Article 1: These Measures are drafted on the basis of the "People's Republic of China National Security Law", the "People's Republic of China Cybersecurity Law", and other laws and regulations, so as to increase the security and containability of network products and services, to prevent network security threats, and to preserve national security.
Article 2: Important network products and services related to national security network and information system procurement, shall go through network security reviews.
Article 3: Persist in combining enterprise assurances and social oversight, combining third-party assessments and sustained government supervision and management; combining laboratory testing, on-site inspections, online testing, background investigations; in carrying out network security reviews of network products and services and their supply chain.
Article 4: The key review of network security review on the security and containability of network products and services primarily includes:
(1) The risk of the products or services themselves, and of their being unlawfully controlled, interfered with, or disrupted;
(2) Supply Chain Risks in the course of production, testing, delivery, and technical support for products and key components.
(3) The risk of product or service providers illegally using products and services to facilitate collection, storage, processing, or use of information related to users;
(4) The risk of product and service providers using users' reliance on the products and services to harm network security or users' interests;
(5) Other risks that might endanger national security.
Article 5: The State Internet Information Office, together with relevant departments, is to establish a Network Security Review Committee, responsible for deliberating important policies on network security reviews, unifying and organizing network security review efforts, and coordinating on key issues related to network security reviews.
The Network Security Review Office is specifically organizes the implementation of network security reviews.
Article 6: The Network Security Review Committee is to recruit relevant experts to form a Network Security Review Experts Committee, to carry out comprehensive assessment of network products' and services' security risks and their providers' security credibility status, based on third-party assessments.
Article 7: The State lawfully identifies third-party institutions for network security reviews to take on the work of third-party assessments in network security reviews.
Article 8: the Network Security Review Office is to follow the relevant state requirements to determine subjects of review on the basis of national industry associations' recommendations and user feedback; and organize third-party institutions and expert committees to conduct network security review of network products and services, and publish the results of the review, or circulate them within a fixed range.
Article 9: Competent departments for key industries or fields such as finance, telecommunications, energy, and transportation are to organize and carry out network safety review efforts in that industry or field, based on the requirements of State network security review work.
Article 10: Where the purchase of network products or services by operators in important industries and fields such as public communications and information services, energy, transportation, water, finance, public services, and e-government, and other critical information infrastructure, might impact national security, they shall go through network security reviews. Whether network products and services might impact national security is determined by the departments working on critical information infrastructure protections.
Article 11: Third-party institutions undertaking network security reviews shall adhere to the principles of objectivity, justness, and fairness; shall follow the relevant national provisions and consult relevant standards; shall conduct assessments emphasizing the security and containability of network products and services, and the transparency of security systems and techniques; and shall be responsible for assessment results.
Article 12: Network product and service providers shall cooperate with network security review efforts, and are responsible for the authenticity of materials they provide.
Third-party institutions and other related units and individuals have an obligation to preserve the confidentiality of information obtained during network security review work, and must not use it for purposes other that network security reviews.
Article 13: the Network Security Review Office is to occasionally publish a security assessment report on network products and services.
Article 14: Where network product and service providers feel that a third-party institution or other relevant unit or individual is no longer objective and fair, or is unable to bear the obligation to preserve the confidentiality of information obtained in the course of the review, they may report this to the Network Security Review Office or relevant departments.
Article 15: Violations of these Provisions are handled in accordance with relevant laws and regulations.
Article 16: These Measures are to take effect on June 1, 2017.
[…] The final version of this document is here. […]
Article 4 now mentions that the product or service themselves may be a risk.
Article 5 removes mention of preventing unfair competition.
Deleted previous Article 10 prioritizing government purchase of security reviewed products, and forbidding purchase of those that fail security review.
Expanded definition of key industries/fields.
Article 14 now provides a mechanism for complaint by a goods/services provider about the neutrality of the 3-rd party security assessment.
Article 15 no longer gives the SIIO (CAC) power to interpret, but instead discusses punishment of violations, if only in the vaguest of terms.
Also important is the removal of threats to the public interest as subject of review, which previously stood alongside national security in several articles.
Several other minor adjustments or language changes
[…] provision to China’s 2016 Cybersecurity Law, set to be implemented on June 1, states that reviews will screen for risks of “network products and services” potentially “being […]
[…] provision to China’s 2016 Cybersecurity Law, set to be implemented on June 1, states that reviews will screen for risks of “network products and services” potentially […]