China Cybersecurity Law Update: Finalised Measures on Security Examination of Network Products and Network Services Issued!

The security examination measures will be applicable to the procurement of network products and network services by critical information infrastructure operators.

In our previous update, we highlighted the key provisions of the draft of the security examination measures that was put forward for consultation in February 2017. The final security examination measures in substance follows the provisions in the draft, with the following notable changes and features:

1. National security is the key focus
   
   Whether any network products or services supplied will be subject to security examination will depend on if the system concerned will raise any "national security" concern. The final security examination measures clarifies this by removing references to "public interest" in determining the scope and purpose of the security examination.
   
   
2. Who are "critical information infrastructure" operators
   
   The security examination measures specifically lists out the scope of who may be regarded as "critical information infrastructure" operators.  This list mirrors the definition of "critical information infrastructure" under Article 31 of the Cybersecurity Law, i.e. critical information infrastructure is likely to be in the sectors of public communications and information service, energy, transport, water conservancy, finance, public services and e-government affairs. As with the Cybersecurity Law, the list is non-exhaustive, and makes reference to "other important industries and sectors" which according to the Cybersecurity Law, will be determined by the State Council.
   
   
3. Right to Report Breach to the Office of Network Security Examination
   
   Security examination will be conducted by an expert committee comprising third parties designated by the Network Security Examination Committee. The  security examination measures now sets out an express right to providers of network products and network services to report any breach of confidentiality or principles of objective fairness by any third party in the course of conducting security examination to the Office of Network Security Examination and other relevant departments. This right is not included in the consultation draft.

Observations

1. The security examination measures is substantially similar to the consultation draft. In other words, and as with the draft, limited guidance is given on how the security examination will be conducted, in particular, whether there are specifications or technical requirements that should be met. Until more details are available, it may be difficult in practice for critical information infrastructure operators and providers of network products and network services to start preparing for the security examination when the Cybersecurity Law comes into force.
   
   
2. There is less than one month to go before the Cybersecurity Law comes into force. The application of the provisions of the Cybersecurity Law is potentially very wide and businesses that have an operation in China are keenly awaiting much needed further clarity on many other aspects of the law which may be released shortly.