China expands scope of revised Cybersecurity Review Measures to include network platform operators

2 March 2022

On 4 January 2022, the Cyberspace Administration of China (“CAC”), in conjunction with 12 other government departments, issued a revised version of the Cybersecurity Review Measures (“New Measures”). The CAC also issued answers to specific questions relating to the New Measures on 4 January 2022 (“CAC Q&A”). The CAC and the government departments involved are referred to collectively in the New Measures as the “cybersecurity review work mechanism” (“Working Mechanism”).

The requirement for cybersecurity review for activities conducted by critical information infrastructure operators (“CIIO”) involving the purchase of network products and services was first provided for in China’s Cybersecurity Law (“CSL”), which came into effect in 2017.

The New Measures expand the scope of business entities subject to a cybersecurity review to include network platform operators (“NPOs”) intending to engage in certain activities, such as applying for overseas listing.

Cybersecurity reviews are conducted by the Cybersecurity Review Office (“CRO”) within the CAC.

The New Measures took effect on 15 February 2022 and supersede the previous version.

This article provides an overview of the key highlights of the New Measures. 

Activities that affect national security

CIIOs

CIIOs will be subject to a cybersecurity review upon purchase of network products and services, which affects or may affect national security.

The Regulations on the Security and Protection of Critical Information Infrastructure defines “CIIOs” as operators of information infrastructure in important industries and sectors, such as public communication and information services, energy, transport, water conservancy, finance, public services, e-government services, and national defence.

The “network products and services” mentioned in the New Measures primarily refer to core network equipment, important telecommunications products, high-performance computers and servers, large-capacity storage devices, large-scale databases and application software, cybersecurity equipment, cloud computing services, and other network products and services that have important influence on the security of critical information infrastructure (“CII”), cybersecurity and data security.

NPOs 

NPOs will be subject to a cybersecurity review where they:

• conduct data processing activity that affects or may affect national security; or 
• hold personal information of more than one million users and plan to newly list their shares on foreign markets.

The New Measures do not define NPOs. “Data processing” is defined in the Data Security Law (“DSL”) to include the collection, storage, use, processing, transmission, provision and disclosure of data.

The CAC Q&A clarifies that an NPO should apply for a cybersecurity review prior to filing a listing application with a foreign securities regulator.

Assessment of risk to national security

The cybersecurity review process assesses the following factors to determine any potential national security risks:

• The risk that the use of products and services could bring about the illegal control of, interference with, or destruction of CII; 
• The harm to CII business continuity arising from product and service supply disruptions;
• The security, openness, transparency, and diversity of sources of products and services; the reliability of supply channels, as well as the risk of supply disruptions due to political, diplomatic, and trade factors;
• Product and service providers’ compliance with Chinese national laws, regulations, and department rules;
• The risk that core data, critical data or large amounts of personal information are stolen, leaked, damaged, or illegally used or illegally exported;
• The risk that CII, core data, important data, or large amounts of personal information are affected, controlled, or maliciously used by foreign governments due to listing overseas, as well as cybersecurity risks;
• Other factors that could harm CII security, cybersecurity and data security.

Procedure for cybersecurity review

The New Measures set out the procedure for cybersecurity review as follows:

• Upon application by a CIIO or an NPO for cybersecurity review, the CRO shall determine whether a review is needed. The CRO must notify the applicant in writing of its determination within 10 business days upon receiving all application materials.
• Where the CRO determines that a cybersecurity review is required, it must complete its preliminary within 30 business days of issuing written notice to the party, including providing preliminary conclusions to the Working Mechanism for their opinion. In cases involving complex situations, the review may be extended by an additional 15 working days.
• The members of the Working Mechanism shall provide the CRO with their opinions in writing within 15 business days upon receiving the preliminary conclusions. Where the members of the Working Mechanism are unable to reach a consensus, a special review procedure shall be triggered. The applicant will be notified of this instance.
• The special review procedure should generally be completed within 90 business days. If the situation at issue is complicated, the special review procedure can be extended. No time limit is specified.

Penalties for contravention

The New Measures stipulate that violation of its provisions will attract liability as set out in the CSL and the DSL.