Cybersecurity Review Measures

网络安全审查办法

Product or service providers of critical information infrastructure operators are required to cooperate in cybersecurity reviews

CLP Reference: 5600/20.04.13; Promulgated: 2020-04-13; Effective: 2020-06-01

(Promulgated by the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection and the State Cryptography Administration on April 13, 2020 and effective as of June 1, 2020.)

 

Order No. 6 of the CAC and 11 other departments

Article 1:   These Measures have been formulated pursuant to the PRC National Security Law and the PRC Cybersecurity Law in order to ensure the security of the supply chain for critical information infrastructure and to safeguard national security.

Article 2:   Where a critical information infrastructure operator (an Operator) procures a network product or service and the same would or could affect national security, it shall have a cybersecurity review conducted in accordance herewith.

Article 3:   Cybersecurity reviews adhere to combining the prevention of cybersecurity risks with the promotion of the application of advanced technologies, combining fair and transparent process with intellectual property protection, combining prior review with ongoing oversight and combining corporate undertaking with public scrutiny. Reviews shall be conducted on aspects such as the security of the product or service and the potential risks it poses to national security.

Article 4:   Under the leadership of the Central Cyberspace Affairs Commission, the Cyberspace Administration of China, in concert with the National Development and Reform Commission of the People's Republic of China, the Ministry of Industry and Information Technology of the People's Republic of China, the Ministry of Public Security of the People's Republic of China, the Ministry of State Security of the People's Republic of China, the Ministry of Finance of the People's Republic of China, the Ministry of Commerce of the People's Republic of China, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection and the State Cryptography Administration, shall establish a state cybersecurity review work mechanism.

The Cybersecurity Review Office shall be established in the Cyberspace Administration of China, and be responsible for formulating relevant systems and codes for cybersecurity reviews and organizing cybersecurity reviews.

Article 5:   An Operator procuring a network product or service shall pre-assess the risks it could pose to national security once it comes on line and is used.  If it would or could affect national security, the Operator shall make a filing for a cybersecurity review with the Cybersecurity Review Office.

A department responsible for the work of protecting critical information infrastructure may formulate the pre-assessment guidelines for its industry or sector.

Article 6:   With respect to a procurement activity for which a cybersecurity review filing is made, the Operator shall, by way of the procurement documents, agreement, etc., require the product or service provider to cooperate with the cybersecurity review, including undertaking to not unlawfully obtain user data and to not unlawfully control and manipulate user equipment by taking advantage of its provision of the product or service, and to not interrupt supply of the product or required technical support services without just cause.

Article 7:   When making a filing for a cybersecurity review, an Operator shall submit the following materials:

(1)  a written filing form;

(2)  a report analyzing the effect or potential effect on national security;

(3)  the procurement documents, agreement, proposed contract, etc.; and

(4) other documentation as required for the cybersecurity review work.

Article 8:   The Cybersecurity Review Office shall determine whether a review is required and notify the Operator thereof in writing within 10 working days from the date of receipt of the review filing materials.

Article 9:   A cybersecurity review shall focus on evaluating the risks to national security that the procured network product or service could engender, mainly taking into consideration the following factors:

(1)  the risk that the critical information infrastructure could be illegally controlled or suffer disruption or undermining, or that key data could be stolen, leaked or destroyed that could arise after use of the product or service;

(2)  the hazard that interruption of supply of the product or service could pose to the continuity of the business of the critical information infrastructure;

(3)  the security, openness and transparency of the product or service, the diversity of the sources thereof, the reliability of the supply channel and the risks of the disruption of supply caused by political, foreign relations, trade and other such factors;

(4)  the compliance with Chinese laws, administrative regulations and ministerial level rules and regulations by the product or service provider; and

(5)  other factors that could jeopardize the security of the critical information infrastructure or national security.

Article 10:   If the Cybersecurity Review Office deems it necessary to conduct a cybersecurity review, it shall complete the preliminary review within 30 working days from the date on which it gave written notice to the Operator, including producing review conclusions and recommendations, and sending the same to the member entities of the cybersecurity review work mechanism and the department responsible for the work of protecting the relevant critical information infrastructure to seek their opinions; if the circumstances are complex, an extension of 15 working days may be accorded.

Article 11:   The member entities of the cybersecurity review work mechanism and the department responsible for the work of protecting the relevant critical information infrastructure shall give their response opinion in writing within 15 working days from the date of receipt of the review conclusions and recommendations.

If the opinions of the member entities of the cybersecurity review work mechanism and the department responsible for the work of protecting the relevant critical information infrastructure are consistent, the Cybersecurity Review Office shall notify the Operator of the review conclusions in writing. If their opinions are not consistent, the matter shall be handled by the special review procedure and the Operator shall be notified thereof.

Article 12:   Where the matter is handled by the special review procedure, the Cybersecurity Review Office shall listen to the opinions of relevant departments and entities, conduct an in-depth analytical evaluation, again produce review conclusions and recommendations, seek the opinions of the member entities of the cybersecurity review work mechanism and the department responsible for the work of protecting the relevant critical information infrastructure and, after securing the approval of the Central Cyberspace Affairs Commission by the procedure, produce the review conclusions and notify the Operator thereof in writing.

Article 13:   Generally, a special review procedure shall be completed within 45 working days, but if the circumstances are complex, such period may be appropriately extended.

Article 14:   If the Cybersecurity Review Office requests the provision of supplementary materials, the Operator and product or service provider shall cooperate therewith. The time for submitting the supplementary materials shall not count toward the time for the review.

Article 15:   If the member entities of the cybersecurity review work mechanism are of the opinion that the network product or service would or could affect national security, the Cybersecurity Review Office shall, after securing the approval of the Central Cyberspace Affairs Commission by the procedure, conduct a review in accordance herewith.

Article 16:   The relevant organizations and personnel that participate in a cybersecurity review shall strictly protect corporate trade secrets and intellectual property and bear an obligation of confidentiality in respect of the non-public materials submitted by the Operator and product or service provider, as well as other non-public materials to which they were privy in the course of the review. Without the consent of the information provider, they may not disclose such materials to an outsider or use the same for a purpose other than the review.

Article 17:   If the Operator or network product or service provider is of the opinion that the reviewers lacked objectivity and impartiality or failed to bear their obligation of confidentiality in respect of the information to which they were privy in the course of the review, it may report the same to the Cybersecurity Review Office or relevant department.

Article 18:   The Operator shall procure the performance by the product or service provider of the undertakings it gave in the course of the cybersecurity review.

The Cybersecurity Review Office shall strengthen its ex-ante, interim and ex-post monitoring by means such as accepting tip-offs.

Article 19:   If an Operator violates these Measures, the matter shall be handled in accordance with Article 65 of the PRC Cybersecurity Law.

Article 20:   For the purposes of these Measures, the term "critical information infrastructure operator" means an operator recognized by the department responsible for the work of protecting the critical information infrastructure.

For the purposes of these Measures, the term "network product or service" mainly refers to core network equipment, high-performance computers and servers, large-capacity storage equipment, large databases and application software, network security equipment, cloud computing services, and other network products and services that have a major impact on the security of critical information infrastructure.

Article 21:   Where state secret information is involved, matters shall be handled in accordance with relevant state confidentiality provisions.

Article 22:   These Measures shall be effective as of June 1, 2020.  The Measures for Security Reviews of Network Products and Services (Trial Implementation) shall be repealed simultaneously.

