A Close Reading Of China’s New Cybersecurity Review Measures In Effect Feb 15 2022

Posted: 10th January 2022 10:22

On January 4, the first working day of 2022, the Cyberspace Administration of China (CAC), in conjunction with 12 other authorities – including the China Securities Regulatory Commission (CSRC) – finally promulgated the high-profile Cybersecurity Review Measures (hereafter the “Measures”).

The new Measures, which will come into force from February 15, 2022, spell out the legal basis, scope of application, government bodies in charge, content, and procedures for cybersecurity review.

The Main Message

The Measures will subject two main groups – critical information infrastructure (CII) operators as well as network platform operators – to a cybersecurity review, under the following circumstances:

(Based on the Regulation on the Security and Protection of CII, CII operators refer to operators of information infrastructure in important industries and sectors, such as public communications and information services, energy, transport, water conservancy, finance, public services, e-government services, and national defense)

(The Measures don’t define the network platform operators. For a network platform operator with more than one million users, it could be any data-rich consumer tech company.)

Some Context

The CAC began revising the Cybersecurity Review Measures on July 10, 2021, days after the announcement of the investigation into the ride-hailing firm Didi Chuxing.

The revision was to supersede the original Measures that were effective from June 1, 2020, which focused on reviews of the procurement of ICT (information communication technology) equipment and services by CII operations – in other words, CII supply chain reviews.

With a new aim to protect cybersecurity and data security, the draft revision started incorporating data processing activities and foreign IPOs into the scope of review, which in part echoed the Data Security Law (DSL) adopted on June 10, 2021.

Cybersecurity review measures timeline China

What’s New In The 2021 Measures?

Compared with the original file, the 2021 Cybersecurity Review Measures have made the following amendments:

Will Hong Kong IPOs Be Exempt From Cybersecurity Reviews?

Among all the changes, the newly added Article 7 of the revamped Measures has attracted most attention. It stipulates that:

“Where any network platform operator who possesses the personal information of more than one million users seeks foreign listings (“国外上市”), it shall file an application with the Office of Cybersecurity Review for cybersecurity review.”

As the draft and final versions of the Measures both use the term “foreign listings” (“国外上市”), instead of “offshore listings” (“境外上市”) – the former term is often interpreted as listing outside of China, like in the US, and excluding listing in Hong Kong, while the latter term would include Hong Kong, many lawyers and bankers speculate the wording indicates that mainland companies pursuing IPOs in Hong Kong may be exempt from the cybersecurity review process.

Such discussion took place in November when the CAC issued a draft of the Network Data Security Management Regulation. The regulation specifically mentioned Hong Kong listings as requiring special vetting if they involve matters of national security, and separated Hong Kong listings from foreign listings in two perspective items.

According to Caixin’s report citing several lawyers involved in Hong Kong IPOs, “the city’s bourse recently started to ask mainland companies whether they could be subject to cybersecurity reviews. The inquiries have extended to non-Internet companies. At the moment, companies are required only to submit a legal document drawn up by mainland lawyers outlining the likelihood of a cybersecurity review.”

China’s Cybersecurity Review Process

Who Implements The Cybersecurity Review?

The Office of Cybersecurity Review (OCR), a subordinate office under the CAC, will entrust the China Cybersecurity Review Technology and Certification Center (CCRC) to conduct the review, the CAC said in a press conference.

The CCRC will undertake the tasks of receiving the filing materials and conducting formal examination of the submissions under the guidance of the OCR. The CCRC will also set up a window for cybersecurity review consultation.

CII And Network Platform Operators Applying For Cybersecurity Review

Network platform operators holding data of more than one million users are required to proactively apply to the OCR for a security review before they apply to foreign securities regulators to list.

Operators voluntarily filing an application for cybersecurity review should submit the following materials:

The OCR initiating The Review

When members under the cybersecurity review working mechanism deem a network product or service or a data processing activity as affecting or potentially affecting national security, the OCR can also report to the CCRC for approval and initiate a cybersecurity review in accordance with the Measures.

The Reviewing Time And Process

In aggregate, the general review process takes up to 70 working days from the start of the application. For the special review process, the maximum reviewing time required can be more than 160 working days, or more than eight months.

How Will China Assess For National Security Risks?

When carrying out the cybersecurity review, the OCR will focus on the assessment of national security risks that may be brought about by procurement activities, data processing activities, and overseas listing. The following factors are taken into account (the last three items are newly added, zeroing in on protecting core or important data and personal information):

Looking Forward

Most revisions in the new Cybersecurity Review Measures relates to risks associated with data processing activities. It also emphasizes the data security risks arising from Chinese market entities listed overseas, which reflects China’s growing concerns that foreign regulators could gain access to sensitive data from Chinese entities listed on foreign stock markets, particularly in the US.

In fact, the promulgation of the new Measures was preceded by a string of decisions by Chinese authorities to boost the oversight of offshore listings by Chinese companies. On December 24, 2021, the CSRC unveiled a set of rules imposing new filing requirements for Chinese companies seeking to sell shares directly or indirectly overseas. On December 27, the new negative lists for foreign investment access allowed companies in foreign investment-restricted sectors to go public overseas, but at the same time required them to obtain approval from relevant regulators in advance.

In the mid- to long-term, mainland companies, especially those whose businesses impact cybersecurity, data security, and are subject to foreign investment restriction, will face a stringent review process when seeking offshore listings.

The practical processes are still a black box for many companies, and even a conundrum for officials, as it will not be easy to secure the data without compromising the potential economic loss caused by data blocking. Thus, more detailed rules and guidelines can be expected along with the implementation of the new Cybersecurity Review Measures. Presently, it may very well be that many mainland companies hold out their IPO plans, shift towards Hong Kong IPOs, or navigate a route that does not trigger cybersecurity or data security red flags

If your business requires assistance to set up a compliant IT system in China, you can reach out to our team by sending and to technology@dezshira.com. 

Related articles


bodrum escort istanbul masöz

Subscribe to our newsletter

Sign up here and get the latest news and updates delivered directly to your inbox

You can unsubscribe at any time