On April 27, 2020, twelve Chinese government departments led by the Cyberspace Administration of China (CAC)1 jointly promulgated the Measures for Cybersecurity Review (the “Measures”) effective June 1, 2020 under the joint letterhead of the Party’s Central Cyberspace Affairs Commission and CAC.
The Measures, consisting of 22 articles, were promulgated under the authority of the National Security Law and the Cyber Security Law to implement Articles 35 and 59 of the latter statute which established a cybersecurity review requirement on network products and services procured by operators of critical information infrastructure (“CII”) which bears upon national security.
What do the Measures regulate?
The Measures require that CII operators conduct an assessment of potential national security risk exposure prior to procurement of network products or services. If it is determined based on such assessment that the products or services to be procured present potential national security concerns, the CII operator must apply to CAC’s Cybersecurity Examination Office (CEO) for a cybersecurity review.
As such, the Measures impose an obligation on CII operators to apply for a cybersecurity review when they intend to procure network products and services which present or may present a national security concern (Article 2). The term “may present” is not subject to a reasonableness qualifier which increases the likelihood that the scope of application of the Measures will be broadly construed.
Who are CII operators?
As with the Cyber Security Law, the Measures do not define CII operator clearly.
The Cyber Security Law has a broader definition of “critical information infrastructure” (关键信息基础设施) which generally refers to key information infrastructure which if destroyed, disabled, or leaks data may seriously endanger national security, national welfare or the public interest.
CAC in 2019 promulgated the Guidelines on the Determination of Critical Information Infrastructure (关键信息基础设施确定指南) which set out in some detail the process for determining CII and include a non-exhaustive list of key industrial sectors or businesses that would constitute CII. The non-exhaustive list includes such sectors as public communications and information service, energy, water conservation, finance, public service and e-government affairs, public news networks, Party and government networks and public service platforms, networks (including online payment, online purchase and social media) which affect a large segment of the general public (e.g., 1 million or more daily visits and 10 million or more registered users), banking and other financial institutions, medical institutions, large-scale data centers, and cloud service platforms.
Moreover, in a press interview following the promulgation of the Measures, CAC officials stated that important network operators in telecommunications, broadcasting, energy, finance, water and land transportation, railway, civil aviation, postal services, hydraulic engineering, emergency management, hygiene and health management, societal protection and national defense technology, when procuring network products or services, should consider applying beforehand for cybersecurity review.
Given the restrictions on foreign investment in strategic industrial sectors in China, the majority of CII operators are presumably Chinese domestically-invested organizations and entities, including private companies which operate important information infrastructure as well as government agencies, Party organizations, and central as well as some local State-owned enterprises (SOEs). However, some foreign-invested enterprises in China operating important industrial facilities may also be deemed CII operators.
What are the obligations of CII operators under the Measures?
CII operators are required under the Measures to conduct a pre-assessment/determination as to whether the network products/services to be procured present or may present potential national security concerns. If yes, CII operators will be obligated to submit an application to the CEO for a cybersecurity review before undertaking the procurement of such products and services (Article 2).
If procurement activities involve network products or services subject to a cybersecurity review, CII operators are required to include in the procurement documents or agreements clear requirements that potential suppliers must cooperate in the cybersecurity review and undertake not to engage in such conduct as theft or illegal control of user data or manipulation of customer equipment through the products/services which they supply or to cut off or disrupt the supply of relevant products or technologies without justifiable reason (Article 6).
When applying for cybersecurity review, CII operators are required to submit a report assessing potential national security impact and concerns together with relevant procurement materials and agreements (Article 7).
What do “network products and services” cover?
The Measures define “network products and services” to include core network equipment, high performance computers and servers, large capacity storage equipment, large database and application software, network security equipment, cloud computing services, and other network products and services which are important parts of CII (Article 20).
How do CII operators conduct a self-assessment to determine whether products/services have a national security bearing and are thus subject to review?
The Measures do not provide clear guidance in this regard, nor do the Measures define the scope of national security.
The lack of detailed guidelines to guide CII operators through the self-assessment process will likely subject the underlying procurement transactions to greater uncertainty until more detailed measures are promulgated. To avoid risks, CII operators will likely take a more conservative approach in the procurement process and apply the cybersecurity review requirement to a broader range of network products and services. This may disrupt transactions between CII operators and their suppliers over a wider range of products/services.
When should CII operators submit a cybersecurity review application?
Applications for review are required to be submitted prior to the execution of relevant procurement contracts or, if the parties intend to enter into relevant procurement contracts, such contracts must contain clauses conditioning the effectiveness of the contracts upon completion of the cybersecurity review.
This essentially means that the underlying products and services cannot be procured until the cybersecurity review is concluded and clears the transaction.
Who is in charge of the cybersecurity review?
The Measures provides that an application for a cybersecurity review will be submitted to CEO for review and examination (Article 4). The China Cybersecurity Review Technology and Certification Center (CCRC) under the State Administration for Market Regulation, one of the twelve government departments, will be responsible for technical assessment and certification. The Measures further provide that after CEO completes its initial review, it will solicit comments from other government agencies which constitute the cybersecurity review and CII protection work mechanism (Article 10). While the Measures do not clearly specify the identity of these agencies, we would anticipate that they include the departments which jointly promulgated the Measures as well as the regulators of relevant industrial sectors implicated in the application.
As such, while CEO is the government agency charged with responsibility for handling cybersecurity reviews, it will likely serve a coordinating role. The real decision-making process is likely to be a consensus building process among key government agencies and industry regulators of relevant industrial sectors.
What does the cybersecurity review entail?
Under the Measures, the cybersecurity review will focus on national security risk exposure, including risks of illegal control, interruption or sabotage of CII after the use of relevant products or services, risks of theft, leakage or damage of important data; potential damage to continuing operation of CII facilities due to disruptions to products/services; and safety, transparency, and reliability of supply chains (risks of disruption to supply due to political, diplomatic or trade reasons). Supply chain security has now formally been included in cybersecurity review.
Therefore, the review will focus not only on national security and data leakage concerns, but also on supply chain security concerns. Supply chain security has become a key concern of Chinese government and industries in recent years given bilateral trade frictions with the US and the US government’s continuing efforts to tighten its control over the export of critical technologies to China. Thus, cybersecurity review will likely further the decoupling between China and the US.
In this connection, we note that the Ministry of Commerce, another of the twelve departments, in mid-2019 announced that China would introduce an “Unreliable Entity List” regime under which foreign entities or individuals which boycott or cut off supplies to Chinese companies for noncommercial purposes, causing serious damage to Chinese companies, may be listed as “Unreliable Entities” subject to legal action.
The announcement was widely viewed as retaliation by the Chinese government in response to the US government’s inclusion of Huawei Technologies in its “Entity List.” While the introduction of the “Unreliable Entity List” regime has been on hold since the US and Chinese governments reached the Phase One Agreement in January 2020, China has threatened on multiple occasions to retaliate if foreign companies cut off supplies to Chinese companies for political or other non-commercial reasons.
We note in this regard that the U.S. Department of Commerce on May 15 added such items as semiconductor designs, when produced by Huawei and its affiliates on the Entity List (e.g., HiSilicon), that are the direct product of certain U.S. Commerce Control List (CCL) software and technology; and such items as chipsets, when produced from the design specifications of Huawei or an affiliate on the Entity List (e.g., HiSilicon), that are the direct product of certain CCL semiconductor manufacturing equipment located outside the United States to the requirement for an export license under the Bureau of Industrial Security’s Entity List.2
In response to the U.S. government’s latest ban on Huawei, Global Times, China’s state media, published on May 17 an article3 titled “Huawei ban drags China, US into tech cold war” claiming “the latest US ban on Chinese high-tech firm Huawei Technologies has officially dragged the two countries, which have seen bilateral ties sour amid the ongoing coronavirus pandemic, into a prolonged cold war in the tech sector…” According to this article, as part of the countermeasures, China may put certain US companies on its “unreliable entity list,” imposing restrictions on or launching investigations into US companies such as Qualcomm, Cisco and Apple in accordance with Chinese laws such as the Cybersecurity Review Measures and Anti-monopoly Law, and suspending the purchase of Boeing airplanes and others.
How long does the review process take?
Applicants are required to submit the following documents for a cybersecurity review: (a) an application letter; (b) an assessment report on potential national security implications; (c) procurement materials, contracts or agreements; (d) other materials as requested by CEO (Article 7). CEO under Article 8 has 10 working days after receipt of an application to determine whether a review is warranted. If a cybersecurity review is warranted, CEO is required to complete an initial review within 30 working days after receipt of an application (Article 9). The initial review may be extended for an additional 15 working days for complicated matters (Article 10). Based on experience with reviews in such other matters as merger reviews, the duration may be extended if an application is deemed unsuitable for review when submitted.
Relevant government agencies and industrial regulators are generally required to submit their opinions within 15 working days after receipt of CEO’s initial report and suggestions (Article 11). If all government agencies agree with CEO’s initial report and suggestions, CEO will complete the phase-one review and notify the applicant of the outcome in writing within 45-60 working days.
If relevant government agencies have different opinions, the application will undergo a “phase-two review” which will take an additional 45 working days, subject to further extensions for complicated matters (Article 13). During the phase-two review, the government will conduct a deeper analysis of the risks of the underlying products/services and also undertake a consensus building process among different agencies involved in the review (Article 12).
As such, if a cybersecurity review is warranted, the process will take at least 45-60 working days for a phase-one review and, if the application requires a phase-two review, at least another 45 working days. In practice, applicants may hesitate to undergo a phase-two review under Article 13.
What are the penalties for violation of the Measures?
CII operators which fail to conduct a cybersecurity review otherwise required or which use products or services that have failed a required cybersecurity review in accordance with the Measures may be penalized pursuant to Article 65 of the Cyber Security Law. Penalties include an order to discontinue use of the products and services, a fine of 1-10 times the procurement value, and a fine of RMB10,000 to RMB100,000 imposed on the responsible individuals in the CII operator.
What are the implications of the Measures for foreign companies doing business in China?
In a press interview following the promulgation of the Measures, the CAC officials stated that the Measures are focused on cybersecurity protection, are not intended to discriminate against or restrict foreign products or services, and China will continue to welcome foreign products and services.
While the Measures are not formally intended to discriminate against foreign products and services, the promulgation of the Measures will have a significant impact on foreign companies that supply network products or services to CII operators in China. In this sense, the Measures may have an impact on such foreign companies comparable to that threatened against the providers of technology to banks and insurance companies under the Notice on the Guidelines for Promotion of Applications in Banking of Secure and Controllable Information Technology (2014-2015) (“CBRC Notice 317”)) and the draft Rules on the Supervision of the Adoption of Information Technology by Insurance Institutions (2015) which China formally walked back under pressure from the United States and other governments. Both the banking and insurance industries are subject to regulation by the People’s Bank of China, another of the twelve departments, under the Measures.
In this connection, we would recommend that foreign companies doing business in China consider the following:
- Carefully assess whether your customers in China are CII operators and whether the network products/services supplied to your customers fall under the definition of network products/services under the Measures or relate to industrial sectors specifically mentioned by CAC.
- Take into account the timeline for the transaction. If the products/services supplied are subject to a cybersecurity review, the completion of a sales transaction will be delayed to allow for the additional time needed for the review, which may take several months. The risk that the transaction will not close should be taken into account.
- In addition to the adoption of relevant security measures to protect the underlying products and services from the risks of data leakage, theft and destruction and illegal control, formulate plans to address supply chain security issues/concerns that your Chinese business partners or the Chinese government may raise. While the Measures do not explicitly set out a “blacklist” regime to penalize companies which fail to provide supply chain security/stability to their Chinese business counterparts, the failure to maintain supply chain security will likely preclude a foreign business from future purchase orders or procurement transactions from Chinese CII operators.
- When asked to cooperate in a cybersecurity review, adopt strict confidentiality measures to protect your trade secrets and intellectual property to the extent possible when disclosing relevant technical data and materials to your Chinese business counterparts, relevant government agencies and third party technical assessment institutions. The Measures do provide for trade secrets and intellectual property protection in Article 16.
- To the extent that sales in China are important, consider investing in a China-specific production and service process to satisfy Chinese cybersecurity requirements. Take into account the potential for Chinese rules and standards to be adopted in Belt and Road Initiative countries and other countries friendly to China.
- Continue to monitor new laws and regulations in the evolving cybersecurity review regime.