China Cybersecurity Law Update – Will Network Products and Network Services Pass the Test?
Background
The China Cybersecurity Law was passed on 7 November 2016 and will come into effect on 1 June 2017. Article 35 of the Cybersecurity Law provides that network products and services procured by operators of critical information infrastructure ("CII") will be subject to national security examination if network products and services are likely to affect "national security". However, the Cybersecurity Law does not give detailed guidance on the scope of this national security examination and how it will be implemented.
Draft Measures on Security Examination of Network Products and Services
The proposed implementation framework of national security examination is now set out in the consultation paper on the draft "Measures on Security Examination of Network Products and Services" (the "Draft Measures"). The Draft Measures was released by the State Internet Information Office on 4 February 2017. The consultation period will end on 4 March 2017.
Key focuses
The Draft Measures provides that the national security examination will focus on the security and controllability of network products and services, including:
- risks of illegal control, interference and interruption of the operation of products and services;
- risks in research and development, delivery and technical support of products and key components;
- risks associated with illegal collection, storage, processing and utilisation of user-related information by the providers of network products and services (the "Product and Service Providers");
- risks of unfair competition or harm to users' interest by the Product and Service Providers, who may take advantage of users' reliance on the products and services; and
- other risks which may harm national security and public interests.
Public disclosure
The results of national security examination may be published or disclosed in accordance with requirements of the relevant state departments, recommendations of national associations of the industries, market demands, applications by enterprises.
Network Security Examination Committee
A new Network Security Examination Committee will be established by the State Internet Information Office and relevant departments to review important policies of network security examination and perform a work coordination role. Integrated security assessment will be made by an expert committee comprised of third parties designated by the Network Security Examination Committee.
Key obligations
The Draft Measures requires all Product and Service Providers to cooperate when it comes to network security examination work.
The departments in charge of key industries such as the financial, telecommunications and energy industries are required to organise security examination of network products and services in accordance with the requirements of the national security examination.
These key industries must not use network products and services which have not passed the security examination. In addition, network products and services purchased by CII operators, where they may affect national security, must pass network security examination. Departments in charge of protecting the security of CII will determine whether the purchase of network products and services by CII operators will affect national security.
Observations
- The Draft Measures provide some first insights into how network security examination of network products and services will be undertaken and the standards to be met and this is of particular interest to Product and Service Providers and CII operators.
- The Draft Measures expressly designates the finance, telecommunications and energy industries as key industries. The list however does not appear to be exhaustive.
- As the date of implementation of the Cybersecurity Law draws near, it is expected that more implementation rules and guidelines on other aspects of the Cybersecurity Law will be released for consultation shortly.
