Digital Policy Alert logo

China: Cybersecurity Review Measures Implemented

Policy overview

Description

Cybersecurity Review Measures Implemented

On 15 February 2022, the Cybersecurity Review Measures, adopted by the Cyberspace Administration of China (CAC) on 4 January 2022 to promulgate cybersecurity measures for critical information infrastructure and network platform operators, are implemented. The Measures apply to critical information infrastructure operators which purchase network products or services potentially affecting national security, as well as network platform operators engaging in data processing activities that may affect national security. The Measures also apply to network platform operators with personal information of over 1 million users planning to enter a public listing abroad. The affected entities must apply request the Cybersecurity Review Office to conduct a cybersecurity review when they plan to engage in the specified activities. In conducting the review, the Office will consider, for example, whether there is a risk of illegal control, interruption of service supply, or data theft.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
infrastructure provider: internet and telecom services, platform intermediary: user-generated content
Implementation Level
national
Government Branch
executive
Government Body
other regulatory body

Complete timeline of this policy change

Hide details
2021-07-10
in consultation

On 10 July 2021, the Cyberspace Administration of China (CAC) has published and opened a consultati…

2021-07-25
processing consultation

On 25 July 2021, after being opened on 10 July 2021, the Cyberspace Administration of China (CAC) h…

2021-12-28
adopted

On 28 December 2021, the Cyberspace Administration of China (CAC), after working together with a nu…

2022-02-15
in force

On 15 February 2022, the Cybersecurity Review Measures, adopted by the Cyberspace Administration of…

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type Private organisation
Economic activity infrastructure provider: internet and telecom services,platform intermediary: user-generated content
Category All

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
personal data (all forms): storage (any form)
Regulatory tool
Risk or other impact assessment requirement
Regulator notification requirement
Regulator approval requirement
Regulator cooperation requirements
Sanctions
Determined by existing law or regulation
Regulated subjects
1
personal data (all forms): data collection
Regulatory tool
Risk or other impact assessment requirement
Regulator notification requirement
Regulator approval requirement
Regulator cooperation requirements
Sanctions
Determined by existing law or regulation
Regulated subjects
1
personal data (all forms): data processing
Regulatory tool
Risk or other impact assessment requirement
Regulator notification requirement
Regulator approval requirement
Regulator cooperation requirements
Sanctions
Determined by existing law or regulation
Regulated subjects
1

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.

personal data (all forms): storage (any form)

personal data (all forms): data collection

personal data (all forms): data processing