Notwithstanding a lengthy consultation process that commenced in July 2015 when the first draft was published, the PRC Cybersecurity Law (CSL) suffers from significant gaps and ambiguities in practical implementation. Many commentators expected these shortcomings to be addressed through implementing rules issued before the CSL came into effect. The enforcement of many of its key provisions, such as the data localization requirement under Article 37 and the security review requirement under Article 35, depend on implementing measures. Yet, between November 1, 2016, when the CSL was promulgated, and June 1, 2017, when it entered into effect, mostly only draft measures addressing limited questions were issued.

The one exception was with respect to Article 35. The Measures for the Security Review of Network Products and Services (Trial Implementation) (网络产品和服务安全审查办法(试行) (Measures), setting out some details for the security review under Article 35, are the only implementing measures to have been issued to date in final form. The Measures were published by the Cyberspace Administration of China (CAC) in May and came into effect, together with the CSL, on June 1. They do not expressly refer to Article 35 but the language of the Measures permits the inference that they relate to and operate within the scope of Article 35.

Article 35 of the CSL requires operators of “critical information infrastructure” (关键信息基础设施) (CII) to complete a national security review when purchasing network products and services that “may affect national security”, but does not specify either the scope of or procedure for such review. The Measures provide some guidance on these issues but still leave significant ambiguity, due to both loose drafting and various key issues being expressly left to be determined. Significant additional guidance from the CAC and other government agencies will be required before a network operator can properly assess whether its network falls within the scope of the Measures and, if so, what specific products and services are subject to review—and how to go about completing that review.

Scope and definition of CII

While the drafting of the Measures is loose in this respect, it would appear that they ought to apply, as Article 35 of the CSL does, only to operators of networks falling within the scope of CII.