Cybersecurity Review Measures has been implemented since June 1, 2020
Since the implementation of the “Measures on Security Examination for Online Products and Services (Trial Implementation)” in 2017, various practical problems jumped out. For example, it is stipulated that online products and services providers shall be responsible for the cybersecurity examination, however, most of those providers are not the operators of the online platform, it is not reasonable and practical for them to conduct the examination. Under this circumstance, on April 13, 2020, the Cyberspace Administration Office and other 11 departments jointly released the “Cybersecurity Review Measures” (the “Measures”), and its main contents include:
- The operator shall be responsible for the security examination for online products and services.
Article 2 of the “Measures” prescribes that the critical information infrastructure operators (the “Operators”) purchase network the product or service, shall conduct the security examination. The main obligations are as follows:
(1) Operators shall prejudge the possible risks to national security after such product or service is put into use. Where national security is or may be affected, an application for cybersecurity review shall be filed with the Cybersecurity Review Office. The pre-judgment standards and guidelines will be released successively in the future.
(2) With regard to procurement activities for which a cybersecurity review is applied, the operator shall require the product or service provider to cooperate in the cybersecurity review by reflecting such cooperation in, among others, the procurement document or the agreement, including the provider’s commitments not to take advantage of the provision of the product or service to illegally obtain user data, illegally control and manipulate user equipment, and not to suspend product supply or necessary technical support services without justified reasons.
(3) Operators shall apply for the examination and deal with the relevant procedures.
(4) Operators shall urge the product or service provider to fulfill its commitments in the cybersecurity review.
- To introduce the detailed examination procedure.
(1) Operators apply.
(2) The Cybersecurity Review Office review the declaration material, and determine whether the examination is required.
(3) Where the Cybersecurity Review Office deems it necessary to conduct a cybersecurity examination, it shall conduct a preliminary examination.
(4) The Cybersecurity Review Office sends the preliminary examination result to members of the cybersecurity review working mechanism and relevant departments for protection of critical information infrastructure for comments.
(5) If members of the cybersecurity review working mechanism and relevant departments for protection of critical information infrastructure donot have any negative comment, the Cybersecurity Review Office shall notify operators. If there is any negative comment, it shall enter special examination process, that is, the application would be re-examined, and reported to the Central Cyberspace Affairs Commission for approval.
- To clarify the key examination factors.
(1) risks that the critical information infrastructure brought about by the use of product or services is illegally controlled, interfered with or destroyed, or that important data are stolen, leaked or destroyed;
(2) the damage caused by supply interruption of the product or service to the continuity of critical information infrastructure business;
(3) safety, openness, transparency, and diversity of sources of the product or service, reliability of supply channels, and risks of supply interruption as a result of political, diplomatic, trade or any other factor;
(4) compliance with Chinese laws, administrative regulations and departmental rules by the product or service provider; and
(5) other factors that may endanger the security of the critical information infrastructure or the national security.