When China’s Cybersecurity Law was enacted last November, one question (among many) that surfaced was how the government would implement the “national security review” that the law requires for certain network products and services.  The law, which takes effect this June, provides that any network products and services that might affect national security procured by operators of critical information infrastructure must clear a “national security review,” but left that term unexplained.  Last week, the nation’s leading internet regulator—the Cyberspace Administration of China (“CAC”)—stepped in to elaborate, at least in part.

On February 4, CAC issued a draft regulation outlining the contours of the “cybersecurity review” required by the new law and opened a one-month window for receiving public comments (see original Chinese here and our analysis here).  The name change (“cybersecurity” in lieu of “national security”) seems purely cosmetic; consistent with the Cybersecurity Law, the review process focuses on safeguarding China’s national security in cyberspace.  To that end, the draft regulation sheds light on some of CAC’s priorities, while raising new questions about what businesses must do to comply.

First, the regulations appear to contemplate a two-tier compliance system: Government agencies, Communist Party organs, and entities in “key sectors” would be prohibited from procuring any network products and services that have not passed the cybersecurity review, while other critical infrastructure operators would enjoy greater leeway, though any procurement that “may affect national security” is still subject to review. Although the “key sectors” with the strictest obligations include sectors “such as” finance, telecommunications, and energy, it is unclear whether other sectors will join their ranks.  As for other sectors, the regulations do not explain how regulators will determine if certain procurement activities “may affect national security.”

Second, the agencies will focus on ensuring that products and services are “secure and controllable.” This standard, the draft regulations explain, aims to mitigate several distinct risks—the risk that products or services will be “unlawfully controlled, interfered with, or interrupted”; the risks associated with “research and development, delivery, and technical support”; the risks that products or services will become a means to “illegally collect, store, process, or utilize users’ data”; and the risk that providers will leverage user reliance to “engage in unfair competitive practices or otherwise harm consumers.”  The “secure and controllable” standard, then, encompasses not only the more obvious goal of guarding against hacking or interference, but also a distinct and more expansive interest in protecting consumers and their data.  Additionally, to be “secure and controllable” also requires adequate protection against “possible harms to national security and the public interest,” terms that leave ample room for interpretation.

Lastly, the regulations sketch out the cybersecurity review’s core elements—“laboratory testing, on-site inspection, online monitoring, and review of background information.” What each of these elements means in practice, however, remains to be seen.

Public comments are due by March 4.