Promulgation Date: 2021-12-28
Title: Cybersecurity Review Measures
Document Number:
Expiration date:
Promulgating Entities: China Cyberspace Administration, National Development and Reform Commission, Ministry of Industry and Information Technology et al.
Source of text: http://www.cac.gov.cn/2022-01/04/c_1642894602182845.htm
Article 1: These Measures are drafted on the basis of the People's Republic of China National Security Law, the People's Republic of China Cybersecurity Law, the People's Republic of China Data Security Law, and the Regulations on the Protection of Critical Information Infrastructure Security, so as to ensure supply chain security for critical information infrastructure, to preserve national security, and to ensure cybersecurity and data security.
Article 2: Where critical information infrastructure operators purchase network products and services, or network platform operators carry out data handling activities, impacting or having the potential to impact national security, they shall conduct cybersecurity reviews in accordance with these Measures.
The critical information infrastructure operators and network platform operators provided for in the preceding paragraph are collectively referred to as 'parties'.
Article 3: Cybersecurity reviews are to combine the prevention of cybersecurity risks with the promotion of technological applications, combine equity and transparency in procedures with the protection of intellectual property rights, combine ex-ante reviews with ongoing regulation, and combine enterprises' pledges with social oversight, to carry out reviews of areas such as the security, reliability, and potential national security risks of the products, services, or data handling activities.
Article 4: Under the leadership of the Central Cyberspace Affairs Commission, the State Internet Information Office is to establish a national mechanism for cybersecurity review work, in conjunction with the National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, Ministry of State Security, Ministry of Finance, Ministry of Commerce, People's Bank of China, State Administration for Market Regulation, State Administration of Radio and Television, the China Securities Regulatory Commission, State Secrets Administration, and State Cryptography Administration.
An Office for Cybersecurity Review is to be set up in the State Internet Information Office, and be responsible for regulating systems related to cybersecurity reviews and organizing cybersecurity reviews.
Article 5: Where critical information infrastructure operators purchase network products and services, they shall make an anticipatory judgment of national security risks that might occur after they are put into use. Where there is an impact or potential impact on national security, an application for cybersecurity review shall be made to the Office for Cybersecurity Review.
The departments for critical information infrastructure security protection work may formulate a pre-assessment guide for the corresponding industry or field.
Article 6: For procurement activities that are submitted for cybersecurity review, critical information infrastructure operators shall use procurement documents, agreements, and so forth, to request that providers of products and services cooperate in the cybersecurity review, including pledging not to use the provision of products and services to facilitate the illegal acquisition of user data or the illegal control or operation of user equipment, and not to interrupt the supply of products or necessary technical support services without legitimate reason.
Article 7: Where network platform operators that hold information on 1,000,000 or more users are to be publicly listed abroad, an application for cybersecurity review must be made to the Office for Cybersecurity Review.
Article 8: Parties shall submit the following material in applying for cybersecurity review:
(1) A written declaration;
(2) An analytic report on the impact or potential impact to national security;
(3) Application documents for listing, such as the purchasing documents, agreements, signed contracts, or proposed Initial Public Offering (IPO);
(4) Other materials required for cybersecurity review efforts.
Article 9: The Office for Cybersecurity Review shall determine whether a review is required within 10 working days of receiving review declaration materials compliant with Article 8 of these Measures, and notify the party in writing.
Article 10: Cybersecurity reviews are to focus on assessing the following national security risk factors in the subject or situation under review:
(1) The risk of critical information infrastructure being illegally controlled, interfered with, or destroyed after the product or service is put into use;
(2) The threat to the continuity of critical information infrastructure from interruptions in the supply of the products or services;
(3) The products' or services' security, openness, transparency, and diversity of sources, as well as the reliability of supply channels and the risk of supply interruptions due to political, diplomatic, or trade factors, and so forth;
(4) The product or service supplier's compliance with Chinese law, administrative regulations, and departmental rules;
(5) The risk of core data, important data, or large volumes of personal information being stolen, leaked, destroyed, or being illegally used or illegally sent abroad;
(6) The risk in public listing of foreign governments influencing, controlling, or maliciously exploiting critical information infrastructure, core data, important data, or large volumes of personal information, as well as the risk to network information security;
(7) Other factors that might endanger critical information infrastructure security, cybersecurity, and data security.
Article 11: Where the Office for Cybersecurity Review finds that it is necessary to carry out cybersecurity review, it shall complete a preliminary review within 30 working days of issuing a written notice to the parties, including forming review conclusions and recommendations and sending them to solicit comments from the mechanism for cybersecurity review work's member units and related departments; and where the circumstances are complicated, the period may be extended by 15 working days.
Article 12: The member units of the mechanism for cybersecurity review work and related departments shall reply with written comments within 15 working days of receiving the review conclusions and recommendations.
Where the comments of the mechanism for cybersecurity review work's member units and related departments are consistent, the Office for Cybersecurity Review is to notify the parties of the review conclusions in writing; where the comments are not consistent, they are to be handled in accordance with the procedures for special review, and the parties are to be notified.
Article 13: The special review procedures shall normally be completed within 90 working days, but where circumstances are complex, this may be extended.
Article 14: The special review procedures shall normally be completed within 90 working days, but where circumstances are complex, this may be extended.
Article 15: Where the Office for Cybersecurity Review requests that supplementary materials be provided, parties and providers of products and services shall cooperate. The time for the provision of supplementary materials is not counted in the time for review.
Article 16: Products and services, as well as data handling activities, that member units of the mechanism for cybersecurity review work find might impact national security, are to be reviewed in accordance with these Measures after the Office for Cybersecurity Review reports to the Central Cyberspace Affairs Commission for permission in accordance with procedures.
As a precaution against risk, the parties shall employ measures during the review period as required for the cybersecurity review to prevent and reduce risk.
Article 17: The institutions and personnel participating in cybersecurity reviews shall strictly protect intellectual property rights, and bear an obligation to protect the confidentiality of commercial secrets and personal information learned of in the course of review work, of undisclosed materials submitted by parties and the providers of products or services, and of other undisclosed information, and must not disclose these to unrelated parties or use them for purposes other than reviews.
Article 18: Where parties or network product and services providers feel that reviewers are no longer objective and fair, or are unable to bear the obligation to preserve the confidentiality of information obtained in the course of the review, they may report this to the Office for Cybersecurity Review or relevant departments.
Article 19: Parties shall urge product and service providers to perform on the pledges they make during cybersecurity reviews.
The Office for Cybersecurity Review is to strengthen ex-ante and ongoing oversight through means such as accepting reports.
Article 20: Where parties violate the provisions of these Measures, it is to be addressed in accordance with the People's Republic of China Cybersecurity Law and the People's Republic of China Data Security Law.
Article 21: "Network products and services" as used in these Measures primarily refers to core network equipment, important communications equipment, high-performance computers and servers, mass storage equipment, large-scale databases, and application software, cloud computing services, as well as other network products and services that have a major impact on critical information infrastructure security, cybersecurity, or data security.
Article 22: Where information that is a state secret is involved, implementation is to be in accordance with state provisions on secrecy.
Where the state has other provisions on data security reviews or foreign investment reviews, they shall be complied with concurrently.
Article 23: These Measures take effect on February 15, 2022. The "Cybersecurity Review Measures" promulgated on April 13, 2020 (Order No. 6 of the China Cyberspace Administration, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, Ministry of State Security, Ministry of Finance, Ministry of Commerce, People's Bank of China, State Administration for Market Regulation, National Radio and Television Administration, National Administration of State Secrets Protection, and State Cryptography Administration) are simultaneously repealed.