On May 2, 2017, the State Internet Information Office promulgated the Security Review Measures for Networking Products and Services (Pilot) (the “Measures”), which serve as an accompanying measure to the National Security Law and the Network Security Law and came into effect on June 1, 2017. This article highlights the scope of the security review, the key criteria for the review, and the agencies in charge of the review as follows:
1. Scope of security review
The Measures provide that the key networking products and services purchased for networks and information systems relating to national security shall be subject to security review. If operators in major industries such as public communications and information services, energy, transportation, water conservancy, public services and e-government as well as those in other key information infrastructures procure networking products and services which may affect national security, they must pass the security review first. Whether the products and services actually affect national security shall be determined by the agencies that protect the key information infrastructures.
2. Key criteria for the review
The Measures set out that the review will focus on the security and operability of the networking products and services, including: (1) the security risks associated with the products and services themselves, and the risk of such products being hijacked, interfered with or halted from operation; (2) supply chain security risks associated with the production, testing and delivery of the products and the relevant parts as well as the provision of technical support; (3) risks associated with illegal collection, storage, processing and use of relevant user information by the providers of products and services through such products and services; (4) risks posed by the providers of the products and services in exploiting the reliance of the users on such products and services; and (5) other potential risks of jeopardizing national security. The above provisions suggest that the review of networking products and services under the Measures would be a comprehensive and full-process review and not just a review of the products and services themselves. This will be more effective in preventing security risks.
3. Security review agencies
The Measures provide that the State Internet Information Office will set up a Network Security Review Committee in conjunction with the relevant agencies. The Network Security Review Committee will be responsible for reviewing the major policies in network security review, while the Network Security Review Office will conduct the security review, identify the review targets pursuant to relevant requirements of the state and according to user complaints and the recommendations of national trade associations, organize third-party entities and an expert committee to conduct the network security review of products and services, and release or, to a certain extent, report the results of the review.
In conclusion, the Measures will effectively regulate the provision of networking products and services in the market so that the providers can better address the security of their own products and services, enhance network security services to their users and greatly improve the overall cyberspace security index of the country.