

National Internet Information Office: operators holding the personal information of more than 1 million users must apply for review when listing abroad.

TechWeb ·  Jul 11, 2021 23:16

[TechWeb] July 11: a few days ago, the State Internet Information Office issued a notice soliciting public comment on the Measures for Network Security Review (revised draft for soliciting opinions) (hereinafter referred to as the draft for soliciting opinions). The draft for soliciting opinions points out that operators that hold the personal information of more than 1 million users and list abroad must apply to the Network Security Review Office for a network security review.

The measures for network security review (revised draft for soliciting comments) are as follows:

Measures for Network Security Review

(draft for soliciting comments on the revised draft)

Article 1: in order to ensure the supply chain security of critical information infrastructure and safeguard national security, these measures are formulated in accordance with the National Security Law of the People's Republic of China, the Cyber Security Law of the People's Republic of China and the Data Security Law of the People's Republic of China.

Article 2: where key information infrastructure operators (hereinafter referred to as operators) purchase network products and services, or data processors (hereinafter referred to as operators) carry out data processing activities, that affect or may affect national security, a network security review shall be conducted in accordance with these measures.

Article 3: network security review adheres to the combination of preventing network security risks with promoting the application of advanced technology, fair and transparent process with intellectual property protection, prior review with continuous supervision, enterprise commitment with social supervision, review from the aspects of product and service security, possible national security risks, etc.

Article 4: under the leadership of the Central Cyber Security and Informatization Committee, the State Internet Information Office, in conjunction with the National Development and Reform Commission of the People's Republic of China, the Ministry of Industry and Information Technology of the People's Republic of China, the Ministry of Public Security of the People's Republic of China, the Ministry of State Security of the People's Republic of China, the State Secret Administration and the State Cryptography Administration, shall establish a national network security review mechanism.

The Network Security Review Office is located in the State Internet Information Office, which is responsible for formulating relevant systems and norms for network security review and organizing network security review.

Article 5: when purchasing network products and services, operators shall anticipate the national security risks that may be brought about after the products and services are put into use. If it affects or may affect national security, it shall apply for network security examination to the Network Security Review Office.

Key information infrastructure protection departments can formulate pre-judgment guidelines for their own industries and fields.

Article 6: operators that hold the personal information of more than 1 million users and list abroad must apply for network security review to the Network Security Review Office.

Article 7: for procurement activities that apply for network security review, the operator shall, through procurement documents, agreements, etc., require product and service providers to cooperate with the network security review, including undertaking not to take advantage of the convenience of providing products and services to illegally obtain user data, illegally control and manipulate user equipment, and not to disrupt product supply or necessary technical support services without justifiable reasons.

Article 8: when applying for network security review, the operator shall submit the following materials:

(1) the declaration form

(2) analytical reports on the impact or possible impact on national security

(3) procurement documents, agreements, contracts to be signed or IPO materials to be submitted, etc.

(4) other materials required for network security review.

Article 9: the Network Security Review Office shall, within 10 working days from the receipt of the examination and declaration materials, determine whether it is necessary to review and notify the operator in writing.

Article 10: the network security review focuses on the assessment of procurement activities, data processing activities and national security risks that may be brought about by foreign listing, taking into account the following factors:

(1) the risk of illegal control, interference or destruction of critical information infrastructure caused by the use of products and services

(2) the harm of disruptions in the supply of products and services to the business continuity of critical information infrastructure

(3) the security, openness, transparency and diversity of sources of products and services, the reliability of supply channels and the risk of supply disruptions due to political, diplomatic, trade and other factors

(4) compliance of product and service providers with Chinese laws, administrative regulations and departmental rules

(5) the risk of core data, important data or a large amount of personal information being stolen, disclosed, destroyed, illegally used or leaving the country

(6) the risk that key information infrastructure, core data, important data or a large amount of personal information will be influenced, controlled and maliciously exploited by foreign governments after listing abroad

(7) other factors that may endanger the security of critical information infrastructure and national data security.

Article 11: if the Network Security Review Office considers it necessary to carry out a network security review, it shall complete the preliminary review within 30 working days from the date of sending a written notice to the operator, including the formation of the review conclusion recommendations and sending the review conclusion recommendations to the member units of the network security review working mechanism and the relevant key information infrastructure protection departments for comments; if the situation is complicated, it may be extended by 15 working days.

Article 12: the member units of the network security review working mechanism and the relevant key information infrastructure protection departments shall reply in writing within 15 working days from the date of receiving the recommendations of the review conclusions.

If the member units of the network security review working mechanism and the relevant key information infrastructure protection departments agree, the network security review office shall notify the operator of the review conclusion in writing; if there is any disagreement, it shall be dealt with in accordance with the special review procedure, and notify the operator.

Article 13: if handled in accordance with the special examination procedure, the Network Security Review Office shall listen to the opinions of the relevant departments and units, conduct in-depth analysis and evaluation, and form the conclusion of the review again, and solicit the opinions of the members of the working mechanism of the network security review and the relevant departments, submit them to the Central Network Security and Information Technology Committee for approval in accordance with the procedures, form a conclusion of the review and notify the operator in writing.

Article 14: the special review procedure shall generally be completed within three months and may be extended if the situation is complex.

Article 15: if the Network Security Review Office requests to provide supplementary materials, the operators, products and service providers shall cooperate. The time for the submission of supplementary materials is not included in the review time.

Article 16: the network products and services, data processing activities and foreign listing activities that the members of the working mechanism of network security review consider to affect or may affect national security, shall be submitted by the Network Security Review Office to the Central Network Security and Informatization Committee for approval in accordance with the procedures and shall be reviewed in accordance with the provisions of these measures.

Article 17: the relevant institutions and personnel participating in the network security review shall strictly protect the business secrets and intellectual property rights of the enterprise, and shall bear the obligation of confidentiality for the undisclosed materials submitted by operators, products and service providers and for other undisclosed information learned during the review; such information shall not be disclosed to an independent party or used for purposes other than the review without the consent of the information provider.

Article 18: if the operator or network product and service provider considers that the censors are not objective and impartial, or fail to undertake the obligation of confidentiality of the information learned during the examination, they may report to the network security review office or the relevant departments.

Article 19: the operator shall urge the product and service providers to fulfill the commitments made in the network security review.

The Network Security Review Office strengthens the supervision before and after the event by accepting reports and other forms.

Article 20: operators who violate the provisions of these measures shall be dealt with in accordance with the provisions of the Network Security Law of the People's Republic of China and the Data Security Law of the People's Republic of China.

Article 21: the key information infrastructure operators in these measures refer to the operators identified by the key information infrastructure protection departments.

The network products and services referred to in these measures mainly refer to core network equipment, important communication products, high-performance computers and servers, mass storage devices, large databases and application software, network security equipment, cloud computing services, and other network products and services that have an important impact on the security of critical information infrastructure.

Article 22: where state secret information is involved, the relevant state secrecy provisions shall be followed.

Article 23: these measures shall enter into force as of the day of 2021, and the measures for Security examination of Network products and Services (for trial implementation) shall be repealed at the same time.

The translation is provided by third-party software.
