China Issues New Cybersecurity Review Measures

Jun 4, 2020

Reading Time : 3 min

Subjects and Applicants of the Cybersecurity Review:

Where the purchase of network products and services by an operator of critical information infrastructures (the “CII operator”) influences or may influence state security, a cybersecurity review shall be conducted pursuant to Article 2 of the Review Measures. According to the FAQ of the Review Measures (find the FAQ here in Chinese), the CII operator includes the operators of important networks and information systems in the fields of telecommunications, radio and television, energy, finance, road and water transportation, railways, civil aviation, postal services, water conservancy, emergency management, health and wellness, social security, defense technology industry, etc. According to Article 20 of the Review Measures, the governmental department for the protection of critical information infrastructures will finally identify the CII operator.

When purchasing network products or services, the CII operator shall consider whether potential state security risks may arise after the use of such products or services. If the state security can be affected or may be affected, the CII operator shall declare the procurement to the cybersecurity review office to conduct a cybersecurity review. The pre-judgment guideline for the CII operators may be formulated by the department for the protection of critical information infrastructures, and before the issuance of the pre-judgment guideline, the CII operator may at least consider the primary elements listed in Article 9 of the Review Measures for the cybersecurity review (details as provided below).

Additionally, the cybersecurity review office can conduct a review on the network products or services if the review office is concerned that they can influence or may influence state security, after getting the approval of the Central Cyberspace Affairs Commission.

The Scope of the Cybersecurity Review:

According to Article 20 of the Review Measures, the “network products and services” mainly refer to core network equipment, high-performance computers and servers, mass storage equipment, large databases and applications, network security equipment, cloud computing services and other network products and services that have an important impact on the security of critical information infrastructures.

Main Factors of the Cybersecurity Review:

According to Article 9 of the Review Measures, the state security risk will be the primary focus during a cybersecurity review, and the following factors are taken into consideration during the review:

(1) The risk of illegal control, interference or destruction of critical information infrastructures and the theft, leakage or destruction of important data that arises due to the use of the products or services.

(2) The harm caused by the disruption of the supply of products or services to the operation continuity of critical information infrastructures.

(3) The risk of the security, openness, transparency and diversity of sources of the products or services, the risk of the reliability of supply channels, as well as the risk of supply interruption due to politics, diplomacy, trade, etc.

(4) The compliance situations of the provider of products or services with Chinese laws, administrative regulations and departmental rules.

(5) Other factors which may endanger the safety of critical information infrastructures and state security.

Requirements on Relevant Contract Clauses:

According to Article 6 of the Review Measures, for procurement activities that are filed for the cybersecurity review, the relevant CII operator shall request the product and/or service providers to cooperate with the cybersecurity review, for example, committing to not illegally obtain user data and control or illegally operate user’s equipment, and to not interrupt supply or technical support service without justified reasons.

Timeline of the Cybersecurity Review:

The cybersecurity review office shall complete the preliminary review and send review conclusions and suggestions to the member authorities of the cybersecurity review mechanism and the relevant key information infrastructure protection government agencies (the “other related authorities”) within 30 working days from the date of issuing the written notice to the CII operator, and the review time may be extended by 15 working days if the situation is complicated.

The other related authorities shall provide their opinions in writing within 15 working days after they receive the review conclusions and suggestions from the cybersecurity review office. If the other related authorities reach a consensus, the cybersecurity review office will send the review conclusions to the CII operator in writing; if no consensus is reached, the office will notify the CII operator and review the case under a special review procedure. This special review procedure has not been issued with the Review Measures, which may be issued by the related governmental authority later or only established as an internal undisclosed review procedure of the review office.

Share This Insight

Previous Entries

Data Dive

March 3, 2025

On January 16, 2025, the Federal Trade Commission (FTC) issued a Final Rule updating the Children’s Online Privacy Protection (COPPA) Rule, significantly expanding compliance obligations for online services that collect, use, or disclose personal information from children under 13.1 The amendments impose new restrictions on targeted advertising, add data security requirements, refine parental consent mechanisms, and introduce additional compliance measures.

...

Read More

Data Dive

February 21, 2025

On January 8, 2025, the DOJ published a final rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

January 22, 2025

On January 17, 2025, days before the inauguration, former President Joe Biden issued an executive order titled Strengthening and Promoting Innovation in the Nation's Cybersecurity (EO 14144). Building on previous efforts, including Executive Order 14028, this directive seeks to bolster cybersecurity across federal systems, supply chains and critical infrastructure from adversarial nations, particularly from the People’s Republic of China (PRC).

...

Read More

Data Dive

January 10, 2025

UPDATE: The California Privacy Protection Agency (CPPA) has extended the deadline for submitting public comments from January 14 to February 19, 2025, in response to the recent California wildfires. This extension aims to afford stakeholders additional time to provide comprehensive and detailed feedback, considering the significant challenges posed by the wildfires.

...

Read More

Data Dive

November 25, 2024

Treasury has issued a Final Rule to implement President Biden’s 2023 EO targeting U.S. investments in Chinese companies engaged in certain activities related to semiconductors, quantum computing or AI.

...

Read More

Data Dive

November 19, 2024

The European Union’s AI Office published the inaugural General-Purpose AI Code of Practice on November 14, 2024. The Code is intended to assist providers of AI models in their preparations for compliance with the forthcoming EU AI Act, to be enforced from August 2, 2025. The Code is designed to be both forward-thinking and globally applicable, addressing the areas of transparency, risk evaluation, technical safeguards and governance. While adherence to the Code is not mandatory, it is anticipated to serve as a means of demonstrating compliance with the obligations under the EU AI Act. Following a consultation period that garnered approximately 430 responses, the AI Office will be empowered to apply these rules, with penalties for nonconformity potentially reaching 3% of worldwide turnover or €15 million. Three additional iterations of the Code are anticipated to be produced within the coming five months.

...

Read More

Data Dive

November 15, 2024

On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

October 17, 2024

During the course of any lending transaction, lenders will conduct a due diligence review of the borrower, including reviewing any relevant “know-your-customer” information.

...

Read More

© 2025 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.