China continues to strengthen its control of operators of large Internet platforms. In addition to the regulation on the use of algorithms to influence user behavior, such as recommendation algorithms, which will come into force on March 1, 2022, the Cybersecurity Review Measures will come into force on February 15, 2022.
In addition to operators of large Internet platforms that process the data of more than 1 million users, these also affect operators of critical infrastructure and processors of data relevant to national security. These must undergo a Cyber Security Review before deploying new network products or network services. This assesses what risks the use of the product or service poses.
Affected products and services primarily include core network equipment, critical communications products, high-performance computers and servers, mass storage devices, large databases and application software, network security equipment, cloud computing services, and other network products and services that have a significant impact on critical information infrastructure security, network security, and data security.
Submissions for the review must include a request for review, an analysis of the risks posed by a new product, service, or IPO to national security, relevant documents such as purchase agreements (drafts), agreements, or IPO documentation, and other documents requested by the agency.
Aspects of the review include:
- Risk of illegal control, interference, or destruction of critical infrastructure.
- Risk to business continuity of critical infrastructure due to disruption.
- Security, openness, transparency, diversity of sources of products and services, reliability of supply routes, and risk of disruption due to political, diplomatic, trade, or other factors.
- Compliance of the provider of the product or service with Chinese laws, administrative regulations, and departmental regulations.
- Risk of core data, critical data, or large amounts of personal data being stolen, disclosed, corrupted, used illegally, or taken out of the country illegally.
- Risk that critical infrastructure, core data, important data, or large amounts of personal data will be influenced, controlled, and used maliciously by foreign governments, as well as network security risks.
- Other factors that may affect critical infrastructure security, network security, and data security.
It is important to note that only appropriately certified cyber security products may be used in China. Testing can take 3 months and slow down business processes accordingly.