New Cybersecurity Review Measures approved by the Chinese Government
The Government of the People’s Republic of China has approved new cybersecurity measures for enterprises in China. These new measures for reviewing China’s cybersecurity will come into effect on 1 June 2020.
One of the fundamental principles of China’s cybersecurity law is that the purchase of network products and services (whenever national security interests are affected) should be subject to official cybersecurity review.
Under these new measures, operators of China’s critical information infrastructure are required to conduct a cybersecurity review when purchasing network products and services that may affect China’s national security interests. Network products and services include core network equipment, high-performance computers and servers, mass storage equipment, large-scale database and application software, cybersecurity equipment, cloud computing services, as well as other network products and services that have a significant impact on the security of critical information infrastructure.
It is important to note that these measures require operators of critical information infrastructure to anticipate potential national security risks arising from the acquisition; to determine whether the acquisition may impact national security; to declare to the Office of the Cybersecurity Review the need for a cybersecurity review; and to seek the right to seek the cooperation of vendors in the review process.
The Cyber Security Review Board will respond on whether a cybersecurity review will be required within 10 business days of receiving the operator’s statement. Any initial cybersecurity review is expected to be completed within 30 business days.
Violation of these measures may be subject to a fine of up to ten times the purchase price, along with individual fines of up to RMB 100,000 ($ 14.065) for the personnel involved.