China issues new measures for cybersecurity review

Back to Technology Law Committee publications

Jihong Chen
Zhong Lun, Beijing

Yun Luo
Zhong Lun, Beijing


On 27 April 2020, the Cyberspace Administration of China (CAC) together with 12 other bureaus, jointly issued the Measures for Cybersecurity Review (the ‘New Measures’) effective 1 June 2020.

The New Measures are promulgated to implement Article 59 of the National Security Law and Article 35 of the Cybersecurity Law, aiming to protect national security and, in particular, the security of the supply chain of critical information infrastructure (‘CII’). According to the Guidelines on the Determination of CII, the information infrastructure in a number of sectors, including finance, banking and other financial institutions, might fall into the scope of CII if, once destroyed or disabled, it would severely endanger national security, national welfare or public interest.

As stated below, the New Measures have evidently made changes to former drafts and changed the review mechanism from one of passive determination to an active declaration, requiring CII operators to conduct pre-determination as to whether the network products and/or services to be procured would pose a potential national security risk. If so, CII operators should submit an application for a cybersecurity review prior to the procurement of such network products and/or services.

Article 16 of the New Measures also include confidentiality obligations to protect trade secrets and intellectual property, which not only includes the undisclosed information of the CII operators, but also those of the product and service providers. The New Measures even include a complaint clause in Article 17 that applies when objectively unfair or in breach of the confidentiality obligations.

The New Measures focus on a central goal of protecting national security and have removed the provisions relating to personal information in the former drafts, which confirms China’s dual-track approach to regulating important data and personal information after the Measures on Security Assessment for Cross-border Transfer of Personal Information (Exposure Draft) were issued last June.

Additionally, in responding to some doubts and questions from foreign investors, the spokesperson of CAC has stated that the New Measures are not intended to restrict or discriminate against foreign products or services as China will continue to embrace an opening-up policy to the market and foreign investment.

Back to Technology Law Committee publications