On 27 April 2020, the Cyberspace Administration of China ("CAC") and 11 other government agencies jointly issued the Cybersecurity Review Measures ("Measures"), which require technology products and services procured by critical information infrastructure ("CII") operators to undergo a cybersecurity review, if they present a risk to national security. The Measures sit under China's Cybersecurity Law ("CSL"), and are one of a host of guidelines and measures that have been issued by the Chinese government to provide further clarity on the application of the CSL.
The Measures came into effect on 1 June 2020 and replaced the Measures for Examining the Security of Network Products and Services (Trial) issued in 2017.
What do the Measures Require?
Under the Measures, any network products or services procured by a CII operator must be assessed by the CII operator to determine whether or not they "may" present a national security concern. If the answer is yes, then the CII operator must apply to the Cybersecurity Review Office ("CRO") for a cybersecurity review ("Review") to be conducted. These obligations apply regardless of whether the network products and services are provided by a domestic or foreign provider.
Separately, CII operators are also required to include provisions in their procurement contracts with network product or service suppliers, which:
- impose an obligation on the supplier to provide their cooperation with any Review;
- prohibit the supplier from illegally collecting users' personal information;
- prohibit the supplier from illegally controlling or manipulating any user's equipment; and
- prohibit the supplier from suspending the provision of any products or necessary technical support, without any justifiable reason.
However, no procurement contract can be executed by the CII operator until the Review is completed and the transaction is cleared.
What Network Services and Products are Covered?
Network services and products are broadly defined to include core network equipment, high-performance computers and servers, mass storage devices, large databases and application software, cybersecurity equipment, cloud computing services, and any other network products or services that may have a substantial impact on the security of CIIs.
What Entities are Classified as a CII Operator?
The definition of a CII operator remains broad and unclear. CII operators include entities in key sectors such as finance, transportation, utilities (e.g. energy and water), government and communications, and any other industries that the Chinese authorities identify as having the potential to cause serious damage to national security, national economy and people's livelihood and public interests in the event they suffer a security breach leading to any destruction or loss of function or data. Additional sectors have also been identified by the Chinese authorities as falling into the CII category, including media, e-commerce, e-payment, search engines, emails, blogs, cloud computing, enterprise systems and big data. However, the definition of CIIs (and therefore the operators who will be subject to the stringent obligations imposed on CII operators) still remains fluid. It is expected that sector-specific authorities will issue further guidance on which entities should be classified as a CII operator.
Procedure and Time Frame
When applying for a Review, CII operators should submit the following documents: (i) a completed declaration form; (ii) an analysis on the potential impact on national security; (iii) any procurement documents, agreements, contracts or other documents to be entered into; and (iv) any other materials that may be required for the Review. Upon receiving the application, the CRO will consider whether a Review is required and notify the CII operator of its decision within 10 working days. Where a Review is deemed to be necessary, the CRO will proceed to conduct a preliminary review which must be completed within the initial period of 30 working days from the date of written notification to the CII operator. This initial period may be extended for a further 15 working days, depending on the complexity of the situation.
After the CRO completes its initial assessment, it will provide its report to the relevant government agencies and industry-specific regulators for their opinion. Who these government agencies or industry-specific regulators are remains to be determined, as they are not expressly identified in the Measures. Such government agencies and industry-specific regulators must submit their opinions to the CRO within 15 working days. Where there are differing opinions, the CRO may invoke a special review procedure requiring an in-depth analysis of the risks. This special procedure may take a further 45 working days.
Assessment Criteria for the Review
According to the Measures, any Review conducted by the CRO should take into account the following key factors:
- the risk of illegal control over, interference of or destruction of CIIs and the risk of theft, disclosure or damage of critical data following the use of network products and services;
- business continuity concerns in relation to any disruption in the supply of network products and services to CIIs;
- the security, transparency, diversity of sources and reliability of supply chains, and the risk of supply chain disruption due to political, diplomatic or trade factors;
- the network product and service providers' compliance with Chinese laws, administrative regulations and department regulations; and
- any other factors that may threaten the safety of CIIs and/or national security.
If a CII operator or a network product or service provider believes that the outcome of a Review is unfair or fails to be impartial, or there has been a breach of confidentiality, then they may report the matter to the CRO or the relevant government department. However, it is unclear what further action will or can be taken by such entities.
Potential Implications for CII Operators and Suppliers
(I) BUSINESS CONCERNS
Foreign suppliers have expressed concern that the new Measures may adversely affect their competitiveness and ability to enter the Chinese market. From a national security perspective, foreign suppliers may be deemed to be of higher risk. CII operators may therefore favour the use of local suppliers to avoid any possible lengthy and cumbersome review if they use foreign suppliers, which may result in a delay in supply chain operations and increased business costs.
Multi-national companies operating in China who have negotiated supply chain agreements at a global level, may need to seek assurances from their supply chain regarding compliance with these Measures, or look at domestic options.
(II) PROTECTION OF IP AND CONFIDENTIAL INFORMATION
To assist with the Review, the Measures also require CII operators to provide the CRO and relevant government authorities with certain documents and information relating to the CII operator, its supplier and the relevant network services and products. The information may include sensitive or confidential corporate information, such as code reviews, deep product specifications and trade secrets. In order to protect such sensitive information, the Measures specifically require all trade secrets and intellectual property rights disclosed in the course of the Review to be strictly protected by the relevant government agencies and personnel involved. However, the concern still remains as to how strictly this obligation will be enforced.
Penalties for Violation
Any CII operator who violates the Measures will be penalised in accordance with the CSL and ordered to cease using the relevant network products or services. In particular, a fine of up to ten times the value of the procured network product or service may be imposed on the infringing CII operator, and a separate fine of up to RMB 100,000 may be imposed on the relevant persons in charge.
With the introduction of the Measures, CII operators procuring network products and services for use in China may have to re-examine their supply chain. They will need to expend upfront time and costs to carry out an initial assessment on the potential risks to national security. But how should this initial assessment be carried out? What factors should the CII operator take into account? Whilst the Measures touch on the procedure and factors to be considered in relation to the CRO's Review, limited guidance is provided to help CII operators carry out their initial assessment. At this point in time, CII operators may wish to err on the side of caution, until further guidance is provided by the relevant government authorities.
CII operators will need to predict their procurement needs well in advance, to allow for sufficient time to comply with the Measures.
Visit us at www.mayerbrownjsm.com
Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein. Please also read the JSM legal publications Disclaimer.