On May 2, 2017, the Cyberspace Administration of China published the final version of the Measures for the Security Review of Network Products and Services (for trial implementation) (the “Measures”), after having published a draft for public comment in February. Pursuant to the Cybersecurity Law of China (the “Cybersecurity Law”), if an operator of key information infrastructure purchases a network product or service that may affect national security, a security review of that product or service is required. The Measures provide detailed information about how these security reviews will actually be implemented. The Measures will come into effect on June 1, 2017, together with the Cybersecurity Law. The Measures should not be confused with the final version of the draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data, which was published on April 11, 2017, and remains open for public comment.
Pursuant to the Measures, critical network products and services used in network and information systems relating to national security are subject to a network security review. Any network product or service purchased by operators of key information infrastructure will also be subject to a network security review, if such product or service might affect national security.
The Measures require that the security assessments focus on verifying that the products or services are “secure and controllable.” The Measures do not provide the precise requirements for finding that a product or service is “secure and controllable,” but indicate that the process for determining whether a product or service is “secure and controllable” will take the form of a risk assessment, which will focus on the following risks: (1) the risk in the product or service itself, and the risk that the product or service may be illegally controlled, interfered with or suspended; (2) the supply chain risks arising during the manufacturing, testing, delivery and technical support of the product or service; (3) the risk that the provider of the product or service may use it to illegally collect, store, process or use its users’ personal information; (4) the risk that the provider of the product or service may jeopardize cybersecurity or infringe upon the interests of users, by taking advantage of their reliance on the product or service; and (5) any other risks that may jeopardize national security.
The Cyberspace Administration of China will establish a network security review commission which will cooperate with experts and third-party institutions to evaluate the foregoing risks.