Brief Introduction of the Measures for Cybersecurity Review

2022-01-28

中文摘要：2021年12月28日，国家网信办、国家发改委等十三个部门联合发布《网络安全审查办法》（以下简称《办法》），《办法》将自2022年2月15日起施行。作为2020年6月实施之后的重要修订，《办法》既是落实《国家安全法》、《网络安全法》、《数据安全法》、《关键信息基础设施安全保护条例》等一系列新出台法律法规的明确要求，也是不断完善国家网络安全审查制度、适应国际国内网络安全新形势的重要举措，更是保障人民群众切身利益、促进经济社会发展和维护国家安全的现实需要。本文将重点介绍《办法》的修订背景、主要内容及意义，兼评《办法》与其他安全审查制度规定的协调适用的问题。

On December 28th, 2021, thirteen authorities of the PRC jointly issued the "Measures for Cybersecurity Review (2021)" (hereinafter referred to as the "Measures"), including the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, People's Bank of China, the State Administration for Market Regulation, the State Administration of Radio and Television, China Securities Regulatory Commission (hereinafter referred to as the "CSRC"), the National Administration of State Secrets Protection, and the State Cryptography Administration.

The old version of the Measures was promulgated in June 2020, and the revision of the Measures in 2021 was to implement a series of newly introduced laws and regulations such as the "National Security Law", "Cyber Security Law", "Data Security Law", and "Key Information Infrastructure Security Protection Regulations". The Measures is not only an important measure to continuously improve the national network security review system and adapt to the new situation of international and domestic network security, but also a practical requirement to protect the vital interests of the people, promote economic and social development, and maintain national security. It has released a "good signal" for the competent authorities to adhere to the principle of national, network and data security for listed companies, while taking into account the overall interests of social and economic development.

I. The main content of the Measures

The Measures has a total of 23 articles after this revision. In general, the review mechanism and process continue to use the original review system framework. The system is constantly being improved in practice. While expanding the scope of the review, appropriate adjustments have been made to the review's working mechanism and workflow. The main contents of the adjustment include: adding the CSRC as a member of the cybersecurity review working mechanism, clarifying that the time when the Office of Cyber Security Review receives qualified application materials is the review start time, adding listing application documents as part of the listing review application materials, regarding data security risks arising from listing activities as one of the essential factors leading to the national security risk, and the working time limit of special review is extended to 90 working days.

1.Purpose and objective

The purpose of the Measures is to "ensure the security of the critical information infrastructure supply chain, ensure network security and data security, and maintain national security". Compared with the "Draft for Revision", "network security and data security" has been added as a new content, indicating that the Measures will examine various factors that affect or may affect network, data and national security under the specific activities of relevant applicable subjects.

2.Competent authority for cyber security review

Under the leadership of the Cyberspace Administration of China, thirteen competent departments or agencies, including the Cyberspace Administration of China, the National Development and Reform Commission, and the Ministry of Industry and Information Technology of China, jointly established a national cybersecurity review working mechanism. The Cyber Security Review Office is specifically responsible for formulating relevant institutional norms and organizing cyber security review. According to the official information on answering reporters' questions^[1] , the specific work of the cybersecurity review will be undertaken by the China Cybersecurity Review Technology and Certification Center entrusted by the Cybersecurity Review Office.

What calls for special attention is that CSRC, as one of the competent departments of cyber security review, will participate in the operation and review of the system, and may focus on the factors that affect or may affect national security in the listing activities of enterprises abroad. Combined with the “Administrative Measures of the State Council on the Recordation of Overseas Issuance of Securities and Listing by Domestic Enterprises (Draft for Comment)” and the “Administrative Measures for the Recordation of Overseas Issuance of Securities and Listing by Domestic Enterprises (Draft for Comment)” issued by CSRC, the issuer’s first overseas issuance within three working days after submitting the IPO listing application documents, the filing materials including the security assessment review opinions issued by the relevant departments shall be submitted to CSRC. In addition, according to the "Network Security Review Measures" answers to reporters' questions, network platform operators should apply for a network security review before submitting a listing application to a foreign securities regulatory agency. Based on this, it can be seen that CSRC will form a new regulatory connection point in the two working mechanisms of network security review and filing management ^[2] .

3. Applicable persons and applicable situations

A. Applicable persons

The Measures limit the applicable persons of declaration or acceptance of national cybersecurity review to "critical information infrastructure operators" and "network platform operators", and adjust the collective name to the "parties" instead of the "operators". The scope of applicable persons that must apply for cyber security review when they have personal information of more than one million users for listing abroad is narrowed to "network platform operators".

According to the Measures, the application of cybersecurity review is not only applicable to the "voluntarily report" situation, but also to the situation triggered by the initiative of the relevant authorities. That is to say, the basic standard for judging whether to apply for voluntarily report or accept the cybersecurity review of relevant departments should be whether the business activities (including listing) of the enterprise and the corresponding data processing activities affect or may affect national security.

B.Applicable situations

According to Article 5 to Article 7 of the Measures, 1) If it is predicted that the products and services may bring national security risks after being put into use while operators of critical information infrastructure are purchasing network products and services, the operators must report to the Cyber security Review Office for those that affect or may affect national security; 2) When an online platform operator with more than one million users’ personal information goes public abroad, it must report to the Cybersecurity Review Office for cybersecurity review. Under these two circumstances, enterprises have the legal obligation to voluntarily report to relevant departments for cybersecurity review. For those who violate the aforementioned requirements, relevant departments may impose penalties in accordance with the provisions of the Cybersecurity Law and the Data Security Law.

According to Article 16 and Article 19 of the Measures, the network products and services and data processing activities (including listing activities) that are considered by member units of the network security review work mechanism to affect or may affect national security could be carried out only after being submitted for cybersecurity review. In addition, if the Cybersecurity Review Office discovers the aforementioned situations after accepting the reports, etc., it may also review relevant subjects and data processing activities in accordance with the law and relevant procedures. It’s worth noting that Article 16 of the Measures has added the relevant requirement that "in order to prevent risks, the parties shall take measures to prevent and reduce risks in accordance with the requirements of the network security review during the review period". From the perspective of relevant practice, the optional measures here include but are not limited to temporarily stopping the provision of network products and services, temporarily removing download links, or stopping new account registration, etc.

4. Review content and key issues

Article 10 of the Measures further clarifies and expands the evaluation elements for data processing activities and foreign listing of enterprises, specifically:

On one hand, it clarifies whether core data, important data or a large amount of personal information is "illegally" exiting the country as an evaluation factor. It is clear that the cybersecurity review focuses on the potential security risks caused by the illegal exit of enterprises. If an enterprise can comply with the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law and other outbound data regulatory or industry regulatory requirements to implement security assessment, and to obtain user consent and other compliance requirements, then the data outbound behavior of the enterprise will probably not fall into the evaluation scope of cybersecurity review.

On the other hand, "network information security risk" has been added as an evaluation factor for enterprise listing. As to how to understand "network information security risk", the content stipulated in Chapter 4 "Network Information Security" of the Cyber Security Law should be an important reference factor for evaluating network information security risks, that is, it mainly includes the processing and compliance with protective measures, as well as the security risks of online information content dissemination during the listing stage and after listing.

5. Review process and period

The Cybersecurity Review Office shall, within 10 working days of receiving the review application materials that meet the provisions of Article 8 of the Measures, and determine whether review is necessary and notify the parties in writing. If it is deemed necessary to conduct a network security review, the preliminary review shall be completed within 30 working days from the date of sending a written notice to the parties concerned, including forming review conclusions and suggestions and sending the review conclusions and suggestions to the member units and relevant departments of the network security review work mechanism for comments. If the situation is complicated, it can be extended for 15 working days. The member units of the network security review working mechanism and the relevant critical information infrastructure protection work departments shall reply to the operators in writing within 15 working days from the date of receipt of the review conclusion and recommendation. Where members of the cybersecurity review working mechanism disagree, they will be dealt with in accordance with the special review procedures, which should generally be completed within 90 working days, and may be extended if the situation is complicated.

The time required for the general procedure is (10+30+15+15=)70 working days at the longest from the start of the declaration; while for the special review procedure, the longest need is (70 working days + 90 working days + n=)160+n working days, that is, the actual time required is likely to reach more than 8 months.

For companies planning to be listed abroad, it is necessary to assess whether the cybersecurity review is applicable, the possible applicable procedures and estimated time required for the review, and to arrange the listing plan and timetable in light of the above-mentioned cybersecurity review procedures.

II. Coordinated application of the Measures and other security review system provisions

Article 22 of the Measures stipulates that if the state has other regulations on data security review and foreign investment security review, the regulations shall be complied with at the same time. The above-mentioned new regulations further clarify that although they all belong to the category of national security review, there may still be certain differences in the supervision objects and applicable standards of network security review, data security review and foreign investment security review. For companies planning to go public abroad, the above three types of review may be applicable simultaneously. In particular as follows:

Cybersecurity review: Article 7 of the Measures stipulates that operators of online platforms that hold the personal information of more than 1 million users to go public abroad must report to the Cybersecurity Review Office for cybersecurity review.

Data security review: According to Article 24 of the Data Security Law, which came into effect on September 1st, 2021, the state establishes a data security review system to conduct national security review of data processing activities that affect or may affect national security. If there are data processing activities that affect or may affect national security in the process of preparing for foreign listing, it may be subject to data security review conducted by relevant regulatory authorities. Since Article 2 of the Measures also includes "data processing activities carried out by network platform operators that affect or may affect national security" in the scope of cybersecurity review, the relationship and connection between data security review and cybersecurity review may remain to be further clarified by relevant legislation.

Foreign investment security review: According to the latest 2021 Negative List jointly issued by the National Development and Reform Commission and the Ministry of Commerce on December 27th, 2021, domestic enterprises that are prohibited from investing in business to issue shares overseas and go public for trading should be reviewed and approved by the relevant state authorities. Therefore, if an enterprise involved in an industry with restricted access to foreign investment (such as surveying and mapping, compulsory education, etc.) plans to go public abroad, it should also pass the review of the relevant competent authorities at the same time.

In a summary, the Measures brings about new challenges and opportunities for enterprises. Under the guidance of “implementing the overall national security” concept, the official promulgation of the Measures will undoubtedly build a more solid foundation for the protection of national security in the governance of non-traditional security issues such as cybersecurity and data security.

参考文献：

[1]" Answers to Reporters' Questions ," the official website of the Cyberspace Administration of China, January 4, 2022, link: http://www.cac.gov.cn/2022-01/04/c_1642894602460572.htm .

[2]"Security First, Development First": Official Release of the Cybersecurity Review Measures, King & Wood Compliance Team, January 4, 2022.

本文作者：

声明：            

本文由德恒律师事务所律师原创，仅代表作者本人观点，不得视为德恒律师事务所或其律师出具的正式法律意见或建议。如需转载或引用本文的任何内容，请注明出处。