Promulgation Date: 2021-12-28 Title: Cybersecurity Review Measures Document Number: Expiration date: Promulgating Entities: China Cyberspace Administration, National Development and Reform Commission, Ministry of Industry and Information Technology et al. Source of text: http://www.cac.gov.cn/2022-01/04/c_1642894602182845.htm
Article 1: These Measures are drafted on the basis of the People's Republic of China National Security Law, the People's Republic of China Cybersecurity Law, and the People's Republic of China Data Security Law, and the Regulations on the Protection of Critical Information Infrastructure Security, so as to ensure supply chain security for critical information infrastructure to preserve national security, and to ensure cybersecurity and data security.
Article 2: Where critical information infrastructure operators purchase network products and services, or online platform operators carry out data handling activities, impacting or having the potential to impact national security, they shall conduct network security reviews in accordance with these measures.
The critical information infrastructure operators and network platform operators provided for in the preceding paragraph are collectively referred to as 'parties'.
Article 3: Cybersecurity reviews are to combine the prevention of cybersecurity risks with the promotion of technological applications, combine equity and transparency in procedures with the protection of intellectual property rights, combine ex-ante reviews with ongoing regulation, and combine enterprise's pledges with social oversight, to carry out reviews of areas such as the security, reliability, and potential national security risks or the products, services, or data handling activities.
Article 4: Under the leadership of the Central Cyberspace Affairs Commission, the State Internet Information Office is to establish a national mechanism for cybersecurity review work, in conjunction with the National Development and Reform Commission, Ministry of Industry and Information, Ministry of Public Security, Ministry of State Security Ministry of Finance, Ministry of Commerce, People's Bank of China, State Administration for Market Regulation, State Administration of Radio and Television, The China Securities Regulatory Commission, State Secrets Administration, and State Cryptography Administration.
An Office for Cybersecurity Review is to be set up in the State Internet Information Office, and be responsible for regulating systems related to cybersecurity reviews and organizing cybersecurity reviews.
Article 5: Where critical information infrastructure operators purchase network products and services, they shall make an anticipatory judgment of national security risks that might occur after they are put into use. Where there is an impact or potential impact on national security, an application for cybersecurity review shall be made to the Office for Cybersecurity Review.
The departments for critical information infrastructure security protection work may formulate a pre-assessment guide for the corresponding industry or field.
Article 6: For procurement activities that are submitted for cybersecurity review, critical information infrastructure operators shall use procurement documents, agreements, and so forth, to request that providers of products and services cooperate in the cybersecurity review, including pledging not to use the provision of products and services to facilitate the illegal acquisition of user data, illegal control or operation of user equipment, and to not interrupt the supply of products or necessary technical support services without legitimate reason.
Article 7: Where network platform operators that have information on 1,000,000 or more users in hand are to be publicly listed abroad, an application for cybersecurity review must be made to the Office for Cybersecurity Review.
Article 8: Parties shall submit the following material in applying for cybersecurity review:
(1) a written declaration;
(2) An analytic report on the impact or potential impact to national security;
(3) Application documents for listing, such as the purchasing documents, agreements, signed contracts, or proposed Initial Public Offering (IPO);
(4) Other materials required for cybersecurity review efforts.
Article 9: The Office for Cybersecurity Review shall determine whether a review is required within 10 working days of receiving review declaration materials compliant with article 8 of these Measures, and notify the party in writing.
Article 10: Cybersecurity reviews are to focus on assessing the following national security risk factors in the subject or situation under review:
(1) The risk of critical information infrastructure being illegally controlled, interfered with, or destroyed after that the product or service is put into use;
(2) The threat to the continuity of critical information infrastructure from interruptions in the supply of the products or services;
(3) The products' or services' security, openness, transparency, and diversity of sources, as the reliability of supply channels and the risk of supply interruptions due political, diplomatic, or trade factors, and so forth;
(4) The supplier of the product or services' compliance with Chinese law, administrative regulations, and departmental rules;
(5) The risk of core data, important data, or large volumes of personal information being stolen, leaked, destroyed, or being illegally used or illegally sent abroad;
(6) The risk in public listing of foreign governments influencing, controlling, or maliciously exploiting critical information infrastructure, core data, important data, or large volumes of personal information, as well as the risk to network information security.
(7) Other factors that might endanger critical information infrastructure security, cybersecurity, and data security.
Article 11: Where the Office for Cybersecurity Review finds that it is necessary to carry out cybersecurity review, it shall complete a preliminary review within 30 working days of issuing a written notice to the parties, including forming review conclusions and recommendations and sending them to solicit comments from the mechanism for cybersecurity review work's member units and related departments; and where the circumstances are complicated, the period may be extended by 15 working days.
Article 12: The unit members of the mechanism for cybersecurity review work and related departments shall reply with written comments within 15 working days of receiving the review conclusions and recommendations.
Where the mechanism for cybersecurity review work's member units and related departments' comments are consistent, the Office for Cybersecurity Review is to notify the parties of the review conclusions in writing; where the comments are not consistent, handle them in accordance with the procedures for special review, and notify the parties.
Article 13: The special review procedures shall normally be completed within 90 working days, but where circumstances are complex, this may be extended.
Article 14: The special review procedures shall normally be completed within 90 working days, but where circumstances are complex, this may be extended.
Article 15: Where the Office for Cybersecurity Review requests that supplementary materials be provided, parties and providers of products and services shall cooperate. The time for the provision of supplementary materials is not counted in the time for review.
Article 16: Products and services. as well data handling activities, that member units of the mechanism for cybersecurity review work find might impact national security, are to be reviewed in accordance with these Measures after the Office for Cybersecurity Review reports to the Central Cyberspace Affairs Commission for permission in accordance with procedures.
As a precaution against risk, the parties shall employ measures during the review period as required for the cybersecurity review to prevent and reduce risk
Article 17: The institutions and personnel participating in cybersecurity reviews shall strictly protect the intellectual property rights, and bear an obligation to protect the confidentiality of commercial secrets and personal information learned of in the course of review work, as well as undisclosed materials submitted by parties and the providers of products or services, as well as other undisclosed information, and must not disclose these to unrelated parties or use them for purposes other than reviews.
Article 18: Where parties or network product and services providers feel that reviewers are no longer objective and fair, or are unable to bear the obligation to preserve the confidentiality of information obtained in the course of the review, they may report this to the Office for Cybersecurity Review or relevant departments.
Article 19: Parties shall urge product and service providers to perform on the pledges they make during cybersecurity reviews.
The Office for Cybersecurity Review is to strengthen ex-ante and ongoing oversight through means such as accepting reports.
Article 20: Where parties violate the provisions of these Measures, it is to be addressed in accordance with the People's Republic of China Cybersecurity Law and the People's Republic of China Data Security Law.
Article 21: "Network products and services" as used in these Measures primarily refers to core network equipment, important communications equipment, high-performance computers and servers, mass storage equipment, large-scale databases, and application software, cloud computing services, as well as other network products and services that have a major impact on critical information infrastructure security, cybersecurity, or data security.
Article 22: Where information that is a state secret is involved, implementation is to be in accordance with state provisions on secrecy.
Where the state has other provisions on data security reviews or foreign investment reviews, they shall be complied with concurrently.
Article 23: These Measures take effect on February 15, 2022. The "Cybersecurity Review Measures" promulgated on April 13, 2020 (Order No. 6 of the China Cyberspace Administration, National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, Ministry of State Security, Ministry of Finance, Ministry of Commerce, People's Bank of China, State Administration for Market Regulation, National Radio and Television Administration, National Administration of State Secrets Protection, and State Cryptography Administration) are simultaneously repealed.
[…] A day prior, the Cyberspace Administration of China (CAC), along with 12 other government agencies—including the China Securities Regulatory Commission (CSRC)—announced a new version of its high-profile “Cybersecurity Review Measures.” […]
[…] A day prior, the Cyberspace Administration of China (CAC), along with 12 other government agencies—including the China Securities Regulatory Commission (CSRC)—announced a new version of its high-profile “Cybersecurity Review Measures.” […]
[…] 15, 2022, the Cybersecurity Review Measures (2021) (CRM 2021, unofficial English text available here) took effect. CRM 2021 was promulgated on December 28, 2021, by the Cyberspace Administration of […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling up. But that path also seems blurry. In December, China’s cyber security regulator said Internet platform operator with data of more than one million individuals [within China] Must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] bu rota da daha sönük görünüyor. Aralık ayında Çin’in siber güvenlik düzenleyicisi dedim bir milyondan fazla kişinin verisine sahip internet platformu operatörleri [within China] yurt […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] wide scale. But that route also looks blurry. In December, China’s cybersecurity regulator speak internet platform operators with the data of more than a million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route can be wanting dimmer. In December, China’s cybersecurity regulator said web platform operators with information of a couple of million people [within China] should bear a […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] 但这条路也显得平淡无奇。 12月,中国网络安全监管部门 她说 拥有百万以上数据的互联网平台运营商 [within China] […]
[…] scaling. But that route can also be trying dimmer. In December, China’s cybersecurity regulator said web platform operators with knowledge of multiple million people [within China] should bear a […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route can also be trying dimmer. In December, China’s cybersecurity regulator mentioned web platform operators with information of a couple of million people [within China] should endure […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] to scale. . But this road also seems darker. In December, the Chinese cybersecurity regulator mentioned Internet platform operators with the data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] that route can also be trying dimmer. In December, China’s cybersecurity regulator stated web platform operators with information of a couple of million people [within China] should bear a […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] Pero esta ruta también parece más oscura. En diciembre, el regulador de ciberseguridad de China llamado Operadores de plataformas de Internet con datos de más de un millón de personas [within China] […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] A day prior, the Cyberspace Administration of China (CAC), along with 12 other government agencies—including the China Securities Regulatory Commission (CSRC)—announced a new version of its high-profile “Cybersecurity Review Measures.” […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] to scale up. But that route also looks vaguer. In December, China’s cybersecurity regulator said Internet platform operators with data on more than one million people [within China] must undergo […]
[…] scaling. But that route can also be wanting dimmer. In December, China’s cybersecurity regulator said web platform operators with knowledge of a couple of million people [within China] should bear a […]
[…] também está parecendo mais escura. Em dezembro, o regulador de segurança cibernética da China disse operadores de plataformas de internet com dados de mais de um milhão de indivíduos [within China] […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] Pero este camino también parece más oscuro. En diciembre, el regulador de ciberseguridad chino mencionado Operadores de plataformas de Internet con los datos de más de un millón de personas [within […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] However that route can also be trying dimmer. In December, China’s cybersecurity regulator mentioned web platform operators with information of multiple million people [within China] should bear a […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] for scaling. But that route is also looking dimmer. In December, China’s cybersecurity regulator said internet platform operators with data of more than one million individuals [within China] must […]
[…] to scale. . But this road also seems darker. In December, the Chinese cybersecurity regulator mentioned Internet platform operators with the data of more than one million individuals [within China] must […]
[…] However that course may be taking a look dimmer. In December, China’s cybersecurity regulator mentioned web platform operators with information of a couple of million people [within China] will have to […]
[…] that course could also be taking a look dimmer. In December, China’s cybersecurity regulator stated web platform operators with records of multiple million people [within China] will have to go […]
[…] However that path may be taking a look dimmer. In December, China’s cybersecurity regulator mentioned web platform operators with information of a couple of million folks [within China] will have to go […]
[…] that course could also be having a look dimmer. In December, China’s cybersecurity regulator mentioned web platform operators with information of multiple million folks [within China] should go through […]
[…] Pero esa ruta también se ve más tenue. En diciembre, el regulador de ciberseguridad de China dicho operadores de plataformas de internet con datos de más de un millón de personas [within China] […]
[…] that path could also be taking a look dimmer. In December, China’s cybersecurity regulator stated web platform operators with information of a couple of million people [within China] should go […]