Cybersecurity Review Measures: new pressure on foreign security solution providers and CIIO’s procurement departments

29 May 2020

What is the new regulation?

According to the “Network Security Review Measures” (the “Measures”) published on 27 April 2020 by the Standardisation Committee TC260 of the People’s Republic of China and effective as of 1 June 2020, Critical Information Infrastructure Operators (CIIO) need to conduct a “network security review” when purchasing network products and services that may affect national security.

Network products and services are broadly understood as core network equipment, high-performance computers and servers, mass storage equipment, large databases and application software, network security equipment, and cloud computing services (art. 20).

The review is conducted by the CIIO under supervision of the “Cyber Security Review Office”, which is under the leadership of a myriad of governmental authorities (NDRC, MPS, CAC, SAMR, MIIT, MofCom, SART, etc.).

What’s new?

The impact on national safety becomes a key criterion for CIIO when selecting network products and services (art. 5). The concept of “national safety” hovers over cybersecurity regulations like a sword of Damocles that any government authority may invoke for enforcement purposes.

Going a step further than the “national safety” criterion, the risk of a network product’s supply being disrupted by political, diplomatic and trade factors is one of the criteria of the cyber security review (art. 9).

This point opens a back door for the executive to interfere on political and diplomatic grounds at the most granular level of regulatory implementation.

Finally, the Measures include, as part of network security reviews, criteria of safety, openness, transparency and diversity of sources, without defining them.

How does it impact CIIO and security solutions providers?

In practice, the Measures shift the burden of cybersecurity compliance within the CIIO to its procurement department. They pose several new questions to procurement teams: will compliance become an additional cost in procurement’s budget, or will it be shared with the legal department? Will the legal department be further involved in the procurement process?

Although the Measures apply to CIIO, they de facto target foreign security products. In practice, overseas suppliers will be prompted by CIIO to provide additional information needed for the network security review, namely an “analysis report on the impact or possible impact on national security”. This will create additional pressure on suppliers managing accounts in the PRC: in order to stay competitive on the Chinese market, a supplier will need to prepare for cybersecurity accountability under PRC regulations – even without a physical presence in the PRC.

Ultimately, the pressure of diplomatic and trade factors now extends to overseas suppliers: although foreign providers are not explicitly targeted by the Measures, they are the only ones affected by a disruption of the supply chain due to diplomatic and trade tensions. The nationality of the provider is irrelevant, as its products might transit – physically or digitally – through a politically or diplomatically tense region, or through a “black box” step, and thus present a risk of being disrupted before reaching the CIIO in the PRC.

Coupled with the recently rolled out corporate credit score for foreign-invested entities, Chinese authorities now have in place a very efficient toolbox to restrict foreign business carried out in and with China.

What’s next?

CIIO should enable their procurement teams to understand the impact of cybersecurity regulations on their purchasing process.

Security solutions providers with clients in the PRC should prepare data protection assessments to evaluate the impact – or lack thereof – of their products on PRC’s national safety.

Foreign players should also review their supply chain management through the lens of safety, openness and transparency, so as to demonstrate their accountability when supplying CIIO in the PRC.

Full text of the Measures on TC260 official website (Chinese).

To know more, please contact

Gregory Louvel g.louvel@leaf-legal.com

Nicolas Bahmanyar n.bahmanyar@leaf-legal.com
