CAC issues draft cybersecurity review measures

context: Few cybersecurity documents came out in 2018, but the state has been stepping up implementation of the 2016 Cybersecurity Law in recent months, as experts highlight the need for a comprehensive data defense system. SAMR has revised cybersecurity standards, MPS has released a new set of data security guidelines, and CAC is calling for comment on data security management measures.


The Cyber Administration of China (CAC) is calling for comment on ‘Cybersecurity review measures’ until 24 Jun 2019. The draft requires critical information infrastructure (CII) operators to file risk reports when purchasing products and services, and occurrence reports if:

  • CII stops functioning or its main functions are not functioning properly
  • a large amount of personal information or important data is leaked, lost, damaged or exits the country
  • operation and maintenance, technical support and upgrading of critical information infrastructure face supply chain security threats
  • other potential risks seriously endanger critical information infrastructure security

A new Cybersecurity Review Office (CRO), set up under the National Internet Information Office, will administer the process. Upon receiving a risk or occurrence report, CRO will in principle complete preliminary reviews within 30 days, considering:

  • impact on sustained, safe, stable operation of CII, including possibility of control, disruption and detriment to business community
  • controllability, transparency, supply chain security including possibility of disruption due to non-technical factors, such as politics, foreign relations, trade
  • impact on defence industry or critical information infrastructure tech and industries
  • compliance of product and service providers with national laws and administrative regulations
  • products and providers being subsidised or controlled by foreign governments

CRO will then send its verdict to reviewers, who have 15 working days to comment. If they raise an issue, CII operators will be notified that a special review procedure will be started, which in principle should be finished in 45 working days. The whole process should take 90 working days, excluding extensions.