China issues new draft regulations on Cybersecurity Review for Public Comment

Introduction

On 21 May 2019 a draft regulation, entitled Measures on Cybersecurity Review (Cybersecurity Review Measures), was issued by the China Administration of Cyberspace (CAC) for public comment. The Cybersecurity Review Measures are intended to replace the Interim Measures for Security Review of Network Products and Services, which had been implemented on 1 June 2017. The issuance of the draft Cybersecurity Review Measures demonstrates the Chinese government’s ongoing commitment to enhance cybersecurity and compliance requirements for supply chains in relation to critical information infrastructure. 

The draft Cybersecurity Review Measures contain provisions which could have an important impact on vendors and suppliers who sell IT and network products to strategic and sensitive industries (such as the financial, energy, public utility, telecom, transportation and other important sectors). 

In this briefing, we outline the key provisions of the draft Cybersecurity Review Measures and provide high-level analysis of the implications this new regulatory development may have for IT and network vendors and suppliers.

Key provisions of the draft Cybersecurity Review Measures

Designated authority for overseeing cybersecurity review

The draft Cybersecurity Review Measures make it clear that CAC will be the leading authority for regulating cybersecurity review for operators of critical information infrastructure (CII Operators). CAC will work with multiple Chinese national key regulators (such as the National Development and Reform Commission, the Ministry of Information and Industry, the Ministry of Public Security, the Ministry of Commerce, and the People’s Republic of China and the National Administration Bureau of Cryptography) to set up the cybersecurity review regime. 

The Cybersecurity Review Office, which is a governmental agency under CAC, will be granted the power and authority to:

• Formulate the system and work procedures;
• Organise cybersecurity review; and 
• Enforce cybersecurity review decisions. 

Products and services subject to cybersecurity review

The China Cybersecurity Law has established? a general requirement that CII Operators must undergo a national security review where the procurement of network products and services may affect national security. 

Consistently with the requirements of the China Cybersecurity Law, the draft Cybersecurity Review Measures provide that CII Operators must conduct a pre-assessment of the potential cybersecurity risks in connection with the network products and services concerned. the CII Operator must report to the Cybersecurity Review Office for cybersecurity security review if any of the following risks are identified: 

• An overall suspension or malfunction of CII facilities; 
• Any leak, loss, destruction or transfer outside China of a large volume of personal data and important data; 
• CII facilities become exposed to supply chain risk in connection with operation and maintenance, technical support or system upgrades.

The draft Cybersecurity Review Measures provide that the Cybersecurity Review Office will focus on the following aspects when assessing whether the procurement may involve a national security risk: 

• A possibility that CII may be controlled or interrupted or that continuity of service may be put at risk; 
• A possibility that a large quantity of personal or important data may be disclosed, damaged, destructed, or transferred abroad; 
• Controllability, transparency and supply chain risk in connection with network products and services concerned, including the possibility that the supply of products or services may be suspended due to non-technical reasons (such as political, foreign affairs or trade reasons); 
• Impact on the military industry and CII industries and technologies; 
• Compliance with laws and regulations and the commitments for undertakings and obligations by suppliers; 
• Financing to, or control over, the suppliers by foreign government. 

It seems that supply chain risks and financing or control by foreign governments have been highlighted as key factors, among others, in evaluating the procurement risks in connection with network products and services supplied to CII Operators. In the light of increased U.S. / China trade disputes, it is possible that this regime could be used by the Chinese government as a retaliatory measure for responding to trade restrictions imposed by the U.S. government on Chinese-made products. 

Key steps for cybersecurity review

In terms of the procedures, the draft Cybersecurity Review Measures provides that CII Operators should conduct a pre-assessment and produce a cybersecurity risk report. Where CII Operators decide to make a report to the Cybersecurity Review Office, the following procedures should be followed: 

(a) the Cybersecurity Review Office will have 30 working days to conduct the preliminary review (which can be extended for another 15 days in complicated cases); 

(b) the Cybersecurity Review Office will formulate a review conclusion with suggestions based on its preliminary review and send the conclusion and suggestions to the cybersecurity review member units for consultation; 

(c) the cybersecurity review member units will issue written response opinions within 15 working days, and if the opinions are consistent, the Cybersecurity Review Office will revert to the CII Operator with the review conclusion (but if the opinions are inconsistent, a special review process will be initiated); and

(d) the special review process will, as a general principle, take 45 working days (which can be extended for complicated scenarios). 

The draft Cybersecurity Review Measures require CII Operators to use contracts, procurement documents and other binding means in order to require vendors and suppliers to cooperate with the cybersecurity review. CII Operators can also add conditions that procurement contracts will only come into force after a cybersecurity review has passed.

It appears from the provisions described above that a cybersecurity review can have significant implications for vendors and suppliers who sell their network products and services to CII Operators. The cybersecurity review process will not only add an extra timeline and procedures to the procurement process, but it will also add uncertainty to procurement contracts. 

Key definitions

The draft Cybersecurity Review Measures provide for legal definitions for certain important concepts.  They refer to CII Operators as those operators which have been identified by Chinese authorities. This seems to be a different approach from the Cybersecurity Law, which defines CII by way of a list of non-exhaustive industries (such as financial, transportation, energy, telecom, etc.), plus a catch-all under which the scope of CII can be interpreted loosely at the discretion of the governmental authorities. 

The draft Cybersecurity Review Measures accordingly seem to suggest that Chinese authorities may take initiatives in identifying CII. This can provide more practical certainty for businesses in determining who may fall within the scope of CII.  IT and tech vendors and suppliers will be able to assess whether their customers are CII Operators, and therefore whether a procurement by their customers will be subject to the cybersecurity review process. 

Another important definition provided for in the draft Cybersecurity Review Measures is the concept of “safe and controllable”.  This definition:

• Concerns situations where product and service providers may not use the convenient conditions within which a product or service may be supplied or embedded in order: (a) to illegally obtain user data or illegally control or operate user equipment; or (b) use users’ reliance on products or services in order to seek improper benefit, such as forcing users to review or upgrade; and 
• Seems a welcome improvement over the definition of “safe and controllable” under the cybersecurity rules issued by the China Banking Regulatory Commission in 2013, which tried to link the “safe and controllable” standard to the Chinese ownership of IPRs. The new definition provided under the draft Cybersecurity Review Measures may provide a better level playing field.

Our observations

• The issuance of the draft Cybersecurity Review Measures sends out a clear message that the Chinese government will tighten the regulation of supply chain risks in connection with IT and network products and services supplied to CII sectors in China. Pending the increased US/China trade tensions, this cybersecurity review regime can be adopted by the Chinese government as a potential retaliation mechanism to be used in response to US trade sanctions. 
• The draft Cybersecurity Review Measures add new triggers (such as the possibility of a large volume of personal data being leaked, lost, damaged or transferred abroad), which can justify the necessity for a cybersecurity review. Such new provisions reflect the increasing importance attributed to the protection of personal data (which seems to be consistent with the enforcement actions taken by Chinese governmental agencies in the recent years). 
• Upon being issued and implemented, the draft Cybersecurity Review Measures will have significant implications for vendors and suppliers who provide IT and network products and services to Chinese CII Operators. Vendors and suppliers should prepare themselves in advance by conducting impact assessments, improving compliance levels and reviewing / updating their procurement contracts and documents. 
• The public consultation for the draft Cybersecurity Review Measures ends on 24 June 2019. There is no definitive timeline by which the final version of the Cybersecurity Review Measures will be issued and implemented. We suggest that IT and network vendors and suppliers should keep close watch on developments in this regard and comply with the new regulatory changes as they emerge.