China’s cybersecurity review system was first introduced into law by the CSL, which requires CII operators to apply for national security review on their procurement of network product and services if it may impact national security. The cybersecurity review regime has been further updated and implemented by the Measures for Cybersecurity Review (Review Measures) which came into effect on February 15, 2022.
The Review Measures extend the scope of cybersecurity review from procurement by CII operators to also include data processing activities by network platform operators that impact or may impact national security. Notably, a network platform operator must also apply for a cybersecurity review over its proposed listing outside China, if the network platform operator controls over one million users’ PI.
The Review Measures provide that the cybersecurity review should take into account the following aspects:
The time limit for a cybersecurity review is 30 working days for review and 15 working days for reply under normal situations and can be extended by 15 working days. Notably, for cases where the relevant ministries cannot reach a consensus, the case will follow a special review procedure, and the statutory time limit can be extended for 90 working days or longer.
*Information is accurate up to 27 November 2023