The China Cybersecurity Law was passed on 7 November 2016 and will come into effect on 1 June 2017. Article 35 of the Cybersecurity Law provides that network products and services procured by operators of critical information infrastructure ("CII") will be subject to national security examination if network products and services are likely to affect "national security". However, the Cybersecurity Law does not give detailed guidance on the scope of this national security examination and how it will be implemented.
Draft Measures on Security Examination of Network Products and Services
The proposed implementation framework of national security examination is now set out in the consultation paper on the draft "Measures on Security Examination of Network Products and Services" (the "Draft Measures"). The Draft Measures was released by the State Internet Information Office on 4 February 2017. The consultation period will end on 4 March 2017.
The Draft Measures provides that the national security examination will focus on the security and controllability of network products and services, including:
The results of national security examination may be published or disclosed in accordance with requirements of the relevant state departments, recommendations of national associations of the industries, market demands, applications by enterprises.
Network Security Examination Committee
A new Network Security Examination Committee will be established by the State Internet Information Office and relevant departments to review important policies of network security examination and perform a work coordination role. Integrated security assessment will be made by an expert committee comprised of third parties designated by the Network Security Examination Committee.
The Draft Measures requires all Product and Service Providers to cooperate when it comes to network security examination work.
The departments in charge of key industries such as the financial, telecommunications and energy industries are required to organise security examination of network products and services in accordance with the requirements of the national security examination.
These key industries must not use network products and services which have not passed the security examination. In addition, network products and services purchased by CII operators, where they may affect national security, must pass network security examination. Departments in charge of protecting the security of CII will determine whether the purchase of network products and services by CII operators will affect national security.
Jun 08 2023