided that the procurement of network products and services (which may affect national security interests) must be subject to an official cybersecurity review. Following the release of the Measures, we have now received greater clarity regarding the procedures and timing of this cybersecurity assessment.

Under the new Measures, operators of critical information infrastructure in China are required to perform a cybersecurity review when they procure network products and services that may impact China’s national security interests. Network products and services include core network equipment, high-performance computers and servers, mass storage equipment, large-scale databases and application software, cybersecurity equipment, cloud computing services as well as other network products and services that have a significant impact on critical information infrastructure security.

Importantly, the Measures require that operators of critical information infrastructure identified by the authorities:

  • anticipate potential national security risks brought about by the procurement;
  • if the procurement may have an impact on national security, declare to the Office for Cybersecurity Review about the need for a cybersecurity review; and
  • obtain via contractual means, the right to request the vendors’ cooperation in the review process as well as undertakings from the vendors prohibiting: (i) the illegal solicitation of users’ data, (ii) the control or manipulation of users’ equipment, and (iii) the suspension of the supply of products or necessary technical support services without justification

The Office of Cybersecurity Review will respond on whether a cybersecurity review will be required within 10 business days following its receipt of the operator’s declaration. Any initial cybersecurity review is expected to be completed within 30 working days.

Contravention of the Measures may be subject to a fine of up to ten times the procurement price, along with individual fines of up to RMB100,000 for the personnel involved.

In light of the greater clarity contained in the Measures, operators of critical information infrastructure should commence preparatory work in relation to cybersecurity assessments which will be relevant for any upcoming procurement of network products and services, which may require updates to their procurement contract templates.

The new Measures can be found here (in Chinese).

For more detailed advice about what the release of the new measures could mean for you, please contact us.


中国发布新《网络安全审查办法》

任何企业在中国的业务如涉及采购可能影响中国国家安全的网络产品和服务,则可能需要遵守新的网络安全措施。新《网络安全审查办法》(“《办法》”)将于2020年6月1日起实施。

中国《网络安全法》其中一项主要原则订明,采购(可能影响国家安全利益的)网络产品及服务必须通过官方的网络安全审查。在《办法》发布后,我们对网络安全评估的程序及时间有了更清晰的了解。

根据新《办法》,中国的关键信息基础设施运营者在采购可能影响中国国家安全利益的网络产品和服务时须进行网络安全审查。网络产品和服务包括核心网络设备、高性能计算机和服务器、大容量存储设备、大型数据库和应用软件、网络安全设备、云计算服务,以及其他对关键信息基础设施安全有重要影响的网络产品和服务。

重要的是,《办法》要求获有关部门认定的关键信息基础设施运营者:

  • 预判采购可能带来的国家安全风险
  • 如采购可能影响国家安全,应当向网络安全审查办公室申报网络安全审查;及
  • 透过合约手段取得要求产品和服务提供者配合网络安全审查的权利,并令提供者作出承诺以禁止:(i)非法获取用户数据,(ii)控制和操纵用户设备,及(iii)无正当理由中断产品供应或必要的技术支持服务。

网络安全审查办公室将于收到运营者的申报材料后10个工作日内,通知运营者是否需要进行网络安全审查。初步的网络安全审查预期将在30个工作日内完成。

如违反《办法》,运营者可被处采购金额十倍以下的罚款,而涉事人员可各被处人民币十万元以下的罚款。

鉴于《办法》中提出更为明确的要求,关键信息基础设施的运营者宜开始关于网络安全评估的准备工作,这与之后的网络产品和服务采购息息相关,且运营者可能需要更新其采购合同范本。

有关新《办法》的内容可见此处(中文版)。

如您希望更详细地了解新措施对您的影响,请联络我们。

For more information contact

< Go back

Print Friendly and PDF
Subscribe to e-briefings