The “Cybersecurity Review Measures (2021)” will be effective on Feb. 15, 2022

After the promulgation of the “Data Security Law” and the “Regulations on the Security Protection of Critical Information Infrastructures”, the articles on security review in the original “Cybersecurity Review Measures” (implemented on Jun. 1, 2020, hereinafter referred to as “2020 Measures”) needed to be updated. Therefore, 13 departments including the State Internet Information Office revised the “2020 Measures”. The revised “Cybersecurity Review Measures” (hereinafter referred to as “2021 Measures”) was released on Dec. 28, 2021, and will be effective on Feb. 15, 2022.

The following is an introduction to the main revisions of the “2021 Measures”.

  1. Expand the scope of security review objects

The “2020 Measures” stipulate that the objects of review are critical information infrastructure operators, and the “2021 Measures” add “network platform operators”. However, for the former, the security review covers “procurement of network products and services”, while for the latter, it covers “data processing activities”.

  2. Strengthen the security review management of overseas listings

Article 7 of the “2021 Measures” clearly stipulates that: “To go public abroad, an internet platform operator who possesses the personal information of more than 1 million users shall declare to the Office of Cybersecurity Review for cybersecurity review.”

In fact, such security review is likely to be tightened in the future. Recently, the government released the “Network Data Security Management Regulations (Draft for Comment)”, Article 13 of which lists 2 circumstances that require a voluntary declaration. The 2 circumstances are: (1) the merger, reorganization or separation of an internet platform operator that gathers and manages a large number of data resources related to national security, economic development, and public interests, which affects or may affect national security; and (2) a data processor going public in Hong Kong, which affects or may affect national security. Let’s wait for the final promulgated version.

  3. Extend the scope of the object/situation of risk review and assessment

Regarding the objects/situations considered in the risk review and assessment, the “2020 Measures” mainly stipulates four items, while the “2021 Measures” add two new ones, as follows:

“2020 Measures”:

  1. Risks of illegal control, interference or destruction of critical information infrastructure brought about by the use of products and services.
  2. The harm caused by supply interruption of products and services to the business continuity of critical information infrastructure.
  3. Security, openness, transparency and diversity of sources of products and services, reliability of supply channels, and risks of supply interruption due to political, diplomatic, trade or other factors.
  4. Information on compliance with Chinese laws, administrative regulations and departmental rules by product and service providers.

“2021 Measures” (Additional):

  1. Risks of theft, disclosure, damage, illegal use or cross-border transfer of core data, important data or large amounts of personal information.
  2. Risks of influence, control or malicious use of critical information infrastructure, core data, important data or large amounts of personal information by foreign governments after overseas listing.