China has adopted its controversial Cybersecurity Law end 2016. The law will take effect on June 1, 2017, and has broad implications for international companies’ how to operate in China .The law addresses a number of issues, including requiring certain companies to pass national security reviews, store user and business data in mainland China, and ( for international companies ) to provide technical support to Chinese authorities.
Applicability
The law imposes obligations on two types of businesses: network operators and critical information infrastructure operators. “Network operators” are defined as owners or providers of any “network,” which in turn is defined as any system of computers or other terminals that collect, store, transmit, and process information. (Article 76.) Given the broad definition of a network, it likely includes most internet offering businesses ( this may also include telecom operators offering “hardware” with integrated functions) “Critical information infrastructure operators” remain to be precisely defined…
Technology Reviews, Inspections, and Certifications
The law imposes several requirements for the security of certain network products and services. For example article 23 requires “key network equipment and network security products” to meet China’s national standards and mandatory requirements. Also, before such equipment or products may be used in China, the equipment and products must either pass a safety inspection or be safety certified by a qualified national Chinese agency. The law states that the Chinese government will release a catalogue of the types of network equipment and products subject to this requirement .
Much of the final law still remains unclear. The law’s few defined terms remain vague,or are not defined at all. It is highly recommended that companies assess their exposure under the law, in particular whether they may qualify as “critical information infrastructure operators.” Should a company potentially fall within that definition,
internal risk assessment of its current compliance with this law and the work required to bring it into compliance, is highly recommended.