This is a translation of a draft. The finalized version is available here:
Article 1: These Measures are drafted on the basis of the "People's Republic of China National Security Law", the "People's Republic of China Cybersecurity Law" and the "People's Republic of China Data Security Law" so as to ensure supply chain security for critical information infrastructure and to preserve national security.
Article 2: Where critical information infrastructure operators (hereafter referred to as "operators") purchase network products and services, or data handlers (hereafter referred to as "operators") carry out data handling activities, that impact or have the potential to impact national security, they shall conduct cybersecurity reviews in accordance with these Measures.
Article 3: Cybersecurity reviews are to combine the prevention of cybersecurity risks with promotion of technological applications, combine equity and transparency in procedures with protection of intellectual property rights, combine ex ante reviews with ongoing regulation, and combine enterprises' pledges with social oversight, to carry out reviews of areas such as the products' and services' security, reliability, and potential national security risks.
Article 4: Under the leadership of the Central Cyberspace Affairs Commission, the State Internet Information Office is to establish a national mechanism for cybersecurity review work, in conjunction with the National Development and Reform Commission, Ministry of Industry and Information, Ministry of Public Security, Ministry of State Security, Ministry of Finance, Ministry of Commerce, People's Bank of China, State Administration for Market Regulation, State Administration of Radio and Television, the China Securities Regulatory Commission, State Secrets Administration, and State Cryptography Administration.
An Office for Cybersecurity Review is to be set up in the State Internet Information Office, and be responsible for regulating systems related to cybersecurity reviews and organizing cybersecurity reviews.
Article 5: Where operators purchase network products and services, they shall make an anticipatory judgment of national security risks that might occur after they are put into use. Where there is an impact or potential impact on national security, an application for cybersecurity review shall be made to the Office for Cybersecurity Review.
Departments for critical information infrastructure protection work may draft guidebooks for anticipatory judgments in the corresponding industry or sector.
Article 6: Where operators that have information on 1,000,000 or more users in hand are to be publicly listed abroad, an application for cybersecurity review must be made to the Office for Cybersecurity Review.
Article 7: For procurement activities that are submitted for cybersecurity review, operators should use procurement documents, agreements, and so forth, to request that providers of products and services cooperate in the cybersecurity review, including pledging not to use the provision of products and services to facilitate the illegal acquisition of user data, illegal control or operation of user equipment, and to not interrupt the supply of products or necessary technical support services without legitimate reason.
Article 8: Operators shall submit the following material in applying for cybersecurity review:
(1) A written declaration;
(2) An analytic report on the impact or potential impact to national security;
(3) Materials such as the purchasing documents, agreements, signed contracts, or submitted IPO materials;
(4) Other materials required for cybersecurity review efforts.
Article 9: The Office for Cybersecurity Review shall confirm whether a review is necessary within 10 working days of receiving the application materials, and notify the operators in writing.
Article 10: Cybersecurity reviews are to emphasize the assessment of national security risks that might be brought on by the purchasing activities, data handling activities, as well as public listing abroad, primarily considering the following factors:
(1) The risk of critical information infrastructure being illegally controlled, interfered with, or destroyed after the product or service is put into use;
(2) The threat to the continuity of critical information infrastructure from interruptions in the supply of the products or services;
(3) The products' or services' security, openness, transparency, and diversity of sources, as well as the reliability of supply channels and the risk of supply interruptions due to political, diplomatic, or trade factors, and so forth;
(4) The product or service supplier's compliance with Chinese law, administrative regulations, and departmental rules;
(5) The risk of core data, important data, or large volumes of personal information being stolen, leaked, destroyed, or being illegally used or sent abroad;
(6) The risk of critical information infrastructure, core data, important data, or large volumes of personal information being impacted, controlled, or maliciously used by foreign governments after public listing abroad;
(7) Other factors that might endanger critical information infrastructure security and national data security.
Article 11: Where the Office for Cybersecurity Review finds that it is necessary to carry out cybersecurity review, it shall complete a preliminary review within 30 working days of issuing a written notice to operators, including forming review conclusions and recommendations and sending them to solicit comments from the mechanism for cybersecurity review work's member units and related departments for the protection of critical information infrastructure; and where the circumstances are complicated, the period may be extended by 15 working days.
Article 12: The mechanism for cybersecurity review work's member units and related departments for the protection of critical information infrastructure shall reply with written comments within 15 working days of receiving the review conclusions and recommendations.
Where the comments of the mechanism for cybersecurity review work's member units and related departments for the protection of critical information infrastructure are consistent, the Office for Cybersecurity Review is to notify the operators of the review conclusions in writing; where the comments are not consistent, it is to be handled in accordance with the procedures for special review, and the operators are to be notified.
Article 13: Where the special review procedures are followed, the Office for Cybersecurity Review shall hear the opinions of relevant departments and units, conduct a thorough analytic assessment, put together new review conclusions and recommendations, and solicit the comments of the mechanism for cybersecurity review work's member units and related departments, and after following procedures to apply for approval from the Central Cyberspace Affairs Commission, is to form review results and notify the operators in writing.
Article 14: The special review procedures shall normally be completed within 3 months, but where circumstances are complex, this may be extended.
Article 15: Where the Office for Cybersecurity Review requests that supplementary materials be provided, operators and providers of products and services shall cooperate. The time for the provision of supplementary materials is not counted in the time for review.
Article 16: Products and services, data handling activities, and public listing abroad that member units of the mechanism for cybersecurity review work find might impact national security, are to be reviewed in accordance with these Measures after the Office for Cybersecurity Review reports to the Central Cyberspace Affairs Commission for permission in accordance with procedures.
Article 17: The institutions and personnel participating in cybersecurity reviews should strictly protect enterprises' commercial secrets and intellectual property rights, and bear an obligation to protect the secrecy of undisclosed materials submitted by operators and the providers of products and services, as well as other undisclosed information learned of in the course of review work, and must not disclose it to unrelated parties or use it for purposes other than reviews.
Article 18: Where operators feel that reviewers are no longer objective and fair, or are unable to bear the obligation to preserve the confidentiality of information obtained in the course of the review, they may report this to the Office for Cybersecurity Review or relevant departments.
Article 19: Operators shall urge product and service providers to perform on the pledges they make during cybersecurity reviews.
The Office for Cybersecurity Review is to strengthen ex-ante and ongoing oversight through means such as accepting reports.
Article 20: Where operators violate the provisions of these Measures, it is to be addressed in accordance with the "People's Republic of China Cybersecurity Law" and the "People's Republic of China Data Security Law."
Article 21: "Critical information infrastructure operators" as used in these Measures refers to operators that have been designated by the departments for critical information infrastructure protection work.
"Network products and services" as used in these Measures primarily refers to core network equipment, important communications equipment, high-performance computers and servers, mass storage equipment, large-scale databases, and application software, cloud computing services, as well as other network products and services that have a major impact on critical information infrastructure security.
Article 22: Where information that is a state secret is involved, implementation is to be in accordance with state provisions on secrecy.
Article 23: These Measures are to be implemented beginning on X/X/2021, and the "Security Review Measures for Network Services and Products (Provisional)" are to be simultaneously abolished.