
Knowledge Highlights 26 May 2023
Knowledge Highlights 2 March 2022
On 4 January 2022, the Cyberspace Administration of China (“CAC”), in conjunction with 12 other government departments, issued a revised version of the Cybersecurity Review Measures (“New Measures”). The CAC also issued answers to specific questions relating to the New Measures on 4 January 2022 (“CAC Q&A”). The CAC and the government departments involved are referred to collectively in the New Measures as the “cybersecurity review work mechanism” (“Working Mechanism”).
The requirement for cybersecurity review for activities conducted by critical information infrastructure operators (“CIIO”) involving the purchase of network products and services was first provided for in China’s Cybersecurity Law (“CSL”), which came into effect in 2017.
The New Measures expand the scope of business entities subject to a cybersecurity review to include network platform operators (“NPOs”) intending to engage in certain activities, such as applying for overseas listing.
Cybersecurity reviews are conducted by the Cybersecurity Review Office (“CRO”) within the CAC.
The New Measures took effect on 15 February 2022 and supersede the previous version.
This article provides an overview of the key highlights of the New Measures.
Activities that affect national security
CIIOs
CIIOs will be subject to a cybersecurity review upon purchase of network products and services, which affects or may affect national security.
The Regulations on the Security and Protection of Critical Information Infrastructure defines “CIIOs” as operators of information infrastructure in important industries and sectors, such as public communication and information services, energy, transport, water conservancy, finance, public services, e-government services, and national defence.
The “network products and services” mentioned in the New Measures primarily refer to core network equipment, important telecommunications products, high-performance computers and servers, large-capacity storage devices, large-scale databases and application software, cybersecurity equipment, cloud computing services, and other network products and services that have important influence on the security of critical information infrastructure (“CII”), cybersecurity and data security.
NPOs
NPOs will be subject to a cybersecurity review where they:
The New Measures do not define NPOs. “Data processing” is defined in the Data Security Law (“DSL”) to include the collection, storage, use, processing, transmission, provision and disclosure of data.
The CAC Q&A clarifies that an NPO should apply for a cybersecurity review prior to filing a listing application with a foreign securities regulator.
Assessment of risk to national security
The cybersecurity review process assesses the following factors to determine any potential national security risks:
Procedure for cybersecurity review
The New Measures set out the procedure for cybersecurity review as follows:
Penalties for contravention
The New Measures stipulate that violation of its provisions will attract liability as set out in the CSL and the DSL.