Exactly which companies are considered critical information infrastructure operators remains unclear, but the umbrella term cuts a swathe through China’s industries including telecommunications, energy, transport, finance, health care and social security, as well as defence-related science and technology industries.

China’s new cybersecurity rules ‘risk delaying threat warnings’

The new guidelines lay out both a government review timeline and a set of steps these companies must follow when purchasing products or services whose operations could be seen to have national security implications. These could include core network equipment, servers, cloud computing services, database software, and network security equipment.

To comply, the operators will need to initiate a cybersecurity review process when purchasing services and products, which could lead to an inter-agency evaluation of the national security risks of using certain products, led by a designated office housed under the Cyberspace Administration of China (CAC).

The review will be based on security factors including the risk of theft, breach, or damage of critical data, the possibility of disruption or interference with the infrastructure, and the service providers’ compliance with Chinese laws.

The criteria may push companies to stay away from multinational providers that are more likely to be viewed as a higher risk for China’s national security, if they anticipate a more rigorous or lengthy review, according to Beijing-based lawyer Luo Yan, who focuses on cybersecurity policies at international law firm Covington & Burling.

Coronavirus pandemic exposing internet users to new cybersecurity risks

Meanwhile, the suppliers could be put in the difficult position of having to prove that a future event that may be detrimental to China’s national security, but out of their control, would not happen, she said.

In comments published online, a CAC spokesperson said the purpose of the cybersecurity review was to “maintain national cybersecurity, not to restrict or discriminate against foreign products and services”, and China’s “policy of welcoming foreign products and services into the Chinese market has not changed”.

Jim Fitzsimmons, Singapore-based director of consulting firm Control Risks, said the measures were not inconsistent with how countries generally looked to gauge and understand national security risks to supply chain and critical technologies.

“There’s no reason to think, at least initially, that this is about cutting out foreign suppliers, but it’s something that people will think about, it’s going to raise concerns,” he said, noting the regulations were introduced within the context of tensions between the US and China.

“That’s the atmosphere … but it doesn’t necessarily mean [companies] won’t be able to sell things any more,” he said. “Do [the measures] introduce some friction? Yes, but the key question is going to be how do we see this being enforced over the next few years.”

Fitzsimmons also pointed to the requirement for suppliers of network services and products to provide documents to their clients operating critical information infrastructure for the review. “That’s where it becomes a material concern for our [multinational] clients … does it mean things like code reviews, deep product specifications, that could include intellectual property? It’s possible,” he said.

These concerns are addressed by the regulations, which state that trade secrets and intellectual property rights will be protected, and confidentially will be maintained for materials submitted by service providers as part of the cybersecurity review.

While some procedural details still needed to be worked out, the measures were likely have a significant impact on how procurement for critical information infrastructure operators worked in the future, according to Luo.

“Now this is formalised and it’s part of the procurement process, we expect this is going to be more widespread and regular,” she said.