Measures for Network Security Review
2022-01-05
Source: National Password Administration website Hits:
National Internet Information Office
National Development and Reform Commission of the People's Republic of China
Ministry of Industry and Information Technology of the People's Republic of China
Ministry of Public Security of the People's Republic of China
Ministry of State Security of the People's Republic of China
Ministry of Finance of the People's Republic of China
Ministry of Commerce of the People's Republic of China
People's Bank of China
State Administration of Market Supervision
State Administration of Radio and Television
China Securities Regulatory Commission
National Administration for the Protection of State Secrets
State Password Administration
order
No. 8
The Cyber Security Review Measures have been deliberated and adopted at the 20th 2021 office meeting of the State Internet Information Office on November 16, 2021, and have been approved by the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of National Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Market Supervision and Administration, the State Administration of Radio and Television With the consent of the China Securities Regulatory Commission, the State Secrets Administration and the State Password Administration, it is hereby announced and will come into force as of February 15, 2022.
Zhuang Rongwen, Director of the State Internet Information Office
He Lifeng, Director of the National Development and Reform Commission
Xiao Yaqing, Minister of Industry and Information Technology
Zhao Kezhi, Minister of Public Security
Chen Wenqing, Minister of National Security
Minister of Finance Liu Kun
Wang Wentao, Minister of Commerce
Yi Gang, President of the People's Bank of China
Zhang Gong, Director of the State Administration of Market Supervision
Nie Chenxi, Director General of the State Administration of Radio and Television
Yi Huiman, Chairman of China Securities Regulatory Commission
Li Zhaozong, Director of the State Secrets Administration
Liu Dongfang, Director of the State Encryption Administration
December 28, 2021
Measures for Network Security Review
Article 1 In order to ensure the security of key information infrastructure supply chain, ensure network security and data security, and maintain national security, these Measures are formulated in accordance with the National Security Law of the People's Republic of China, the Network Security Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Regulations on the Security Protection of Key Information Infrastructure.
Article 2 If key information infrastructure operators purchase network products and services, and network platform operators carry out data processing activities that affect or may affect national security, they shall conduct network security reviews in accordance with these Measures.
The key information infrastructure operators and network platform operators specified in the preceding paragraph are collectively referred to as the parties.
Article 3 The network security review adheres to the combination of preventing network security risks and promoting the application of advanced technology, the combination of fair and transparent process and intellectual property protection, the combination of prior review and continuous supervision, and the combination of enterprise commitment and social supervision. It reviews products and services, as well as the security of data processing activities, and possible national security risks.
Article 4 Under the leadership of the Central Cyber Security and Information Technology Commission, the State Internet Information Office, together with the National Development and Reform Commission of the People's Republic of China, the Ministry of Industry and Information Technology of the People's Republic of China, the Ministry of Public Security of the People's Republic of China, the Ministry of National Security of the People's Republic of China, the Ministry of Finance of the People's Republic of China, the Ministry of Commerce of the People's Republic of China, the People's Bank of China The State Administration of Market Supervision, the State Administration of Radio and Television, the China Securities Regulatory Commission, the State Secrets Administration and the State Password Administration have established a national network security review mechanism.
The Cyber Security Review Office, located in the State Internet Information Office, is responsible for formulating relevant regulations and rules for cyber security review and organizing cyber security review.
Article 5 When purchasing network products and services, key information infrastructure operators shall predict the national security risks that may be brought by the products and services when they are put into use. If it affects or may affect national security, it shall report to the Cyber Security Review Office for cyber security review.
The security protection department of key information infrastructure can formulate the prediction guide for the industry and the field.
Article 6 For procurement activities that apply for network security review, key information infrastructure operators shall require product and service providers to cooperate with network security review through procurement documents, agreements, etc., including undertaking not to illegally obtain user data, control and manipulate user equipment by taking advantage of the convenience of providing products and services, Do not interrupt product supply or necessary technical support services without justified reasons.
Article 7 Network platform operators who have mastered the personal information of more than 1 million users must apply for network security review to the Network Security Review Office when going abroad for listing.
Article 8 When applying for network security review, the parties concerned shall submit the following materials:
(1) Declaration;
(2) An analysis report on the impact or possible impact on national security;
(3) Procurement documents, agreements, contracts to be signed or IPO and other listing application documents to be submitted;
(4) Other materials required for network security review.
Article 9 The Cyber Security Review Office shall, within 10 working days from the receipt of the review and application materials in accordance with Article 8 of these Measures, determine whether the review is necessary and notify the parties in writing.
Article 10 The network security review focuses on the following national security risk factors of relevant objects or situations:
(1) Risk of illegal control, interference or destruction of key information infrastructure brought about by the use of products and services;
(2) The damage of product and service supply interruption to business continuity of critical information infrastructure;
(3) The security, openness, transparency, diversity of sources of products and services, the reliability of supply channels, and the risk of supply interruption due to political, diplomatic, trade and other factors;
(4) Compliance of product and service providers with Chinese laws, administrative regulations and departmental rules;
(5) The risk of core data, important data or a large amount of personal information being stolen, disclosed, damaged, illegally used and illegally left the country;
(6) There are risks of key information infrastructure, core data, important data or a large amount of personal information being affected, controlled or maliciously used by foreign governments, as well as network information security risks;
(7) Other factors that may endanger the security of critical information infrastructure, network security and data security.
Article 11 If the Cyber Security Review Office deems it necessary to conduct cyber security review, it shall complete the preliminary review within 30 working days from the date of sending a written notice to the parties concerned, including forming review conclusions and suggestions and sending the review conclusions and suggestions to the members of the cyber security review mechanism and relevant departments for comments; If the situation is complicated, it can be extended for 15 working days.
Article 12 The member units and relevant departments of the network security review mechanism shall reply in writing within 15 working days from the date of receiving the review conclusions and suggestions.
If the member units and relevant departments of the network security review mechanism agree, the Network Security Review Office will notify the parties of the review conclusion in writing; In case of disagreement, it shall be handled according to the special review procedure and the parties concerned shall be notified.
Article 13 If it is handled according to the special review procedure, the Cyber Security Review Office shall listen to the opinions of relevant units and departments, conduct in-depth analysis and evaluation, form the review conclusions and suggestions again, and solicit the opinions of the member units of the Cyber Security Review Working Mechanism and relevant departments. After reporting to the Cyber Security and Information Technology Commission of the Central Committee of the People's Republic of China for approval according to the procedure, the review conclusions shall be formed and the parties shall be notified in writing.
Article 14 The special review procedure should generally be completed within 90 working days, and can be extended in complex circumstances.
Article 15 Where the Cyber Security Review Office requires the provision of supplementary materials, the parties, products and service providers shall cooperate. The time for submitting supplementary materials shall not be included in the review time.
Article 16 The network products and services and data processing activities that the member units of the network security review mechanism consider to affect or may affect national security shall be reviewed in accordance with the provisions of these Measures after the Network Security Review Office submits them to the Central Network Security and Information Technology Commission for approval according to procedures.
In order to prevent risks, the parties shall take measures to prevent and reduce risks according to the requirements of network security review during the review period.
Article 17 Relevant institutions and personnel participating in the network security review shall strictly protect intellectual property rights, and assume confidentiality obligations for business secrets, personal information, non-public materials submitted by parties, products and service providers, and other non-public information learned in the review; Without the consent of the information provider, it shall not be disclosed to an unrelated party or used for purposes other than review.
Article 18 If the party concerned or the provider of network products and services considers that the reviewers are not objective and impartial, or fail to assume the confidentiality obligation for the information learned during the review, they can report to the Cyber Security Review Office or relevant departments.
Article 19 The parties concerned shall urge the product and service providers to fulfill the commitments made in the network security review.
The Cyber Security Review Office strengthened supervision before, during and after the event by accepting reports and other forms.
Article 20 If a party violates the provisions of these Measures, it shall be handled in accordance with the provisions of the Network Security Law of the People's Republic of China and the Data Security Law of the People's Republic of China.
Article 21 The network products and services referred to in the Measures mainly refer to core network equipment, important communication products, high-performance computers and servers, mass storage devices, large databases and application software, network security equipment, cloud computing services, and other network products and services that have an important impact on the security of key information infrastructure, network security, and data security.
Article 22 Where state secrets are involved, the relevant state confidentiality provisions shall apply.
If the State has other provisions on data security review and foreign investment security review, they shall be complied with at the same time.
Article 23 The Measures shall come into force as of February 15, 2022. Internet Security Review Measures (Order No. 6 of the State Internet Information Office, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of National Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Market Supervision Administration, the State Administration of Radio and Television, the State Security Administration, and the State Password Administration) issued on April 13, 2020 It shall be abolished at the same time.