On May 24 2019 the Cyberspace Administration of China released the Cybersecurity Review Measures (Draft for Comment), which is open for public comment until 24 June 2019.
According to the draft, where an operator of critical information infrastructure (CII) purchases a network product or service, it must make an ex ante assessment of the potential security risks that could emerge once the product or service is put into operation and produce a security report accordingly. The operator must also apply to the Cybersecurity Review Office for a cybersecurity review if the purchase is likely to lead to:
- a complete shutdown or main function failure of CII;
- the leakage, loss, corruption or cross-border transfer of personal information and important data;
- supply-chain security threats, which compromise the operation and maintenance, provision of technical support and upgrading of CII; or
- other potential events that could severely jeopardise CII.
The draft stipulates that the operator must require the product or service provider to cooperate with the review by reflecting such an operation in the purchase document or contract or through other binding means. Further, a positive review result is a precondition for the contract to take effect.
The draft has been promulgated based on Article 35 of the Cybersecurity Law, which provides that "the purchase of network products or services by operators of critical information infrastructures, which might affect the national security, shall pass the security review organized by the national internet information department in conjunction with relevant departments of the State Council".
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.