China Publishes New Measure on Cybersecurity Review of Network Products and Services

The new measure, which will come into effect on June 1, 2020, will potentially affect operators of critical information infrastructures as well as their domestic and overseas suppliers. Affected companies should now take preparatory steps, including conducting a self-assessment and reexamining their procurement agreements.

The Cyberspace Administration of China (CAC), along with 11 other government authorities[1], jointly released the final version of the Measure on Cybersecurity Review (the Measure) on April 27, to set up a government cybersecurity review system targeting network products and services used by operators of critical information infrastructures (CII). The review system is designed to implement the cybersecurity review requirements previously imposed by the National Security Law (2015) and the China Cybersecurity Law (2017) to detect and eliminate the potential cybersecurity risks in the supply chain of the CII operators and thus to safeguard the national security. The Measure is set to come into effect on June 1, 2020 and will replace the previously released Trial Measures on the Security Review of Network Products and Services (2017) and Draft Measure on Cybersecurity Review (2019).

The cybersecurity review system outlined in the Measure will potentially affect both CII operators and their domestic and overseas suppliers of IT and network products and services. This LawFlash introduces the key provisions in the Measure and provides recommendations for affected companies in China.

Application Scope

The Measure applies the cybersecurity review to CII operators  whose procurement of network products and services affects or may affect China’s national security.

CII is broadly defined under the China Cybersecurity Law (CSL) as “an infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, national welfare or the livelihoods of the people, or the public interest.” The CSL and its associated regulations[2] provide non-exhaustive examples of the definition, including network operators in the areas of public communications, information services, energy, transportation, water utilities, finance, public services, egovernment, telecommunications, radio and television, postal services, emergency management, health, social security, and national defense technology industry.

Companies in these sectors may be included in such a broad definition if regulators decide that any data leakage or malfunction of such companies’ network systems may affect national security, national welfare, or the people’s livelihood and public interest. Therefore, companies that fall under these sectors should conduct further analysis to determine whether they are subject to the cybersecurity review requirements.

Highlights of the Cybersecurity Review

• Two-step procedures: The Measure specifies a two-step review process. First, before executing a procurement agreement, the CII operator should conduct a self-assessment to predict the national security risks associated with the use of the network products or services. Second, if the self-assessment flags national security risks, the CII operator should submit the required documents, including procurement agreements and risk assessment report, to the CAC for a cybersecurity review. Notably, the Measure gives the CAC the discretion to initiate a cybersecurity review without CII operators’ application, if the relevant industry regulator believes the network products or services used by CII operators affect or may affect national security.

• Timeline: The procedure normally will wind up within 45-60 working days but may take three months or more in complicated cases, where a special review process will be triggered.

• Review criteria: The following factors will be taken into consideration during the cybersecurity review: (i) if the risk arising from the use of the network products or services will cause CII operators to be unlawfully manipulated, interfered or destroyed, or lead to the leak, loss, or damage of important data; (ii) if there will be continuous damages to CII’s business due to supply disruptions of the products or services; (iii) the security, openness, transparency and diversity of sources, reliability of supply channels, and any risk of supply disruptions resulting from “political, diplomatic, and trade” factors; and (iv) if the product or service provider is in compliance with Chinese regulations. In addition to these four factors, the Measures also provide a catch-all provision covering all other situations that could endanger CII security and national security. Based on this catch-all provision, it seems that the CAC will have ample discretion in determining potential risks in a particular procurement.

Legal Implications

• Legal liabilities of CII operators: The CII operator that fails to conduct the cybersecurity review will be subject to liabilities under Article 65 of the CSL, under which the CII operator will be ordered by the competent authority to stop using the network products or services in question and be subject to a fine equivalent to more than one but less than 10 times the purchase price. In addition, the management directly in charge and other directly liable persons will be subject to a fine ranging from RMB 10,000 to RMB 100,000 (approximately $1,413 to $14,132).

• Obligations for suppliers: Although most of the obligations of the cybersecurity review are imposed on CII operators, certain obligations will extend via the CII operators to the product or service providers. For example, the Measure requires that the CII operators specify in the procurement agreements that the supplier is obligated to provide cooperation for the cybersecurity review, including making a commitment not to (i) illegally collect users’ data, or illegally control or manipulate users’ equipment via the supplied network products and services, or (ii) interrupt the supply of products or necessary technical support services without justified reasons.

Recommendations

Companies can mitigate their risks associated with the cybersecurity review by planning ahead and starting the following preparation work.

• Conduct a self-assessment. Companies operating in China, especially those in manufacturing, finance, medical, food, healthcare, telecommunications, energy, and transportation sectors should conduct a self-assessment on whether they are considered CII operators. IT and tech vendors that supply network products and services to customers in these sectors should also evaluate whether their customers are CII operators, which may cause the procurement of network products and services to be affected by the cybersecurity review.

• Reexamine and revise the procurement agreements. Companies affected by the cybersecurity review should reexamine and revise their procurement agreements to include the required clauses.

• Seek legal advice. Although the Measure provides a specific clause preventing the review authorities from unauthorized disclosure of trade secrets and intellectual properties they receive, companies may still have concerns for their confidential information when conducting the cybersecurity review. Companies should seek legal advice before acting, in order to minimize the exposure of their confidential information to the review authorities.

Conclusion

The release of the Measure marks a critical step forward in the implementation of the cybersecurity review and demonstrates the Chinese government’s ongoing commitment to safeguarding the network supply chains of CII operators. However, the Measure leaves some areas blank for the development of further legislation. For example, the self-assessment guidelines to be used for predicting the cybersecurity risks are to be formulated by the competent authorities, and the specific scope of the CII operators is awaiting further clarification. These pending issues will increase the uncertainties for companies that desire a clear path forward with respect to compliance with the cybersecurity review. We will continue to closely monitor developments in these areas and will keep you informed.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Shanghai
Todd Liao
K. Lesli Ligorner
Sylvia Hu