On 1 July, 2015, the Standing Committee of the National People’s Congress, China’s top legislature, approved the new National Security Law of the People’s Republic of China (中华人民共和国国家安全法, the “New Law”) which became effective on the same day. This New Law is very high-level in its nature covering a wide range of areas from the military, wider economy and natural resources to environment, religion, food security, cyber security and space exploration. The most significant aspect of this New Law in relation to cyber security is the fact that it was issued by China’s top legislature, indicating the importance being placed on cyber security at the highest level of China’s legislative system.
The New Law provides for a general legislative framework to control cyber security which includes the following:
- The state should develop its ability to protect against cyber and information security risks, and to ensure that the core cyber and information technology, key infrastructure, information system and data in important sectors are secure and controllable.
- The state should set up a national security review and supervision system and should conduct national security reviews of any foreign investment, key technologies, internet and information technology products and services and other important matters and activities that impact or are likely to impact national security.
- The state should actively develop independent controllable key technologies in important sectors and strengthen the application of intellectual property.
As this New Law is newly promulgated and is very general in its nature, there is considerable ambiguity which will may be clarified by subsequent guidance. In particular:-
- The New Law does not provide specific requirements as to how to ensure that IT systems are secure and controllable. The term “secure and controllable” is also used in the CBRC Guidelines that DLA Piper reported on earlier this year. Although the CBRC Guidelines set out specific requirements to implement “secure and controllable” information technology products in the banking sector, we understand that the implementation of such rules are still pending.
- Although the New Law requires a national security review system, it does not provide any details of the practical implementation of such rules. For example, which authority will conduct such a review, what are the specific criteria to determine whether a technology product will impact or is likely to impact national security, and what the review process will be etc.
Due to the above ambiguity, we believe that more specific implantation rules, and a possible update of the CBRC Guidelines will be issued in the near future.