On 12 August 2016, the Cyberspace Administration of China (“CAC”), the General Administration of Quality Supervision, the Inspection and Quarantine of China (“GAQSIQ”), and the Standardisation Administration of China (“SAC”) jointly released Several Guidelines to Strengthen National Cybersecurity Standardisation (the “Guidelines”). Under the Guidelines, mandatory national standards will be introduced to regulate critical fields such as major information technology infrastructure and classified networks in an effort to harmonise the current divergent local practice.
The National Information Security Standardisation Technical Committee will be the agency solely responsible for the review, approval, and release of national cybersecurity standards. The Guidelines propose to enhance the role of cybersecurity standards in guiding industrial development by, inter alia, establishing a standard-sharing mechanism for major cybersecurity projects as well as by incorporating standard requirements into the evaluation criteria of such projects and setting up professional qualifications. The Guidelines also stress the importance of establishing essential standards such as the “Internet +” Action Plans, “Made in China 2025,” and “Action Plans for Big Data” for critical projects such as big data security and cybersecurity audits. Finally, the Guidelines call for China’s active participation in international standard-setting activities with the aim of elevating China’s influence at the international level. As a sign of commitment to this, China will selectively adopt international standards which are deemed to suit China’s own situation.
The release of the Guidelines, on the one hand, is consistent with the Chinese government’s intent to have a tighter grip over China’s Internet and networks. On the other hand, standards unification will likely improve the transparency of cybersecurity governance and the predictability of cybersecurity enforcement, a positive step as we are still waiting for the finalisation of the draft Cybersecurity Law. While the content of the national cybersecurity standards may be redolent of heavy “Chinese characteristics,” there is a glimmer of hope as China has now signalled a desire to be involved in international cybersecurity standards-setting.