China Cyber Security Law Update - Critical Network Equipment and Dedicated Cyber Security Products Catalogue issued

13 June 2017

As reported previously, the China Cyber Security Law came into effect on 1 June 2017.

Article 23 of the China Cyber Security Law contemplates that certain "critical network equipment" (CNE) and "dedicated cyber security products" (DCSP) are required to either (1) obtain security certification from accredited certification bodies or (2) pass security inspection before they can be put on sale or supplied in China. The Article further specifies that catalogues will be issued in due course on the equipment and products which will be subject to such requirement.

The Catalogue

On 1 June 2017, the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Public Security Bureau (PSB) and the Certification and Accreditation Administration of China (CAA) jointly issued the first catalogue, which provides for the following:

Critical network equipment

The following types of CNEs meeting the prescribed specifications set out in the catalogue will be subject to the accreditation or inspection requirements:

  • Routers
  • Switches
  • Servers (rack-mounted)
  • Programmable logic controllers

Dedicated cyber security products

The following types of DCSPs meeting the prescribed specifications set out in the catalogue will also be subject to the accreditation or inspection requirements:

  • Integrated data backup
  • Firewall (hardware)
  • Web application firewall
  • Intrusion detection system
  • Intrusion defence system
  • Security isolation and information exchange products (gatekeeper)
  • Anti-spam mail products
  • Network synthetical audit system
  • Network vulnerability scanning product
  • Security data system
  • Website recovery products (hardware)

Accredited bodies

The catalogue itself provides that the CAC, MIIT, PSB and CAA will jointly promulgate further measures on how a body may become an accredited body and to provide the accreditation and certification contemplated in the catalogue.

Publication of approved products

As is the practice of the PRC government on products which require accreditation or approval, products which have been duly accredited or have passed relevant inspection will be announced publicly on a regular basis.

More implementation rules to come

On the eve of the coming into force of the China Cyber Security Law, the CAC issued a set of Q&As clarifying that there will be no moratorium of the coming into effect of the law. Relevant ministries and authorities are expected to promulgate regulations and implementation measures within a period of one year such that the law could begin to be properly implemented. Quite apart from this catalogue, we are expecting more implementation and administrative measures to be issued shortly.