Innovations & New Developments of Cybersecurity Review Measures
On 27 April 2020, the Cyberspace Administration of China ("CAC"), in conjunction with 11 other government agencies, jointly issued the Cybersecurity Review Measures ("Review Measures"). The Review Measures to be implemented as of 1 June 2020 will replace the Measures for the Security Review of Network Products and Services (for Trial Implementation) (“Trial Measures"). The Review Measures stipulate the scope of application, reporting procedures, evaluation factors, compliance works (in particular for the protection of the rights and interests of operators of critical information infrastructure ("CIIOs") and product and service providers), legal responsibilities, etc. in relation to the cybersecurity review, which portends that China's cybersecurity review has entered a new stage.
The Review Measures are well worth attention from CIIOs and relevant network product and service providers.
"Throughout the world, it has long been an international trend and common practice to conduct cybersecurity review."[1] However, the establishment, composition, procedure design, and other aspects of the cybersecurity review regime vary from country to country. The joint working mechanism of multiple agencies established in the Review Measures will help break down the industrial and technical barriers of critical information infrastructure ("CII") to promote consensus on CII protection. Different requirements imposed on CIIOs and network product and service providers are also conducive to defining their respective duties and obligations under the cybersecurity review regime. From the joint working of regulatory authorities to the cooperation of different market entities, it could well be seen that cybersecurity, in particular, protection of CII, requires concerted and coordinated efforts to maintain a safe network ecosystem.
This article will review the history of the cybersecurity review regime in China, summarize the framework and procedures of the cybersecurity review system determined by the Review Measures, and, based on the comparison with the cybersecurity review regime overseas and the previous Cybersecurity Review Measures (Draft for Comments) ("Draft Review Measures"), discuss how the new cybersecurity review mechanism will provide guidance for relevant market players and industry practice.
I. History of cybersecurity review regime
The Cybersecurity Law issued in 2016 established the security review mechanism for network products and services (the "cybersecurity review").
However, the cybersecurity review mechanism in China can be traced back to the Two Session's proposal on "Establishing the Information Security Review Mechanism" in 2013.[2] During the period of 2013 to 2016, China released a number of laws, regulations and policies which showed the state’s close attention to the construction of cybersecurity review mechanism.[3]
Before the Cybersecurity Law officially took effect in 2017, the CAC had issued the Trial Measures on 2 May of the same year in order to enable the initial implementation of the cybersecurity review mechanism (for details of the Trial Measures, please see"Building an Institutional Framework for Cybersecurity Review --- Understanding the Measures for Security Review of Network Products and Services (for trial implementation) " 画龙画虎先画骨——解读<网络产品和服务安全审查办法(试行)>.)
With the implementation of the Cybersecurity Law, the emergence of CII security issues and the growing experience in the cybersecurity review regime, in May 2019, the CAC, together with the National Development and Reform Commission, the Ministry of Industry and Information Technology ("MIIT"), the Ministry of Public Security, the Ministry of State Security and other seven government agencies, jointly issued the Draft Review Measures (for details of the Draft Review Measures, please see "A Brief Analysis of Cybersecurity Review Measures (Draft for Comments) 千淘万漉虽辛苦,吹尽狂沙始到金 ——<网络安全审查办法(征求意见稿)>简析 ), and finally released the recent Review Measures (please see below the summary of relevant laws, regulations and legislative policies of China's cybersecurity review mechanism).
II. Framework and Procedures of the Cybersecurity Review Mechanism
Pursuant to the Review Measures and other relevant laws, regulations and guidelines, we summarize the framework of cybersecurity review mechanism as follows:
Meanwhile, the Review Measures also refine the cybersecurity review procedures established in the 2019 Draft Review Measures. We hereby summarize the updated cybersecurity review process as follows:
In addition to the application for cybersecurity review by CIIOs in accordance with the above procedures, member units of the cybersecurity review mechanism may also initiate "proactive review" of network products and services that affect or may affect national security.[6]
III. Major Amendments and Highlights of the Review Measures
Compared with the Draft Review Measures issued in 2019, this official version of the Review Measures make adjustments in various aspects including the practice of CIIOs' risk prejudgment, the compliance requirements for the contents of supplier agreement, the scope of confidentiality obligations of review agencies and their personnel. In addition, the Review Measures also change the focus regarding the specific contents to be reviewed.
1. Establish a multi-department joint working mechanism to promote the connection between security review and industrial regulation
Currently, the security reviews in other countries are mostly led by the communications department, but there are also examples of multi-department joint review. For instance, the national security review in the US is undertaken by the Committee on Foreign Investment, which is composed of nine departments including Department of the Treasury and Department of Justice, and is responsible for organizing investigations. Similarly, the cybersecurity review in Russia is led by the Ministry of Industry and Trade, who will consult with the Federal Security Bureau and the Committee of State Security for decision review and assessment.
As shown in the above framework, the Review Measures establish a national cybersecurity review mechanism under the unified leadership of the Central Cyberspace Affairs Commission with close collaboration between CAC and 11 other important national ministries and agencies such as the Ministry of Public Security and the Ministry of State Security. Under the review mechanism, after the Cybersecurity Review Office completes the preliminary review, it will send relevant conclusions and advice to all member units thereunder and relevant CII protection departments. A final decision will then be reached on the basis of unified confirmation from relevant units and departments. In this way, a multi-departments' joint supervision for CIIOs, i.e. the security review mechanism, is formed on the premise of a multi-department joint working mechanism for cybersecurity review being in place.
Security review requirements for CIIOs' purchase of network products and services can also been found among various industries. For instance, the Cryptography Law provides that where CIIOs’ procurement of network products and services involve commercial cryptography and may affect national security, such CIIOs shall go through a national security review organized by relevant departments.[7] We understand that the legislative logic and purpose of aforementioned requirement are basically the same as those of the cybersecurity review mechanism. Therefore, the security assessment conducted by unit members in industries and the cybersecurity review may intersect and the multi-department joint working mechanism will help all departments to reach a consensus on CII protection, while at the same time provide easy channel for application and assessment of the cybersecurity review of CIIOs to some extent.
2. CIIOs may decide whether to apply for cybersecurity review based on industrial guidelines
Adhering to the idea of the Draft Review Measures, the Review Measures confirm that the application and review procedures for cybersecurity review do not apply unconditionally to the procurement of network products and services by any CIIOs. Article 5 thereof provides that the CIIOs, at the time of procuring network product or service, shall prejudge the potential risks such product or service may bring to national security after being in use; and when CIIOs believe that such product or service will affect or is likely to affect national security, they shall file an application for cybersecurity review.
It is noteworthy that Para 2 of Article 5 thereof specifies that CII protection departments may formulate prejudgment guidelines for their respective industries and fields. This means that such prejudgment guidelines will serve as a strong guidance for CIIOs'prejudgment of risks, and the formulation of prejudgment guidelines for certain industries and fields also reflects the recognition and respect for their particularity in the Review Measures. Such prejudgment guidelines will facilitate the connection with the CII identification mechanism, and, to a certain extent, eliminate the foregoing concern that "there are technical barriers between cybersecurity review and industry practice" which may leave CIIOs in a dilemma in practice.
Certainly, it takes time to formulate prejudgment guidelines for certain industries and fields, and the effectiveness and guiding role of such guidelines in practice await further observation upon formulation.
3. Cybersecurity review becomes the prerequisite for validation of the procurement contract
In addition, the Review Measures provide additional requirements for the contents, execution and performance of the procurement contract, the Review Measures and relevant Q&A by CAC officials make clear that CIIOs shall apply for cybersecurity review prior to signing the official contract with product and service providers, or they shall set the approval of cybersecurity review as the prerequisite for the contract validation. Meanwhile, with regard to procurement activities for which a cybersecurity review is applied, the CIIOs need to set out the obligation of product and service providers to cooperate during the cybersecurity review via procurement documents and agreements, [8] and to submit the procurement documents, agreements and contracts to be signed when applying for the cybersecurity review. [9] After passing the cybersecurity review, CIIOs also have the obligation to urge product and service providers to fulfil their commitments made during the cybersecurity review. [10]
On the one hand, the above provisions are helpful to materialize the security role of the cybersecurity review in the procurement of products and services by CIIOs, and to avoid conflicts between the agreement and the cybersecurity review that would diminish the actual role of the cybersecurity review or render it useless. On the other hand, the review of procurement contracts, agreements and other documents is also conducive to the reasonable allocation of responsibilities and obligations concerning cybersecurity between CIIOs and product and service providers, and indirectly to secure the supply chain of CII operations at all stages by contractually binding suppliers of products and services to the operator.
4. Focus of the Cybersecurity Review: Safeguarding National Security as the Core While Adhering to the Technology Neutrality.
Factors other than technology may generally be taken into account in the cybersecurity reviews by different countries. For example, according to the Executive Order on Securing the Information and Communications Technology and Services Supply Chain issued by the United States last year, the authority would consider whether "the transaction involves information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary"[11] during cybersecurity review. Transactions involving or Usages of foreign information technology and services that may pose a special threat to the national security, foreign policy, and economy of the United States would be prohibited.[12]
The Review Measures exclude "the influence on technologies and industries relating to national defence, military industry and CII", "whether the product and service provider is funded or controlled by foreign governments"[13] and other non-technical factors related to politics, diplomacy and trade environment from the key evaluation factors of cybersecurity review. As reiterated by the responsible person of the CAC in the Press Conference on the Review Measures, opening-up is a basic national policy of China,[14] such revision mainly reflects a shift of focus of the cybersecurity review. In another word, in addition to safeguarding national security, the cybersecurity review would pay more attention to the substantive contents of products and services now.
In addition, as indicated by Article 9 (III) of the Review Measures, the factors of the cybersecurity review include: "safety, openness, transparency, and diversity of sources of the product or service, reliability of supply channels, and risks of supply interruption as a result of political, diplomatic, trade or any other factor". The supply chain security, as the focus of the security review, will be comprehensively reviewed regarding the aspects of product and service sources, supply channels, service delivery methods, service attributes and impacts of other non-technical factors on the supply chain.
However, it should also be noted that the review factors aforementioned are still directional requirements at a high level and detailed guidelines are needed to provide a clearer instruction. More time will be needed to observe how to balance among all the factors during the review and what criteria would be taken under certain factors in practice.
5. Clarification on the scope of confidentiality obligations of the agency and its personnel
Pursuant to Article 15 of the 2019 Draft Review Measures, the agency and its personnel are legally bound by the general confidentiality obligations which prohibiting them from using the information obtained from the cybersecurity review for other purposes. The Review Measures further refine and clarify the scope of the confidentiality obligations of the agency and its personnel. To be specific, the agency and its personnel are obliged to keep the trade secrets, intellectual property information, and other non-public information of the CIIOs, as well as those of the product and service providers, confidential.[15] With regard to the disclosure of materials, in addition to the restrictions on the purpose of review described in the 2019 Draft Review Measures, the Review Measures introduce an additional requirement that relevant materials shall not be disclosed to unrelated parties without the consent of the providers, with a view to providing a more comprehensive protection of the rights and interests of enterprises.
6. Anticipation to More Detailed Implementing Rules In Future
The Review Measures specify the basic procedure of and requirements for the cybersecurity review. However, in practical implementation, detailed implementing rules have yet to be introduced, for the purposes of responding to the practical questions and providing more accurate guidance. For example, considering that the Review Measures have not set up channels for appeal against review decisions, it is unclear that whether the CIIOs may raise an objection on reasonable grounds if failing the review.
May the providers of network products and services, as stakeholders, also have the right to appeal? In addition, further explanation on the issues such as CIIO identification, pre-judgment guidelines for the relevant industries and fields by the competent agencies for CII protection, and the scope of network products and services that shall abide by the Review Measures are also needed.
IV. Impact of the Review Measures on relevant enterprises
For CIIOs, the Review Measures' establishment of multi-agency joint working mechanism will help promote the interactions between the cybersecurity review and industrial supervisions. The CIIOs might also be relieved from the burden caused by the multiple declaration on the cybersecurity reviews to both the CAC and industrial regulatory authorities.
However, it should be noted that the CIIOs may also be faced with some new obligations and legal liability accordingly. For example, the CIIOs are obliged to make pre-judgment decision on whether to declare the cybersecurity review and supervise the subsequent fulfilment of commitments by product and service providers after the cybersecurity review. In particular, considering that the guidelines on the scope of CIIOs and the specific types of procurement of network products and services required to be declared have not been issued yet, the CIIOs may have difficulty in accurately identifying thresholds and timing for declaration.
Therefore, we advise the Operators in certain important industries and fields, including but not limited to public communication and information service, energy, transportation, water conservancy, finance, public service and e-government, to:
(1) Communicate closely and confirm whether the operator would be recognized as CIIO with the industry regulatory agency;
(2) Communicate closely and confirm whether the procurement of certain network products and services shall be declared for a cybersecurity review with the CAC and the agencies responsible for the CII protection;
(3) Establish an internal review mechanism for cybersecurity and service procurement, including but not limited to:
(a) conduct pre-review assessment on the security qualifications of network product and service providers;
(b) improve the purchase agreements with the network product and service providers, stipulating the obligations of the providers to cooperate in the cybersecurity review and the liabilities for breach of contract that shall be borne by the providers for failure in complying with the commitments made during the cybersecurity review; and
(c) agree on the CIIO's entitlement to conduct irregular and random inspection and monitoring of performance of commitments made by the network product and service providers in the cybersecurity review, or to require the provider to submit reports on performance of such commitments on a regular basis.
Considering that the cybersecurity review is a prerequisite for the signing or the effectiveness of the procurement contracts, network product and service providers may be faced with an increasing uncertainty, and the time period between the conclusion and entry into force of the agreement might be prolonged. For providers who may provide network products and services to the CIIOs, it is recommended to:
(1) Categorize potential client groups and prepare the cybersecurity review in advance in accordance with the industries the clients belong to, so as to communicate with the competent agencies of different industries in a targeted way;
(2) Fully communicate with the clients who may be engaged in key sensitive industries to find out whether they have been or might be identified as CIIOs, and keep communication on the subsequent identification results if any.
(3) Conduct internal review in advance on the factors that may be considered in the cybersecurity review, and form a preliminary conclusion if a large portion of the clients of the providers might be recognized as CIIOs.
(4) Cooperate with the launch of the cybersecurity review, and fulfil the commitments to the CIIOs in accordance with the results of the internal review, including not illegally obtaining user data when providing products and services to the CIIOs, illegally controlling and manipulating user equipment, or refusing to provide product supply or necessary technical support services without justifiable reasons.
Generally speaking, the Review Measures build an overall implementation framework of the national cybersecurity review system. It is convinced that with the introduction of detailed implementing rules in the future, the cybersecurity reviews will have a profound impact on the daily operation, maintenance and procurement activities of CIIOs.
Therefore, it is recommended that CIIOs and network product and service providers should pay close attention to the relevant legislative developments, and carefully assess and determine the possibility of being subject to the Review Measures and the influence thereafter. CIIOs and network product and service providers shall also respond to the requirements of policies and regulations in a timely manner and pursue the best business choices on the basis of compliance.
Related Link(s):
同道而相益,同心而共济—— 《网络安全审查办法》的创新与变化
[1] Cybersecurity Review Mechanism of Different Countries and Case Analysis [EB/OL]. http://www.cac.gov.cn/2015-04/17/c_1114990146.htm. Issued on 17 April 2015. Last visited on 28 April 2020.
[2] Article 35 of the Cybersecurity Law provides that any purchase of network products and services by the operator of critical information infrastructure that may threaten national security is subject to the national security review conducted by the CAC together with competent departments of the State Council.
[3] Ma Ning, The Connotation and Regime of the State Cybersecurity Review [J]. Secrecy Science and Technology, 2017(02):12-16.
[4] Cyber Administration of China, National Development and Reform Commission, Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, Ministry of Commerce, Ministry of Finance, the People's Bank of China, State Administration for Market Regulation, National Radio and Television Administration, National Administration of State Secrets Protection, and State Cryptography Administration
[5] Id.
[6] Article 15 of the Review Measures provide: "Where any member unit of the cybersecurity review mechanism believes that the network product or service affects or may affect national security, the Cybersecurity Review Office shall, in accordance with relevant procedures, report the case to the Central Cyberspace Affairs Commission for approval, and then conduct the review in accordance with this Measures."
[7] Para 2, Article 27 of the Cryptography Law provides: "Where CIIOs procure network products and services involving commercial cryptography which may affect national security, they shall go through a national security review organized by the state cyberspace administration in concert with the state cryptography administration and other relevant authorities in accordance with the Cybersecurity Law of the People’s Republic of China."
[8] Article 6 of the Review Measures.
[9] Article 7 of the Review Measures.
[10] Article 18 of the Review Measures.
[11] Section 1 (a) (i) of the Executive Order on Securing the Information and Communications Technology and Services Supply Chain.
[12] Cybersecurity Law Research Centre of the Third Research Institute of Ministry of Public Security. Chinese translation of the Executive Order on Securing the Information and Communications Technology and Services Supply Chain. https://www.secrss.com/articles/10721. Issued on 16 May 2019; last visited on 28 April 2020.
[13] Article 10 of the Draft Review Measures.
[14] Q&A for the Cybersecurity Review Measures [EB/OL]. https://mp.weixin.qq.com/s/yzhiqTvfi107cir2zpMkdw. Issued on 27 April 2020; last visited on 28 April 2020.
[15] Article 16 of the Review Measures.
Authors
Susan Ning
Partner
Compliance Group
susan.ning@cn.kwm.com
Susan Ning’s main areas of practice include antitrust and competition law, and cybersecurity and data compliance. In the field of antitrust, she mainly provides services including antitrust undertaking concentration declarations, responding to antitrust administrative investigation, antitrust law compliance consultation and antitrust litigation. Prior to the enactment of the AML in 2008, Ms. Ning took a very active role in assisting and consulting with the Chinese Government on the drafting of the AML. Since the enactment of the AML, she continued to be actively involved in drafting regulations, measures for implementation and guidelines accompanying the AML. In the areas of cybersecurity and data compliance, she has advised on data compliance due diligence, risk assessment and compliance system construction for a large number of well-known domestic and foreign enterprises. As one of the pioneers engaged in the cybersecurity and data compliance sector, Ms. Ning has extensive experience in providing clients with cybersecurity and data compliance legal services.
Wu Han
Partner
Compliance Group
wuhan@cn.kwm.com
Mr. Wu Han specializes in cybersecurity and data compliance. He has assisted clients in establishing and revising privacy policy and compliance plans, designing plans for the cross-border transfer of data, formulating data commercialization compliance plans, conducting data compliance programs (including personal data protection), self-reviewing a company’s cybersecurity and data protection practice, establishing the business and compliance framework for data infusion, constructing enterprise data asset systems, and conducting internal trainings of cybersecurity and data compliance. Mr. Wu has extensive experience in providing cybersecurity and data compliance advice to multinational companies’ offices in China in terms of China’s compliance requirements. In addition, Mr. Wu is also experienced in constructing data compliance system in line with the regulations in multi-jurisdictions (such as the EU and the US) for Chinese companies operating in foreign countries. He issues in a wide spectrum of industries, including finance, insurance, data risk control, ride-hailing service platform, aviation, consumer electronics, internet advertising, automobile and e-commerce.
Jiang Ke
Partner
Compliance Group
jiangke@cn.kwm.com
Mr. Jiang Ke specializes in regulatory compliance in the fields of technology, telecommunication, cybersecurity and data compliance. He had been working in KWM for ten years, and prior to re-joining KWM, he acted as an in-house counsel to support the product and operation compliance, digital and cybersecurity projects of Amazon Web Services and BMW Group in China. Jiang Ke is experienced in advising various technology, automotive, cloud services and internet companies on compliance issues in their relevant fields, and is able to integrate the leading experience in enterprise supervision with cyber and information technology. Mr. Jiang provides innovative and integrated solutions in major and complex deals, receiving wide acclaim from clients.
Li Yuanshan
Managing Associate
Compliance Group
Lucia Liu
Legal Assistant
Compliance Group
Zhang Lejian
Legal Assistant
Compliance Group
金杜网络安全与数据合规团队文章
相关文章链接
Links of Related Articles
人工智能:
AI与大数据的“理想城”:智慧城市合规的基础要点 2020-02
2020年“AI”应有大爱 2020-01
人工智能系列之人脸识别信息的内涵与合规难题 2019-11
数据合规:
问答精选-解读《个人金融信息技术保护规范》2020-02
解读《信息安全技术 个人信息告知同意指南(征求意见稿)》2020-02
疫情防控 | 数据资源流转与公开 2020-02
疫情防控|同舟共济——不同场景下健康医疗数据流转的合规路径 2020-02
宜未雨而绸缪——企业上市关注的重点数据合规问题 2020-01
“数”年快乐——万字长文说“数据融合” 2020-01
平安夜里说平安——“数据资产”的误区与合规条件 2019-12
按图索骥——图示移动APP个人信息保护的重点 2019-11
大一统而慎始也——新型信用监管机制问答 2019-10
竹杖芒鞋轻胜马:医疗大数据发展和合规管理并重 2019-09
星光奉献给长夜——儿童个人信息保护的亮点和启示 2019-08
投资出行领域,数据是金矿还是烫手山芋?2019-07
Development Of PrcRegulations On Cross Border Data Transfer 2019-06
数据监管新要求,电子商务法时代跨境电商将走向何方? 2018-11
你的“饼干”安全吗?——Cookie 与个人信息保护 2018-08
“明者因时而变,知者随事而制” ——《个人信息安全规范》实务探讨 2018-02
谨于言而慎于行:互联网信息内容服务管理新规出台 2017-08
No “Data”, No “Internet of Vehicles” 2017-07
布局“自动驾驶”:此时不为,更待何时?2017-07
Putting an “Invisibility Cloak” over Personal Information —— A discussion on “invisible waybills” introduced by express industry 2017-07
图解“车联网” 2017-06
无“数据”,怎“车联”?——“车联网”数据类核心业务法律监管刍议 2017-05
为个人信息披上一件“隐形衣”——从快递行业推行“隐形面单”说开去 2017-05
欲善其事,先利其器——解读《互联网信息内容管理行政执法程序规定》 2017-05
你的数据,能不能走出国门? 2017-04
中国推进个人信息保护 2017-04
2017年,大数据合规离我们有多远? 2017-01
隔耳有“墙”——从美国FCC新规则谈个人信息保护新趋势 2016-12
个人信息保护的百万罚单时代来了? 2016-11
网络安全:
“柳暗花明又一村”——金融产业链的困局及破局思路 2020-03
“云深不知处”——企业远程办公的网络安全常见问题及建议 2020-02
“管中窥豹”——《生物安全法》前瞻及现行生物安全相关监管体系回顾 2020-02
博观而约取,厚积而薄发:《密码法》要点评析及企业合规路径 2019-11
亡羊补牢未为迟:如何应对网络安全勒索事件 2019-06
“欲穷千里目,更上一层楼”——国际新形势下的等保2.0 2019-05
叶上初生并蒂莲——最新出台的《电子商务法》与《网络安全法》之比较 2018-09
《网安法》生效后不得不知的N件大事 2017-08
“新”电信业务办法:更简、更活、更规范 2017-07
必将婴城固守,皆为金城汤池——看《关键信息基础设施安全保护条例(征求意见稿)》 2017-07
Petya来袭,网络安全事件应急预案正当其时 2017-07
图解安全评估流程——互联网业务安全不可因“新”而废“管” 2017-06
《网络安全法》及其部分配套规定今起实施 2017-06
“一带一路”背景下中国企业境外并购的网络安全和数据合规问题 2017-06
十三五“新常态”下企业营商的合规挑战 2017-05
开启互联网新闻监管新时代——《互联网新闻信息服务管理规定》述评 2017-05
画龙画虎先画骨 ——解读《网络产品和服务安全审查办法(试行)》 2017-05
热点解读:网信办连续颁布三项重磅新规 2017-05
感谢关注金杜研究院