On April 27, the Cyberspace Administration of China ("CAC") and 11 other departments  jointly announced the promulgation of the Measures for Cybersecurity Review  (the "Measures"), which will come into effect on June 1, 2020 and replace the current Measures for Security Review of Network Products and Services (for Trial Implementation)  (the "Trial Measures").  The Measures aim to ensure the security of supply chains for critical information infrastructure (“CII”) and guarantee national security by prescribing a security review by the Cybersecurity Review Office (the "CRO") for certain network products and services purchased by CII operators.

Background The Measures were formulated on the basis of the National Security Law of the People’s Republic of China and the Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”).

In relevant part, the Cybersecurity Law requires CII operators to pass a security review where their procurement of network products or services affect or may affect national security. This requirement was initially implemented in 2017 through promulgation of the Trial Measures.

The Trial Measures present the basic framework for cybersecurity reviews, which is retained in the Measures. The Trial Measures emphasize reviewing the products and services based on their effect on national security notably through the lenses of “security” and “controllability,” two factors which have concerned the foreign business community due to their openness to interpretation and their potential to constitute technical barriers to trade. CAC issued a consultation draft of the Measures in May 2019 (the “Consultation Draft”) which, for purposes of cybersecurity reviews, emphasized national security and proposed to further refine the concept of “secure and controllable” for the products and services.

Possibly in response to such concerns, the Measures no longer use “secure and controllable” as a principle for review, while some of its underlying policy objectives are instead relegated to contractual undertakings between CII operators and providers of products or services. Compared with the Consultation Draft, we believe the Measures clarify the cybersecurity review process in three significant ways: (a) further easing the review criteria, focusing on protection of national security, CII security, and violations of Chinese law, (b) monitoring CII operation security and stability when using relevant products and services, and (c) specifically identifying certain types of network products and services that are subject to review.

Click here to read the entire article