Cybersecurity Review Measures

网络安全审查办法

Product or service providers of critical information infrastructure operators are required to cooperate in cybersecurity reviews

Clp Reference: 5600/20.04.13 Promulgated: 2020-04-13 Effective: 2020-06-01

(Promulgated by the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection and the State Cryptography Administration on April 13, 2020 and effective as of June 1, 2020.)

(国家互联网信息办公室、国家发展和改革委员会、工业和信息化部、公安部、国家安全部、财政部、商务部、中国人民银行、国家市场监督管理总局、国家广播电视总局、国家保密局及国家密码管理局于二零二零年四月十三日公布,自二零二零年六月一日起施行。)

Order of the CAC and 11 other departments No.6

国家互联网信息办公室等十二部门令 第6号

Article 1:   These Measures have been formulated pursuant to the PRC National Security Law and the PRC Cybersecurity Law in order to ensure the security of the supply chain for critical information infrastructure and to safeguard national security.

第一条 为了确保关键信息基础设施供应链安全,维护国家安全,依据《中华人民共和国国家安全法》《中华人民共和国网络安全法》,制定本办法。

Article 2:   Where a critical information infrastructure operator (an Operator) procures a network product or service and the same would or could affect national security, it shall have a cybersecurity review conducted in accordance herewith.

第二条 关键信息基础设施运营者(以下简称运营者)采购网络产品和服务,影响或可能影响国家安全的,应当按照本办法进行网络安全审查。

Article 3:   Cybersecurity reviews adhere to combining the prevention of cybersecurity risks with the promotion of the application of advanced technologies, combining fair and transparent process with intellectual property protection, combining prior review with ongoing oversight and combining corporate undertaking with public scrutiny. Reviews shall be conducted on aspects such as the security of the product or service and the potential risks it poses to national security.

第三条 网络安全审查坚持防范网络安全风险与促进先进技术应用相结合、过程公正透明与知识产权保护相结合、事前审查与持续监管相结合、企业承诺与社会监督相结合,从产品和服务安全性、可能带来的国家安全风险等方面进行审查。

Article 4:   Under the leadership of the Central Cyberspace Affairs Commission, the Cyberspace Administration of China, in concert with the National Development and Reform Commission of the People's Republic of China, the Ministry of Industry and Information Technology of the People's Republic of China, the Ministry of Public Security of the People's Republic of China, the Ministry of State Security of the People's Republic of China, the Ministry of Finance of the People's Republic of China, the Ministry of Commerce of the People's Republic of China, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection and the State Cryptography Administration, shall establish a state cybersecurity review work mechanism.

第四条 在中央网络安全和信息化委员会领导下,国家互联网信息办公室会同中华人民共和国国家发展和改革委员会、中华人民共和国工业和信息化部、中华人民共和国公安部、中华人民共和国国家安全部、中华人民共和国财政部、中华人民共和国商务部、中国人民银行、国家市场监督管理总局、国家广播电视总局、国家保密局、国家密码管理局建立国家网络安全审查工作机制。

The Cybersecurity Review Office shall be established in the Cyberspace Administration of China, and be responsible for formulating relevant systems and codes for cybersecurity reviews and organizing cybersecurity reviews.

网络安全审查办公室设在国家互联网信息办公室,负责制定网络安全审查相关制度规范,组织网络安全审查。

Article 5:   An Operator procuring a network product or service shall pre-assess the risks it could pose to national security once it comes on line and is used.  If it would or could affect national security, the Operator shall make a filing for a cybersecurity review with the Cybersecurity Review Office.

第五条 运营者采购网络产品和服务的,应当预判该产品和服务投入使用后可能带来的国家安全风险。影响或者可能影响国家安全的,应当向网络安全审查办公室申报网络安全审查。

A department responsible for the work of protecting critical information infrastructure may formulate the pre-assessment guidelines for its industry or sector.

关键信息基础设施保护工作部门可以制定本行业、本领域预判指南。

Article 6:   With respect to a procurement activity for which a cybersecurity review filing is made, the Operator shall, by way of the procurement documents, agreement, etc., require the product or service provider to cooperate with the cybersecurity review, including undertaking to not unlawfully obtain user data and to not unlawfully control and manipulate user equipment by taking advantage of its provision of the product or service, and to not interrupt supply of the product or required technical support services without just cause.

第六条 对于申报网络安全审查的采购活动,运营者应通过采购文件、协议等要求产品和服务提供者配合网络安全审查,包括承诺不利用提供产品和服务的便利条件非法获取用户数据、非法控制和操纵用户设备,无正当理由不中断产品供应或必要的技术支持服务等。

Article 7:   When making a filing for a cybersecurity review, an Operator shall submit the following materials:

第七条 运营者申报网络安全审查,应当提交以下材料:

(1)  a written filing form;

(一)申报书;

(2)  a report analyzing the effect or potential effect on national security;

(二)关于影响或可能影响国家安全的分析报告;

(3)  the procurement documents, agreement, proposed contract, etc.; and

(三)采购文件、协议、拟签订的合同等;

(4) other documentation as required for the cybersecurity review work.

(四)网络安全审查工作需要的其他材料。

Article 8:   The Cybersecurity Review Office shall determine whether a review is required and notify the Operator thereof in writing within 10 working days from the date of receipt of the review filing materials.

第八条 网络安全审查办公室应当自收到审查申报材料起,10个工作日内确定是否需要审查并书面通知运营者。

Article 9:   A cybersecurity review shall focus on evaluating the risks to national security that the procured network product or service could engender, mainly taking into consideration the following factors:

第九条 网络安全审查重点评估采购网络产品和服务可能带来的国家安全风险,主要考虑以下因素:

(1)  the risk that the critical information infrastructure could be illegally controlled or suffer disruption or undermining, or that key data could be stolen, leaked or destroyed that could arise after use of the product or service;

(一)产品和服务使用后带来的关键信息基础设施被非法控制、遭受干扰或破坏,以及重要数据被窃取、泄露、毁损的风险;

(2)  the hazard that interruption of supply of the product or service could pose to the continuity of the business of the critical information infrastructure;

(二)产品和服务供应中断对关键信息基础设施业务连续性的危害;

(3)  the security, openness and transparency of the product or service, the diversity of the sources thereof, the reliability of the supply channel and the risks of the disruption of supply caused by political, foreign relations, trade and other such factors;

(三)产品和服务的安全性、开放性、透明性、来源的多样性,供应渠道的可靠性以及因为政治、外交、贸易等因素导致供应中断的风险;

(4)  the compliance with Chinese laws, administrative regulations and ministerial level rules and regulations by the product or service provider; and

(四)产品和服务提供者遵守中国法律、行政法规、部门规章情况;

(5)  other factors that could jeopardize the security of the critical information infrastructure or national security.

(五)其他可能危害关键信息基础设施安全和国家安全的因素。

Article 10:   If the Cybersecurity Review Office deems it necessary to conduct a cybersecurity review, it shall complete the preliminary review within 30 working days from the date on which it gave written notice to the Operator, including producing review conclusions and recommendations, and sending the same to the member entities of the cybersecurity review work mechanism and the department responsible for the work of protecting the relevant critical information infrastructure to seek their opinions; if the circumstances are complex, an extension of 15 working days may be accorded.

第十条 网络安全审查办公室认为需要开展网络安全审查的,应当自向运营者发出书面通知之日起30个工作日内完成初步审查,包括形成审查结论建议和将审查结论建议发送网络安全审查工作机制成员单位、相关关键信息基础设施保护工作部门征求意见;情况复杂的,可以延长15个工作日。

Article 11:   The member entities of the cybersecurity review work mechanism and the department responsible for the work of protecting the relevant critical information infrastructure shall give their response opinion in writing within 15 working days from the date of receipt of the review conclusions and recommendations.

第十一条 网络安全审查工作机制成员单位和相关关键信息基础设施保护工作部门应当自收到审查结论建议之日起15个工作日内书面回复意见。

If the opinions of the member entities of the cybersecurity review work mechanism and the department responsible for the work of protecting the relevant critical information infrastructure are consistent, the Cybersecurity Review Office shall notify the Operator of the review conclusions in writing. If their opinions are not consistent, the matter shall be handled by the special review procedure and the Operator shall be notified thereof.

网络安全审查工作机制成员单位、相关关键信息基础设施保护工作部门意见一致的,网络安全审查办公室以书面形式将审查结论通知运营者;意见不一致的,按照特别审查程序处理,并通知运营者。

Article 12:   Where the matter is handled by the special review procedure, the Cybersecurity Review Office shall listen to the opinions of relevant departments and entities, conduct an in-depth analytical evaluation, again produce review conclusions and recommendations, seek the opinions of the member entities of the cybersecurity review work mechanism and the department responsible for the work of protecting the relevant critical information infrastructure and, after securing the approval of the Central Cyberspace Affairs Commission by the procedure, produce the review conclusions and notify the Operator thereof in writing.

第十二条 按照特别审查程序处理的,网络安全审查办公室应当听取相关部门和单位意见,进行深入分析评估,再次形成审查结论建议,并征求网络安全审查工作机制成员单位和相关关键信息基础设施保护工作部门意见,按程序报中央网络安全和信息化委员会批准后,形成审查结论并书面通知运营者。

Article 13:   Generally, a special review procedure shall be completed within 45 working days, but if the circumstances are complex, such period may be appropriately extended.

第十三条 特别审查程序一般应当在45个工作日内完成,情况复杂的可以适当延长。

Article 14:   If the Cybersecurity Review Office requests the provision of supplementary materials, the Operator and product or service provider shall cooperate therewith. The time for submitting the supplementary materials shall not count toward the time for the review.

第十四条 网络安全审查办公室要求提供补充材料的,运营者、产品和服务提供者应当予以配合。提交补充材料的时间不计入审查时间。

Article 15:   If the member entities of the cybersecurity review work mechanism are of the opinion that the network product or service would or could affect national security, the Cybersecurity Review Office shall, after securing the approval of the Central Cyberspace Affairs Commission by the procedure, conduct a review in accordance herewith.

第十五条 网络安全审查工作机制成员单位认为影响或可能影响国家安全的网络产品和服务,由网络安全审查办公室按程序报中央网络安全和信息化委员会批准后,依照本办法的规定进行审查。

Article 16:   The relevant organizations and personnel that participate in a cybersecurity review shall strictly protect corporate trade secrets and intellectual property and bear an obligation of confidentiality in respect of the non-public materials submitted by the Operator and product or service provider, as well as other non-public materials to which they were privy in the course of the review. Without the consent of the information provider, they may not disclose such materials to an outsider or use the same for a purpose other than the review.

第十六条 参与网络安全审查的相关机构和人员应严格保护企业商业秘密和知识产权,对运营者、产品和服务提供者提交的未公开材料,以及审查工作中获悉的其他未公开信息承担保密义务;未经信息提供方同意,不得向无关方披露或用于审查以外的目的。

Article 17:   If the Operator or network product or service provider is of the opinion that the reviewers lacked objectivity and impartiality or failed to bear their obligation of confidentiality in respect of the information to which they were privy in the course of the review, it may report the same to the Cybersecurity Review Office or relevant department.

第十七条 运营者或网络产品和服务提供者认为审查人员有失客观公正,或未能对审查工作中获悉的信息承担保密义务的,可以向网络安全审查办公室或者有关部门举报。

Article 18:   The Operator shall procure the performance by the product or service provider of the undertakings it gave in the course of the cybersecurity review.

第十八条 运营者应当督促产品和服务提供者履行网络安全审查中作出的承诺。

The Cybersecurity Review Office shall strengthen its ex-ante, interim and ex-post monitoring by means such as accepting tip-offs.

网络安全审查办公室通过接受举报等形式加强事前事中事后监督。

Article 19:   If an Operator violates these Measures, the matter shall be handled in accordance with Article 65 of the PRC Cybersecurity Law.

第十九条 运营者违反本办法规定的,依照《中华人民共和国网络安全法》第六十五条的规定处理。

Article 20:   For the purposes of these Measures, the term "critical information infrastructure operator" means an operator recognized by the department responsible for the work of protecting the critical information infrastructure.

第二十条 本办法中关键信息基础设施运营者是指经关键信息基础设施保护工作部门认定的运营者。

For the purposes of these Measures, the term "network product or service" mainly refers to core network equipment, high-performance computers and servers, large-capacity storage equipment, large databases and application software, network security equipment, cloud computing services, and other network products and services that have a major impact on the security of critical information infrastructure.

本办法所称网络产品和服务主要指核心网络设备、高性能计算机和服务器、大容量存储设备、大型数据库和应用软件、网络安全设备、云计算服务,以及其他对关键信息基础设施安全有重要影响的网络产品和服务。

Article 21:   Where state secret information is involved, matters shall be handled in accordance with relevant state confidentiality provisions.

第二十一条 涉及国家秘密信息的,依照国家有关保密规定执行。

Article 22:   These Measures shall be effective as of June 1, 2020.  The Measures for Security Reviews of Network Products and Services (Trial Implementation) shall be repealed simultaneously.

第二十二条 本办法自2020年6月1日起实施,《网络产品和服务安全审查办法(试行)》同时废止。
