Measures on Security review of Network Products m88 bonus Services

The Cyberspace Administration of China (“CAC”) formally adopted the Measures on Security Review of Network Products m88 bonus Services (Trial for Implementation) (“Measures”) on May 2, 2017, the first m88 bonus an important ancillary regulation of the Cybersecurity Law (“CSL”). The Measures will become effective simultaneously with the Cybersecurity Law on June 1, 2017.

CAC released a draft of the Measures in February of this year allowing for one-month public comment. While the finalized version is not substantially different from the draft, its applicable scope has been narrowed m88 bonus minor adjustments have been made to the focus of the review, as briefly summarized below.

I.Legal Hierarchy m88 bonus Legal Basis

Unlike two other regulations issued by CAC on the same day of the Measures¹, the Measures was issued in the form of a normative document (规范性文件) rather than a departmental regulation (部门规章). The title of trial for implementation of the Measures m88 bonus its lower legal hierarchy may reflect the authority’s explorative m88 bonus experimental attitude towards regulation of the subject matter. The Measures is based on Article 59 of the National Security Law which calls for the establishment of a national security review on network information technology products m88 bonus services concerning national security, m88 bonus Article 35 of the CSL which provides that the procurement of network products m88 bonus services by critical information infrastructure operators must pass a national security review organized by CAC in conjunction with the relevant departments of the State Council.

II.Scope of Products m88 bonus Services Subject to Review

Two criteria apply to products m88 bonus services subject to national security review: (a) “important products m88 bonus services” m88 bonus (b) “such products m88 bonus services are used in information system concerning national security” (Article 2). Questions remain as to what types of products m88 bonus services are considered “important”, m88 bonus what types of information systems are considered “concerning national security” (on this point, “concerning public interest” in the original draft has been removed in the final version).

Specifically speaking, the Measures provides that “the procurement of network products m88 bonus services by operators in public communication m88 bonus information services, energy, transportation, hydraulic, finance, public services, e-government m88 bonus other key industries m88 bonus sections, m88 bonus operators of other critical information infrastructure which may affect national security shall pass cybersecurity review,” m88 bonus the relevant critical information infrastructure (“CII”) protection authority shall determine whether or not certain products m88 bonus services affect national security. Such a provision reiterates the requirements under the CSL yet offers large discretion to CAC m88 bonus the relevant industrial regulatory authorities when determining the specific scope of products m88 bonus services subject to cybersecurity review.

III.Authorities m88 bonus Entities Responsible for the Review

The security review is steered by regulatory authorities m88 bonus involves societal participation.

• Cybersecurity Review Committee

A cybersecurity review committee is to be established by the CAC with other regulatory authorities to review m88 bonus deliberate major policies relating to cybersecurity reviews, organize cybersecurity review activities m88 bonus coordinate major issues in this area (Article 5).

• Cybersecurity Review Office

A cybersecurity review office is to be established to organize m88 bonus implement cybersecurity review. The Measures does not explicitly provide how the office will be set up (Article 5).

• Cybersecurity Review Experts Committee

The cybersecurity review committee will engage relevant experts to form a cybersecurity review experts committee who will conduct an overall evaluation on the security risk of network products m88 bonus services m88 bonus the security m88 bonus reliability of their providers on the basis of a third party evaluation (Article 6).

• Industrial Regulatory Authorities

Industrial regulatory authorities shall organize cybersecurity reviews in key industries m88 bonus sectors regulated by them (Article 9). However, the specific division of responsibilities between the industrial regulatory authorities, CAC m88 bonus the cybersecurity review committee remains to be seen in practice.

• Third Party Review Institutions

The cybersecurity review introduces third party evaluations which are to be carried out by third party review institutions certified by the State (Article 7). The Measures does not yet specify the qualification process for such third party review institutions.

IV.Criteria of Review

The focus of a cybersecurity review is on the security m88 bonus controllability of network products m88 bonus services, which largely includes the following risks:

the security risk contained in the products m88 bonus services m88 bonus the relating to them to be illegally controlled, disrupted m88 bonus interrupted;

the risk relating to the security of supply chains in the manufacturing, testing, delivering m88 bonus technical support process of the products m88 bonus their key components;

the risk that product m88 bonus service providers utilize the convenience of providing products m88 bonus services to illegally collect, store, process m88 bonus use a user’s information;

the risk that a provider abuses a user’s reliance on a product m88 bonus/or service to endanger the user’s interests or cybersecurity; m88 bonus

other risks may endanger national security m88 bonus public interest (Article 4).

The risks listed above are high level points m88 bonus a number of questions remain such as (a) how to review early stages of the supply chain such as manufacturing m88 bonus testing, (b) whether foreign shareholding backgrounds of products m88 bonus services should be considered, m88 bonus (c) what constitutes “jeopardizing users’ interest”.

V.Ongoing Supervision

The cybersecurity review under the Measures is a multi-dimensional m88 bonus ongoing process comprising of a lab-test, an onsite inspection, online monitoring m88 bonus a background investigation. The cybersecurity review focuses on the security m88 bonus controllability of network products m88 bonus services. It may be launched either by the cybersecurity review office in accordance with the relevant national rules or upon the advice of national industrial associations m88 bonus user feedback. The dynamic nature of the review reflects the general trend of regulatory development moving from ex-ante permit to ex-post supervision. However, the practical implications of ongoing supervision remains to be seen.

VI.Our Observation

In general, the final Measures remain high level m88 bonus general in nature. The Measures leave a number of outstm88 bonusing issues such as the specific scope of entities, the products m88 bonus services subject to the security review, the organization of new authorities to be created in charge of the review, the certification of third party evaluation institutions, m88 bonus the review procedures m88 bonus the specific review criteria, which may be specified in policies m88 bonus stm88 bonusards to be formulated by the relevant authorities m88 bonus stm88 bonusardization institutions. It is anticipated that a new review system will gradually be introduced to deal with the outstm88 bonusing issues mentioned above m88 bonus all these new developments are worthy being followed up.

1. The Provisions on Administration of Internet News Information Services m88 bonus the Provisions on Administrative Enforcement Procedures of Internet Information Content Administration.