The Measures aim to ensure safety of the supply chain of critical information infrastructure and guarantee national security.
The Cyberspace Administration of China (CAC), together with 11 other authorities, has jointly issued the Measures for Cybersecurity Review (Measures), which will take effect on 1 June 2020, aiming to ensure safety of the supply chain of critical information infrastructure and guarantee national security.
Where the purchase of network products and services by an operator of critical information infrastructure (Operator) influences or may influence national security, the Operator shall notify the Cybersecurity Review Office, which is under the CAC, and a cybersecurity review shall be conducted pursuant to the Measures.
Operator refers to an operator recognized by the relevant department as protecting critical information infrastructure. Network products and services refer to core network equipment, high-performance computers and servers, large-capacity storage equipment, large databases and application software, network security equipment, cloud computing services, and other network the products or services that have a significant impact on the security of critical information infrastructure.
To apply for a cybersecurity review, the Operator shall submit the following materials: a declaration statement; the analysis report of the effect or possible effect on national security; a purchase document, agreement or contract intended to be signed, etc.; and other materials required for the cybersecurity review.
During a cybersecurity review, the national security risk, which may be generated by the purchase of network products and services, will be evaluated with the following factors taken into consideration among others:
The risk of illegal control over, disturbance or destruction of critical information infrastructure, and the risk of critical data being stolen, divulged or damaged after the use of products and services;
Damage to the continuity of critical information infrastructure business, due to interruption of supply for products and services;
The security, openness, transparency and the diversity of sources of products and services, the dependability of the supply chain, and the risk of supply interruption due to factors such as politics, diplomacy, trade or any other factor;
Conditions of compliance with state laws, administrative regulations and department rules by the provider of products and services; and
Other factors which may endanger the safety of critical information infrastructure and national security.
Under Article 65 of the PRC Cybersecurity Law, where the Operator of critical information infrastructure uses network products and services that have neither been reviewed for security, nor passed the cybersecurity review, it shall be ordered by the relevant competent departments to stop using such products or services, and a fine of no less than one, but no more than ten times the purchase amount shall be imposed.
As for the persons directly in charge or otherwise directly responsible, a fine of no less than RMB 10,000 but no more than RMB 100,000 shall be imposed.
Is COVID-19 a Force Majeure event under your CM contract?
Shanghai Abundant in Investment Opportunities
Weve Got to Communicate during and after this Pandemic