China’s Cybersecurity Reviews Eye International Suppliers Serving Large Volume Data Controllers

China’s Cybersecurity Reviews Eye International Suppliers Serving Large Volume Data Controllers

February 21, 2022

By Donnie Dong

In China, a new regulation titled Measures for Cybersecurity Reviews (Measures), governing the “cybersecurity review” against companies who control critical information infrastructures, important industrial data, or large volumes of personal information (Target Companies), has been in effect as of February 15, 2022.

While the Target Companies will primarily be Chinese entities, multinational companies (MNCs) who are suppliers (e.g., IT service providers, software licensors, IDCs) of Target Companies should pay attention to the Measures, as they may be asked to provide information detailing their products and security measures. Suppose Target Companies are important clients of an MNC. In that case, the MNC should reach out to trustworthy IT lawyers to review their standard terms, client data management practice, and relevant workflows to prevent risks of business disruption in case its clients are targeted in a cybersecurity review case.


The Measures are made to implement the PRC Cyber Security Law (CSL), which has been in effect since 2017. According to the CSL, if a company is identified as a Critical Information Infrastructure Operator (CIIO), it shall go through a cybersecurity review when the authority believes its operation may threaten national security. In addition to the CSL, the Measures also referred to the PRC Data Security Law promulgated in 2021, in which terms “core data” and “important data” refer to those critical to national security and social stability.

The authority issued an earlier version of the Measures in 2020. However, the authority had not initiated any cybersecurity review case until July 2021, when DiDi, the leading Chinese car-sharing platform, triggered the first case after it went to the New York State Exchange. After Didi, two other Chinese companies were required to go through cybersecurity reviews due to their U.S. stock market listings.

The authority has not published its findings or conclusions over these cases. The updated Measures can be deemed the authority’s summary of these experiences.

When to review

According to the Measures, in the following circumstances, a cybersecurity review shall be conducted:

– where a CIIO purchases network products and services, and such purchase may have an impact on national security, or

– where a network platform operator processing the personal information of more than 1 million users carries out data processing activities

Procedural rules

Enforcement Agency

The authority enforcing the Measures is the “Cybersecurity Review Office” (CRO), a newly formed department under the Cyberspace Administration of China (CAC). The CRO is empowered to launch a review case and proceed with investigations against the targeted enterprises.

Case Conclusion

Before concluding a case, CRO’s must submit its preliminary conclusions to other government departments with authority over the targeted enterprise’s industry. For example, if a cybersecurity review investigation targets a telecommunication service provider, the Ministry of Industry and Information shall be consulted before the CRO concludes.

The 2022 version Measures remains unclear whether the result of a cybersecurity review case will be published. This brings ambiguity to the practice.


According to the Measures, a cybersecurity review case shall be concluded within two months. If the regulatory authorities do not agree with the CRO’s preliminary conclusion, a one-month extension will be automatically applied. Having said that, the time limit can be further extended in “complicated cases”, which will be determined by CRO itself. Also, if the targeted enterprise must provide supplementary materials during the CRO’s review process, the clock will be stopped until the supplemented materials satisfy the CRO.

Substantive Rules

According to the Measures, CRO shall focus on the following factors to assess the targeted enterprise’s data processing activities:

– the risk of data being illegally controlled, tampered with or sabotaged

– the disruptive risk of the supply chain that may endanger the continuity of CIIO

– the disruptive risk due to political, diplomatic, or trade policy factors

– the risk of any important data being breached, leaked, destroyed, or illegally transferred abroad

– the risk of the system being controlled or maliciously used by foreign governments

*     *     *     *     *

Author: Donnie Dong. Admitted to practice in China and New York State, the author is a Certified Information Privacy Manager (CIPM) by the International Association of Privacy Professionals (IAPP). Dr. Dong is also a member of the steering committee for Digital Asia Hub, a non-profit think tank collaborating with leading scholars and practitioners of digital society in Asia.

*     *     *     *     *

This communication is not a piece of legal advice but a research outcome reflecting legislation, policies, and related practices at the time of its publication. It is intended for informational purposes only and not to create an attorney-client relationship or constitute any form of advertisement.