Promulgation Authorities: Cyberspace Administration of China, National Development and Reform Commission, Ministry of Industry and Information Technology, The Ministry of Public Security, the Ministry of State Security, Ministry of Finance, Ministry of Commerce, People’s Bank of China, State Administration of Radio and Television, China Securities Regulatory Commission, State Secrecy Administration, State Cryptography Administration
Release Date: 2021-12-28
Effective Date: 2022-02-15
Source: http://www.cac.gov.cn/2022-01/04/c_1642894602182845.htm
Original Title: 网络安全审查办法(2021)
Cybersecurity Review Measures (2021)
Decree No. 8 of the Cybersecurity Administration of China
The Cybersecurity Review Measures, adopted upon deliberation on November 16, 2021 at the 20th administrative meeting of the Cyberspace Administration of China in 2021, with the consent of the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People’s Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the China Securities Regulatory Commission, National Administration of State Secrets Protection and the State Cryptography Administration, are hereby promulgated, effective February 15, 2022.
Zhuang Rongwen
Director General of the Cyberspace Administration of China
He Lifeng
Director General of the National Development and Reform Commission
Xiao Yaqing
Minister of Industry and Information Technology
Zhao Kezhi
Minister of Public Security
Chen Wenqing
Minister of State Security
Liu Kun
Minister of Finance
Wang Wentao
Minister of Commerce
Yi Gang
Governor of the People’s Bank of China
Zhang Gong
Director General of the State Administration for Market Regulation
Nie Chenxi
Director General of the National Radio and Television Administration
Yi Huiman
Chairman of the China Securities Regulatory Commission
Li Zhaozong
Director General of the National Administration of State Secrets Protection
Liu Dongfang
Director General of the State Cryptography Administration
December 28, 2021
Cybersecurity Review Measures
Article 1 The present Measures are enacted in accordance with the State Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China and the Security Protection Regulations for Critical Information Infrastructure, in order to ensure the supply chain security of critical information infrastructure, safeguard network security and data security, and maintain national security.
Article 2 The purchase of network products and services by critical information infrastructure operator and the data processing activities carries out online platform operators, which affects or may affect national security, shall be subject to cybersecurity review in accordance with the present Measures.
Article 3 Cybersecurity review shall be conducted under the principle of combining cybersecurity risk prevention with the promotion of the application of advanced technologies, fairness and transparency of the process with the protection of intellectual property rights, ex ante review with continuous regulation, and corporate commitment with social supervision, in terms of the security of products and services as well as data processing activities, potential risks to the national security, etc.
Article 4 Under the leadership of the Central Cyberspace Affairs Commission, the Cyberspace Administration of China establishes a working mechanism for the cybersecurity review of the State, in concert with the National Development and Reform Commission of the People’s Republic of China, the Ministry of Industry and Information Technology of the People’s Republic of China, the Ministry of Public Security of the People’s Republic of China, the Ministry of State Security of the People’s Republic of China, the Ministry of Finance of the People’s Republic of China, the Ministry of Commerce of the People’s Republic of China, the People’s Bank of China, the State Administration for Market Regulation, the State Administration of Radio and Television, the China Securities Regulatory Commission, the National Administration of State Secrets Protection, and the State Cryptography Administration.The Office of Cybersecurity Review, located in the Cyberspace Administration of China (“CAC”), is responsible for developing relevant rules and regulations on cybersecurity review and organizing cybersecurity review.
Article 5 To purchase network products or services, a critical information infrastructure operator shall prejudge any possible risks to national security after such products or services are put into use. It shall declare any network product or service that affects or may affect national security to the Office of Cybersecurity Review for cybersecurity review.The authority for protection of critical information infrastructure may develop pre-judgment guidelines for the industry or field concerned.
Article 6 For the procurement activity declared for cybersecurity review, the critical information infrastructure operator shall require the product or service provider to cooperate in the cybersecurity review by virtue of the procurement document, agreement or otherwise, including undertaking not to take advantage of the provision of the product or service to illegally obtain user data, illegally control and manipulate user equipment, and not to suspend product supply or necessary technical support services without justifiable reasons.
Article 7 To go public abroad, an online platform operator who possesses the personal information of more than 1 million users shall declare to the Office of Cybersecurity Review for cybersecurity review.
Article 8 To file an application for cybersecurity review, the operator shall submit the following materials:
(I) A written declaration;
(II) An analysis report concerning the impact or possible impact on national security;
(III) The procurement document, agreement, contract to be entered into or IPO materials to be submitted, etc.; and
(IV) other materials necessary for cybersecurity reviews.
Article 9 The Office of Cybersecurity Review shall, within ten working days upon receipt of the declaration materials for review in conformity with the provisions of Article 8 hereof, determine whether the review is required and notify the party in writing thereof.
Article 10 Cybersecurity review shall focus on the assessment of national security risk factors of the relevant object or situation:
(I) Risks of illegal control, interference or destruction of critical information infrastructure brought about by the use of products and services;
(II) The harm caused by supply interruption of products and services to the business continuity of critical information infrastructure;
(III) Security, openness, transparency and diversity of sources of products and services, reliability of supply channels, and risks of supply interruption due to political, diplomatic, trade or other factors;
(IV) Information on compliance with Chinese laws, administrative regulations and departmental rules by product and service providers;
(V) Risks of theft, disclosure, damage, illegal use or cross-border transfer of core data, important data or large amounts of personal information;
(VI) Risks of influence, control or malicious use of critical information infrastructure, core data, important data or large amounts of personal information by foreign governments after overseas listing; and
(VII) Other factors that may endanger critical information infrastructure security and national data security.
Article 11 Where the Office of Cybersecurity Review deems it necessary to conduct a cybersecurity review, it shall complete the preliminary review within 30 working days from the date when it issues a written notice to the party, including the formation of review findings and suggestions and sending review findings and suggestions to members of the cybersecurity review working mechanism and relevant authorities for their comments. If the case is complicated, the said time limit may be extended by 15 working days.
Article 12 Members of the cybersecurity review working mechanism and relevant authorities shall give a written reply within 15 working days upon receipt of the review findings and suggestions.If a unanimous agreement is reached among the members of the cybersecurity review working mechanism and relevant authorities, the Office of Cybersecurity Review shall notify the Operator of the review findings in writing. In case of disagreement, the case shall be handled under the special review procedures, and the party shall be notified of the same.
Article 13 Where a case is handled under the special review procedures, the Office of Cybersecurity Review shall listen to the opinions of relevant authorities and organizations, conduct in-depth analysis and evaluation, form a review finding and suggestions again, seek opinions from members of the cybersecurity review working mechanism and relevant authorities, report the same to the Central Cyberspace Affairs Commission for approval under procedures, and form a review finding and notify the party thereof in writing.
Article 14 The special review procedures shall generally be completed within 90 working days and the time limit may be extended for complicated cases.
Article 15 Where the Office of Cybersecurity Review requires supplementary materials, the party and the product or service provider shall do so accordingly. The time for submission of such supplementary materials will not be included in the review period.
Article 16 Where a member of the cybersecurity review working mechanism believes that a network product or service or data processing activity affects or may affect national security, the Office of Cybersecurity Review shall report the same to the Central Cyberspace Affairs Commission for approval under procedures, and then conduct review in accordance with the present Measures.In order to prevent risks, the party shall take measures to prevent and mitigate risks during the review in accordance with the requirements of the cybersecurity review.
Article 17 Relevant agencies and personnel involved in the cybersecurity review shall strictly protect intellectual property rights, and shall have confidentiality obligations for the trade secrets, personal information, undisclosed materials submitted by the party, product and service providers as well as other undisclosed information known in the review. Without the consent of the information provider, it is not allowed to disclose such information to unrelated parties or use such information for any purpose other than the review without the consent of the information provider.
Article 18 Where the party or the network product or service provider believes that a review officer is not objective and impartial or fails to bear confidentiality obligations for the information accessed during the review, it may report the same to the Office of Cybersecurity Review or the relevant authority.
Article 19 The party shall urge the product or service provider to fulfill its commitments made during the cybersecurity review.The Office of Cybersecurity Review shall strengthen ex ante, interim and ex post supervision by means of accepting reports or otherwise.
Article 20 Any party in violation of the present Measures shall be punished in accordance with the provisions of the Cybersecurity Law of the People’s Republic of China and the Data Security Law of the People’s Republic of China.
Article 21 For the purpose of the present Measures, the term “network products and services” mainly refers to core network equipment, important communication products, high-performance computers and servers, mass storage devices, large databases and application software, cybersecurity equipment, cloud computing services, and other network products and services that have a significant impact on the security of critical information infrastructure.
Article 22 Where any state secret is involved, the relevant confidentiality provisions of the State shall apply.Where the State has other provisions on data security review and foreign investment security review, such provisions shall be complied with at the same time.
Article 23 The present Measures shall come into force on February 15, 2022, simultaneously repealing the Cybersecurity Review Measures (issued under Decree No. 6 of the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People’s Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection and the State Cryptography Administration) promulgated on April 13, 2020