Source:http://www.cac.gov.cn/2020-04/27/c_1589535450769077.htm 【release time】April 13, 2020
The Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, the State Cryptography Administration have jointly formulated the "Cybersecurity Review Measures", which are now published.
Article 1: These Measures are drafted on the basis of the "People's Republic of China National Security Law" and the "People's Republic of China Cybersecurity Law" so as to ensure supply chain security for critical information infrastructure and to preserve national security.
Article 2: Where critical information infrastructure operators (hereafter referred to as "operators") purchase network products and services that impact or have the potential to impact national security, they shall conduct network security reviews in accordance with these measures.
Article 3: Cybersecurity reviews are to combine the prevention of cybersecurity risks with promotion of technological applications, combine equity and transparency in procedures with protection of intellectual property rights, combine ex ante reviews with ongoing regulation, and combine enterprise's pledges with social oversight, to carry out reviews of areas such as the products' and services' security, reliability, and potention national security risks.
Article 4: Under the leadership of the Central Cyberspace Affairs Commission, the State Internet Information Office is to establish a national mechanism for cybersecurity review work in conjunction with the National Development and Reform Commission, Ministry of Industry and Information, Ministry of Public Security, Ministry of State Security Ministry of Finance, People's Bank of China, State Administration for Market Regulation, State Administration of Radio and Television, State Secrets Administration, and State Cryptography Administration.
An Office for Cybersecurity Review is to be set up in the State Internet Information Office, and be responsible for regulating systems related to cybersecurity reviews and organizing cybersecurity reviews.
Article 5: Where operators purchase network products and services, they shall make an anticipatory judgment of national security risks that might occur after they are put into use. Where there is an impact or potential impact on national security, an application for cybersecurity review shall be made to the Office for Cybersecurity Review.
Departments for critical information infrastructure protection work may draft guidebooks for anticipatory judgments in the corresponding industry or sector.
Article 6: For procurement activities that are submitted for cybersecurity review, operators should use procurement documents, agreements, and so forth, to request that providers of products and services cooperate in the cybersecurity review, including pledging not to use the provision of products and services to facilitate the illegal acquisition of user data, illegal control or operation of user equipment, and to not interrupt the supply of products or necessary technical support services without legitimate reason.
Article 7: Operators shall submit the following material in applying for network security review:
(1) Declaration form;
(2) Analysis report on the impact or possible impact on national security;
(3) Procurement documents, agreements, contracts to be signed, etc.
(4) Other materials required for cybersecurity reviews.
Article 8: The Office for Cybersecurity Review shall confirm whether a review is necessary within 10 working days of receiving the application materials, and notify the operators in writing.
Article 9: Cybersecurity reviews are to emphasize assessment of national security risks that might be brought on by the purchased products or services, primarily in consideration of the following factors:
(1) The risk of critical information infrastructure being illegally controlled, interfered with, or destroyed after that the product or service is put into use, as well as the risk of important data being stolen, leaked, or harmed;
(2) The threat to the continuity of critical information infrastructure from interruptions in the supply of the products or services;
(3) The products' or services' security, openness, transparency, and diversity of sources, as the reliability of supply channels and the risk of supply interruptions due political, diplomatic, or trade factors, and so forth;
(4) The supplier of the product or services' compliance with Chinese law, administrative regulations, and departmental rules;
(5) Other factors that might endanger critical information infrastructure security and national security.
Article 10: Where the Office for Cybersecurity Review finds that it is necessary to carry out cybersecurity review, it shall complete a preliminary review within 30 working days of issuing a written notice to operators, including forming review conclusions and recommendations and sending them to solicit comments from the mechanism for cybersecurity review work's member units and related departments for the protection of critical information infrastructure; and where the circumstance are complicated, the period may be extended by 15 working days.
Article 11: The mechanism for cybersecurity review work's member units and related departments for the protection of critical information infrastructure shall reply with written comments within 15 working days of receiving the review conclusions and recommendations.
Where the mechanism for cybersecurity review work's member units and related departments for the protection of critical information infrastructure's comments are consistent, the Office for Cybersecurity Review is to notify the operators of the review conclusions in writing; where the comments are not consistent, handled it in accordance with the procedures for special review, and notify the operators.
Article 12: Where the special review procedures are followed, the Office for Cybersecurity Review shall hear the opinions of relevant departments and units, conduct a thorough analytic assessment, put together new review conclusions and recommendations, and solicit the comments of the mechanism for cybersecurity review work's member units and related departments for the protection of critical information infrastructure, and after following procedures to apply for approval from the Central Cyberspace Affairs Commission, are to form review results and notify the operators in writing.
Article 13: The special review procedures shall normally be completed within 45 working days, but where circumstances are complex, this may be appropriately extended.
Article 14: Where the Office for Cybersecurity Review requests that supplementary materials be provided, operators and providers of products and services shall cooperate. The time for the provision of supplementary materials is not counted in the time for review.
Article 15: Products and services that member units of the mechanism for cybersecurity review work find might impact national security, are to be reviewed in accordance with these Measures after the Office for Cybersecurity Review reports to the Central Cyberspace Affairs Commission for permission in accordance with procedures.
Article 16: The institutions and personnel participating in cybersecurity reviews should strictly protect enterprises' commercial secrets and intellectual property rights, and bear an obligation to protect the secrecy of undisclosed materials submitted by operators and the providers of products and services, as well as other undisclosed information learned of in the course of review work, and must not disclose it to unrelated parties or use it for purposes other than reviews.
Article 17: Where operators feel that reviewers are no longer objective and fair, or are unable to bear the obligation to preserve the confidentiality of information obtained in the course of the review, they may report this to the Office for Cybersecurity Review or relevant departments.
Article 18: Operators shall urge product and service providers to perform on the pledges they make during cybersecurity reviews.
The Office for Cybersecurity Review is to strengthen ex-ante and ongoing oversight through means such as accepting reports.
Article 19: Where operators violate the provisions of these Measures, it is to be addressed in accordance with the Article 65 of the "People's Republic of China Cybersecurity Law".
Article 20: "Critical information infrastructure operators" as used in these Measures refers to operators that have been designated by the departments for critical information infrastructure protection work.
"Network products and services" as used in these Measures primarily refers to core network equipment, high-performance computers and servers, mass storage equipment, large-scale databases, and application software, cloud computing services, as well as other network products and services that have a major impact on critical information infrastructure security.
Article 21: Where information that is a state secret is involved, implementation is to be in accordance with state provisions on secrecy.
Article 22: These Measures are to be implemented beginning on June 1, 2020, and the "Security Review Measures for Network Services and Products (Provisional) are simultaneously abolished.