China issues new cybersecurity review measures

Abstract

\nPurpose\nTo describe and analyze the implications of the new Measures (the “Measures”) for Cybersecurity Review jointly promulgated on April 27, 2020 by twelve Chinese government departments led by the Cyberspace Administration of China (CAC).\n\n\nDesign/methodology/approach\nDefines the scope of the Measures, explains the functions and obligations of critical information infrastructure operators (each, a CIIO), outlines the self-assessment and cybersecurity review process and discusses the implications of the Measures for foreign companies doing business in China.\n\n\nFindings\nThe Measures impose an obligation on CII operators to apply for a cybersecurity review when they intend to procure network products and services that present or may present a national security concern. Such review will focus not only on national security and data leakage concerns, but also on supply-chain security concerns. The cybersecurity review will likely further the decoupling between China and the US.\n\n\nPractical implications\nWhile the Measures are not formally intended to discriminate against foreign products and services, the promulgation of the Measures will have a significant impact on foreign companies that supply network products or services to CII operators in China.\n\n\nOriginality/value\nPractical guidance from lawyers with extensive experience in advising Chinese, US, European and other companies on laws and regulations related to competition, cross-border investments, joint ventures, strategic alliances and international trade matters.\n