
Thirteen departments, including the State Internet Information Office, revise and issue the Measures for Network Security Review

According to the WeChat public account of "Netinfo China", recently, the State Internet Information Office, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the Chinese Bank, the State Administration for Market Regulation, the State Administration of Radio and Television, the China Securities Regulatory Commission, the State Secrecy Administration, and the State Cryptography Administration, thirteen departments in total, jointly revised and issued the "Network Security Review Measures" (hereinafter referred to as the "Measures"), which will be implemented from February 15, 2022.

Cybersecurity Review Measures

Article 1: These Measures are formulated on the basis of the "National Security Law of the People's Republic of China", the "Cybersecurity Law of the People's Republic of China", the "Data Security Law of the People's Republic of China", and the "Regulations on the Security Protection of Critical Information Infrastructure" in order to ensure the security of the critical information infrastructure supply chain, ensure network security and data security, and preserve national security.

Article 2: Where critical information infrastructure operators procure network products and services, and network platform operators carry out data processing activities that affect or may affect national security, they shall conduct a network security review in accordance with these Measures.

The critical information infrastructure operators and network platform operators provided for in the preceding paragraph are collectively referred to as "parties".

Article 3: Network security review adheres to combining the prevention of network security risks with the promotion of the application of advanced technologies, procedural fairness and transparency with the protection of intellectual property rights, prior review with continuous supervision, and enterprise commitments with social supervision; reviews are conducted with respect to the security of products and services, data processing activities, and the national security risks that may be brought about.

Article 4: Under the leadership of the Central Cybersecurity and Informatization Commission, the State Internet Information Office, together with the National Development and Reform Commission of the People's Republic of China, the Ministry of Industry and Information Technology of the People's Republic of China, the Ministry of Public Security of the People's Republic of China, the Ministry of State Security of the People's Republic of China, the Ministry of Finance of the People's Republic of China, the Ministry of Commerce of the People's Republic of China, the Chinese Bank, the State Administration for Market Regulation, the State Administration of Radio and Television, the China Securities Regulatory Commission, the State Secrecy Administration, and the State Cryptography Administration, is to establish a national network security review working mechanism.

The Network Security Review Office is located in the State Internet Information Office, which is responsible for formulating relevant systems and norms for network security review and organizing network security reviews.

Article 5: Where critical information infrastructure operators purchase network products and services, they shall assess in advance the national security risks that may be brought about after the products and services are put into use. Where the purchase affects or may affect national security, they shall apply to the Network Security Review Office for a network security review.

Departments for the security protection of critical information infrastructure may formulate guidelines for pre-judgment in their respective industries and fields.

Article 6: For procurement activities for which a network security review is applied, critical information infrastructure operators shall require product and service providers, through procurement documents, agreements, and so forth, to cooperate with the network security review, including undertaking not to take advantage of the convenience of providing products and services to illegally obtain user data or illegally control and manipulate user equipment, and not to interrupt product supply or necessary technical support services without a legitimate reason.

Article 7: Network platform operators holding the personal information of more than 1 million users who go public abroad must apply to the Network Security Review Office for a network security review.

Article 8: Parties applying for network security review shall submit the following materials:

(1) The declaration;

(2) An analysis report on the impact or possible impact on national security;

(3) Procurement documents, agreements, contracts to be signed or initial public offering (IPO) and other listing application documents to be submitted;

(4) Other materials required for network security review efforts.

Article 9: The Network Security Review Office shall determine whether review is necessary and notify the parties in writing within 10 working days of receiving review and declaration materials that comply with article 8 of these Measures.

Article 10: Network security reviews focus on assessing the following national security risk factors for relevant targets or situations:

(1) The risk of critical information infrastructure being illegally controlled, interfered with, or destroyed after the use of products and services;

(2) The harm caused by the interruption of the supply of products and services to the business continuity of critical information infrastructure;

(3) The security, openness, transparency, and diversity of sources of products and services, the reliability of supply channels, and the risk of supply disruption due to political, diplomatic, trade and other factors;

(4) Product and service providers' compliance with Chinese laws, administrative regulations, and departmental rules;

(5) The risk of core data, important data, or a large amount of personal information being stolen, leaked, or destroyed, as well as illegally used or illegally exported abroad;

(6) The risk that critical information infrastructure, core data, important data, or a large amount of personal information will be influenced, controlled, or maliciously used by foreign governments, as well as network information security risks;

(7) Other factors that might endanger critical information infrastructure security, network security, and data security.

Article 11: Where the Network Security Review Office finds it necessary to carry out a network security review, it shall complete a preliminary review within 30 working days of issuing a written notice to the parties, including forming review conclusions and suggestions and sending review conclusions and suggestions to member units of the network security review work mechanism and relevant departments for solicitation of comments; where the circumstances are complex, it may be extended by 15 working days.

Article 12: Member units and relevant departments of the network security review work mechanism shall respond in writing with their comments within 15 working days of receiving the review conclusions and suggestions.

Where member units of the network security review work mechanism and relevant departments reach a consensus, the Network Security Review Office will notify the parties of the review conclusions in writing; where there is disagreement, the special review procedures are to be followed and the parties notified.

Article 13: Where handling is to be conducted in accordance with special review procedures, the Network Security Review Office shall hear the opinions of relevant units and departments, conduct in-depth analysis and assessment, form review conclusions and suggestions anew, and solicit the opinions of member units and relevant departments of the network security review work mechanism; after reporting to the Central Cybersecurity and Informatization Commission for approval in accordance with procedures, it shall form a review conclusion and notify the parties in writing.

Article 14: Special review procedures shall generally be completed within 90 working days, and may be extended if the circumstances are complex.

Article 15: Where the Network Security Review Office requests supplementary materials, the parties and product and service providers shall cooperate. The time for submission of additional materials does not count towards the time of review.

Article 16: Where member units of the network security review work mechanism consider that network products and services or data processing activities affect or may affect national security, the Network Security Review Office shall, after reporting to the Central Cybersecurity and Informatization Commission for approval in accordance with procedures, conduct a review in accordance with the provisions of these Measures.

In order to prevent risks, the parties concerned shall take measures to prevent and reduce risks in accordance with the requirements of the network security review during the review period.

Article 17: Relevant institutions and personnel participating in network security reviews shall strictly protect intellectual property rights, and bear obligations to preserve the confidentiality of commercial secrets and personal information learned of during review work, undisclosed materials submitted by parties and product and service providers, and other undisclosed information; without the consent of the information provider, such information must not be disclosed or used for purposes other than review.

Article 18: Where parties or network product and service providers find that review personnel have failed to be objective and impartial, or have failed to bear confidentiality obligations for information learned during review work, they may report it to the Network Security Review Office or relevant departments.

Article 19: Parties shall urge product and service providers to perform on commitments made during network security reviews. The Network Security Review Office strengthens supervision before, during, and after the event by accepting reports.

Article 20: Where parties violate the provisions of these Measures, they are to be handled in accordance with the provisions of the "Cybersecurity Law of the People's Republic of China" and the "Data Security Law of the People's Republic of China".

Article 21: "Network products and services" as used in these Measures mainly refers to core network equipment, important communications products, high-performance computers and servers, mass storage equipment, large databases and application software, network security equipment, cloud computing services, and other network products and services that have an important impact on critical information infrastructure security, network security, and data security.

Article 22: Where state secret information is involved, it is to be implemented in accordance with the relevant state secrecy provisions.

Where the State has other provisions on data security reviews and foreign investment security reviews, they shall comply with those provisions at the same time.

Article 23: These Measures take effect on February 15, 2022. The Measures for Network Security Review promulgated on 13 April 2020 (Order No. 6 of the State Internet Information Office, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the Chinese Bank, the State Administration for Market Regulation, the State Administration of Radio and Television, the State Secrecy Administration, and the State Cryptography Administration) shall be repealed at the same time.
