China releases draft review rules for cybersecurity products

March 09, 2017 | By Katherine Jo

China has drafted measures for the review and approval of online security products used by key network operators, but businesses need more clarity

By Katherine Jo

The Chinese government drove home its intention to regulate cybersecurity last month, following up its most sweeping legislation yet with draft guidelines for reviewing and approving network security products and services used by operators of “critical information infrastructure” (CII).

The Cyberspace Administration of China (CAC)'s Measures for Security Reviews of Network Products and Services (Draft for Comments) (the Draft) sets out some general review criteria and names the government bodies that will oversee the process.

This comes while the industry is still awaiting clarity on the PRC Cybersecurity Law, which was released in November and comes into effect in June. The law requires network operators of CII to store key personal data and important data within the country.

“Apart from the rules surrounding the collection, use, and cross-border transfer of data, which companies will be categorized as CII operators in the first place remains the biggest issue,” said David Tang, a Shanghai-based corporate compliance partner at Han Kun Law Offices. “For those that are targeted, the main concern then is how complex and drawn out the security review procedure will be and how that is going to impact their business.”

Clients in older and traditional sectors wanting to develop digital infrastructure for electric vehicles or other data-driven products, for instance, as well as those in new and emerging industries using cross-border cloud services and collecting customer data in China, all have expressed concern about the potential coverage of CII and being captured by the assessment requirement, Tang said. (This feature explains the broad and growing definition of CII.)

Review focus areas

Article 4 of the Draft sets out four areas of focus for the assessment of network security products and services, plus one catch-all (“other risks of jeopardizing national security and public interest”). It includes checking for:

1. Risk of unauthorized control, interference and interruption of the operation of the product or service.

2. Risks in R&D, delivery and technical support of the product or its key components.

3. Risk of the product or service being used by its provider to illegally collect, store, process and utilize user information through the product or service.

4. Risk that the product or service provider may be able to take advantage of a user's reliance on the product or service to engage in unfair competition or acts that can harm the user's interest.

The first point looks out for any areas of vulnerability to hacking, infection or undesired external or remote control or access.

The second may be aimed at identifying software back doors or code deliberately installed during the development of the product or service in order to allow data extraction or remote operation; at whether the product or service was thoroughly screened and tested; and at whether any encryption/decryption keys, software or trade secrets were leaked or became known outside the organization during the development of the technology, according to a Hogan Lovells briefing. Technical support may refer to whether the product or service relies on remote or overseas support, which could be a concern for foreign tech suppliers, the report said.

The third echoes provisions in existing data protection regulations that impose penalties for the illicit gathering and use of personal information.

The fourth brings in elements of antitrust and consumer protection that have led several lawyers to question its direct relevance to cybersecurity in the review process. “The fact that this folds in abuse of dominance issues and market principles hints that this is as much about trade as it is about national or cyber security,” Mark Parsons, a TMT partner at Hogan Lovells in Hong Kong, told China Law & Practice. “Further, on a global scale, geopolitical tensions, particularly with the new U.S. administration, may have added to the uncertainty in policy—the Cybersecurity Law comes into force in just three months and people are still waiting for clarity on a number of areas,” he added.

Review process

The Draft mentions several agencies that will administer the assessment process. The CAC, together with other departments, will establish a National Security Review Committee that will coordinate and conduct network security-related policy reviews. The Network Security Review Office implements the review: it will hire experts and third-party evaluators to assess the risks of submitted network security products and services, and will consult with other authorities, national trade associations and the market.

“One problem with this approach of appointing experts is that it has the potential to influence procurement decisions in China,” said Parsons. “Tech neutrality should be a key part of trade regulations and there are industry concerns this could be used as a tool for protectionism and favoritism for specific companies.”

It isn't clear who will be on the list of experts, and worries over conflicts of interest, and over the risk of going up against regulatory bodies that have traditionally been less open to foreign investment, may also arise.

Foreign players squeezed out?

Lawyers on the ground say they already see international companies resorting to adopting Chinese technology. While neither the Cybersecurity Law nor the Draft explicitly differentiates between foreign and domestic products or services, regulators may feel more comfortable with those that are PRC-owned (or at least Sino-foreign joint ventures).

These risks have led some foreign service providers, such as eDiscovery and cloud vendors, to create Chinese versions of their technology.

But not every company is in a position to do that, Parsons said. “Global IT majors may certainly be equipped to do so, but most players won't be able to suddenly switch on a separate version tailored to the PRC, which takes significant investment and time.”

The biggest remaining question is whether passing the review certification would involve divulging source code and other key or sensitive intellectual property to the government. This is another reason some multinational companies may prefer to offer non-front-line or a limited range of products in China, to mitigate the risk of disclosing know-how and the technology's “crown jewels”, according to the Hogan Lovells alert.

Companies clearly captured by the scope, such as foreign banks in China, are in the process of preparing to submit their products and services for review while waiting for more detailed rules, said Han Kun's Tang. “They don't have a choice,” he added.

“Secure and controllable”

Key industry authorities, such as regulators for the banking, telecommunications, healthcare and energy sectors, are responsible for reviews concerning their respective sectors.

The China Banking Regulatory Commission (CBRC) issued guidelines back in 2014 that explicitly required financial institutions to implement “secure and controllable” network security standards and to share source code with the government.

The CBRC subsequently granted waivers to certain banks following an industry backlash, but now that the Cybersecurity Law has taken the front seat and the general intentions behind its security assessments have been released, it's unclear whether there will be a phase-out period or arrangement for the sector, said Tang.
