China: Cybersecurity review

Latest developments

China’s cybersecurity review system was first introduced into law by the CSL, which requires CII operators to apply for a national security review of their procurement of network products and services if that procurement may impact national security. The cybersecurity review regime has been further updated and implemented by the Measures for Cybersecurity Review (Review Measures), which came into effect on February 15, 2022.


The Review Measures extend the scope of cybersecurity review from procurement by CII operators to also include data processing activities by network platform operators that impact or may impact national security. Notably, a network platform operator that controls the PI of more than one million users must also apply for a cybersecurity review of its proposed listing outside China.

The Review Measures provide that the cybersecurity review should take into account the following aspects:

  • The risks of illegal control of, interference in, or destruction of CII arising from the use of the products and services;
  • The harm to the business continuity of CII caused by the interruption of the supply of the products and services;
  • The security, openness, transparency, diversity of sources of products and services, reliability of supply channels, and the risks of supply disruption caused by political, diplomatic, and trade factors;
  • The compliance by product and service providers with Chinese laws, administrative regulations, and departmental rules;
  • The risks of core data, important data, or a large amount of personal information being stolen, leaked, damaged, illegally used, or illegally transferred to another jurisdiction;
  • The risks of the CII, core data, important data or a large amount of personal information being affected, controlled or maliciously used by foreign governments and network information security risks after listing; and
  • Other factors that may endanger the security of CII, cybersecurity, and data security.

In normal circumstances, the time limit for a cybersecurity review is 30 working days for review and 15 working days for reply, and it can be extended by 15 working days. Notably, where the relevant ministries cannot reach a consensus, the case will follow a special review procedure, and the statutory time limit can be extended for 90 working days or longer.

*Information is accurate up to 27 November 2023

