China Cybersecurity Law Update - Critical Network Equipment and Dedicated Cybersecurity Products Catalogue issued

13 June 2017

Clarice Yue, Michelle Chan, Sven-Michael Werner, John Shi

As reported previously, the China Cybersecurity Law came into effect on 1 June 2017.

Article 23 of the China Cybersecurity Law contemplates that certain "critical network equipment" (CNE) and "dedicated cybersecurity products" (DCSP) are required to either (1) obtain security certification from accredited certification bodies or (2) pass security inspection before they can be put on sale or supplied in China. The Article further specifies that catalogues will be issued in due course on the equipment and products which will be subject to such requirement.

The Catalogue

On 1 June 2017, the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Public Security Bureau (PSB) and the Certification and Accreditation Administration of China (CAA) jointly issued the first catalogue, which provides for the following:

Critical network equipment

The following types of CNEs meeting the prescribed specifications set out in the catalogue will be subject to the accreditation or inspection requirements:

  • Routers
  • Switches
  • Servers (rack-mounted)
  • Programmable logic controllers

Dedicated cybersecurity products

The following types of DCSPs meeting the prescribed specifications set out in the catalogue will also be subject to the accreditation or inspection requirements:

  • Integrated data backup
  • Firewall (hardware)
  • Web application firewall
  • Intrusion detection system
  • Intrusion defence system
  • Security isolation and information exchange products (gatekeeper)
  • Anti-spam mail products
  • Network synthetical audit system
  • Network vulnerability scanning product
  • Security data system
  • Website recovery products (hardware)

Accredited bodies

The catalogue itself provides that the CAC, MIIT, PSB and CAA will jointly promulgate further measures on how a body may become an accredited body and to provide the accreditation and certification contemplated in the catalogue.

Publication of approved products

As is the practice of the PRC government on products which require accreditation or approval, products which have been duly accredited or have passed relevant inspection will be announced publicly on a regular basis.

More implementation rules to come

On the eve of the coming into force of the China Cybersecurity Law, the CAC issued a set of Q&As clarifying that there will be no moratorium of the coming into effect of the law. Relevant ministries and authorities are expected to promulgate regulations and implementation measures within a period of one year such that the law could begin to be properly implemented. Quite apart from this catalogue, we are expecting more implementation and administrative measures to be issued shortly.

Authors

Michelle Chan

Michelle Chan

Partner
China and Hong Kong

Call me on: +852 2248 6000

John Shi

Partner
China and Hong Kong

Call me on: +86 10 5933 5688
Image of Sven-Michael Werner

Sven-Michael Werner

Partner
China and Hong Kong

Call me on: +86 21 2312 1288
Clarice Yue

Clarice Yue

Counsel
China and Hong Kong

Call me on: +852 2248 6000