Interim Security Review Measures for Network Products and Services
This translation was kindly provided by Paul Triolo
Article 1 These Measures are formulated with a view to enhancing the security and controllability of network products and services, guarding against cybersecurity risks, and safeguarding national security, in accordance with laws and regulations such as the National Security Law of the People's Republic of China and the Cybersecurity Law of the People's Republic of China.
Article 2 Important network products and services procured for use in networks and information systems that touch on national security are subject to a cybersecurity review.
Article 3 A cybersecurity review shall be conducted for network products and services and their supply chains, in a manner that combines enterprise commitments with public supervision, combines third-party assessments with government continuous regulation, and combines laboratory testing with on-site checks, on-line monitoring and background investigations.
Article 4 The review will focus on the security and controllability of network products and services, including:
- Security risks arising from the products and services themselves, and risks that products and services are illegally controlled, interfered with or interrupted;
- Security risks arising in the supply chain throughout the manufacturing, testing, delivery and technical support of products and critical components;
- Risks that product or service suppliers illegally collect, store, process or use user-related information while providing products or services;
- Risks that product or service suppliers exploit users' reliance on such products or services to impair cybersecurity and harm the interests of users;
- Other risks that may endanger national security.
Article 5 The State Internet Information Office [Cyberspace Administration of China] shall work with the departments concerned to establish a Cybersecurity Review Committee, which is tasked with deliberating on key cybersecurity review policies, organizing cybersecurity review efforts, and coordinating key matters with respect to cybersecurity reviews. The Cybersecurity Review Office is responsible for conducting cybersecurity reviews.
Article 6 The Cybersecurity Review Committee shall engage relevant experts to establish a Cybersecurity Review Experts Committee, which shall, on the basis of third-party assessments, perform a comprehensive assessment of the security risks of network products and services and of the security and trustworthiness of their suppliers.
Article 7 The third-party organizations involved in cybersecurity review shall be accredited by the State according to the law, to perform third-party assessments as part of cybersecurity review work.
Article 8 The Cybersecurity Review Office shall, in line with the requirements of relevant national departments, at the request of a national industry association, or on the basis of reports from users, identify the entities for review according to the prescribed procedures, organize third-party organizations and the Experts Committee to conduct cybersecurity reviews of network products or services, and then publish the review results or report them within a defined scope.
Article 9 The regulators in such key sectors as finance, telecommunications, energy, and transportation shall, according to the requirements of national cybersecurity review work, implement cybersecurity review efforts over network products and services in their respective sectors.
Article 10 Network products and services procured for critical information infrastructure (CII) in important sectors and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services and e-government, as well as network products and services to be procured by operators of other critical information infrastructure that may affect national security, shall undergo a cybersecurity review. Whether a product or service affects national security shall be determined by the departments responsible for CII protection.
Article 11 The third-party organizations performing cybersecurity review shall conduct their assessments on an objective, just and fair basis, in line with relevant national rules and with reference to relevant standards, focusing on the security and controllability of network products and services and their supply chains and on the transparency of security mechanisms and technologies, and shall assume responsibility for their assessment results.
Article 12 Suppliers of network products and services shall cooperate with cybersecurity review work and shall be responsible for the authenticity of the materials they provide. The organizations involved, such as third-party organizations, and their employees shall keep confidential the information obtained during the review and shall not use such information for any purpose other than the cybersecurity review.
Article 13 The Cybersecurity Review Office may publish security assessment reports on network products and services on an ad hoc basis.
Article 14 Where a supplier of network products or services considers that a relevant organization, such as a third-party organization, or any of its employees has failed to be objective and fair in conducting review work, or has failed to keep confidential the information obtained during the review, the supplier may report the violation to the Cybersecurity Review Office or the relevant departments.
Article 15 Violations of these Measures shall be dealt with in accordance with applicable laws and regulations.
Article 16 The Measures shall come into force as of June 1, 2017.