China's new security review measures for critical information infrastructure operators
On 27 April 2020, the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT) and 10 other authorities jointly issued the Measures for Cybersecurity Review ('the measures'), which take effect on 1 June 2020.
The measures provide long-awaited 'clarity' on the designation of critical information infrastructure (CII) under China's cyber-security law and on the requirements for CII operators (CIIOs) when purchasing network products and services.
The measures were finalised and signed by all 12 authorities on 13 April but only officially announced on the CAC's website on 27 April, along with a media briefing, which you can find here.
Am I a CIIO?
China's cyber-security law itself, surprisingly, does not contain a definition of CII. But the CAC's cyberspace security strategy, released on 27 December 2016, defines 'critical information infrastructure' as 'information infrastructure that affects national security, the national economy and people's livelihoods, such that, if data is leaked, damaged or loses its functionality, national security and public interests may be seriously harmed'. Other measures and guidance propose both a sector test and a volume threshold test.
The media briefing confirms the CAC and MIIT joint Notice on Matters Related to the Safety Protection of Critical Information Infrastructure in stating that operators in the following sectors are liable to be designated as CIIOs:
- telecommunications, radio and television;
- national defence and defence technologies;
- public transportation, including highways, waterways, railways and civil aviation;
- public sanitary and public health;
- finance;
- social security insurance;
- energy;
- water conservancy;
- postal services; and
- emergency response.
In practice, all the available guidance on the designation of CII leaves very significant scope for interpretation and, therefore, for the application of discretion. We are aware that conversations with many Chinese and international companies, their sectoral regulators and the Ministry of Public Security have been taking place for some time regarding designation. The measures effectively acknowledge this and state that designation as a CIIO will be confirmed by the authorities (formally, the CAC).
So, the answer to the question of whether an organisation is a CIIO is… 'we'll be in touch'.
National security reviews
Article 35 of China's cyber-security law established a requirement for CIIOs to complete a national security review when purchasing network products and services that may impact upon national security.
The measures now establish a procedure and grounds for such reviews.
CIIOs will be required to apply for cyber security review before purchasing any of the types of network products and services the measures are concerned with. These include:
- core network devices;
- high-performance computers and servers;
- high-capacity storage devices;
- large-scale database software and relevant applications;
- cyber-security devices and services;
- cloud-computing services; and
- other products and services that impact on the security of the CII.
The review will focus on assessing the potential national security risks of the purchase of these products or services, taking into account the following factors:
- the risk of the CII being illegally controlled, interfered with or destroyed, and the risk of important data being stolen, leaked or damaged;
- whether supply disruption of such products and services will threaten the business continuity of CIIOs;
- the safety, openness, transparency, diversity and reliability of supply channels, and the risks of supply disruption due to political, diplomatic and trade reasons;
- whether the product and service providers are compliant with Chinese laws and regulations; and
- other factors that may jeopardise the security of the CII or national security.
The media briefing states that the purpose of the review is not to restrict the purchase of or to discriminate against foreign products and services.
When must a CIIO apply for review, and how long will it take?
The review will not, however, be mandatory or automatic. A CIIO will need to self-assess whether its use of the relevant network products or services may affect national security. No further guidance is given. The CAC will also have the power to mandate submission to a security review and to demand production of additional documentation.
The review may take between one and three months or even longer. It will follow various stages, with an initial clearance stage (10 working days) leading to preliminary review (30-45 working days) and a potential second stage review (45 working days) in complicated cases.
The review will be conducted by a cyber-security review office to be established within the CAC. Any purchase that goes to the second stage of review will need to be approved by the Central Cyberspace Affairs Commission.
What are the consequences if a CIIO fails to apply for review?
If CIIOs use network products or services that should have been reviewed without completing the review:
- the purchase contract will be voided in China (which will place risk on the vendor);
- the CIIO may be required to cease using the relevant products and services, and may be subject to a fine of up to 10 times the purchase price; and
- officers of the company may also be subject to personal liability in an amount up to RMB100,000 (around €13,000 or $14,100).
With many thanks to Zooey Chen for her work on this post (and finding the cartoon).