Measures for Cybersecurity Review (2021)
Area of Law: Network Security Management
Level of Authority: Departmental Rules
Issuing Authority: Cyberspace Administration of China National Development & Reform Commission (incl. former State Development Planning Commission) Ministry of Industry & Information Technology Ministry of Public Security Ministry of State Security Ministry of Finance Ministry of Commerce People's Bank of China State Administration for Market Regulation National Radio and Television Administration China Securities Regulatory Commission State Secrets Bureau State Encryption Administration
Date Issued:12-28-2021
Effective Date:02-15-2022
Status: Effective
Topic: Artificial Intelligence
国家互联网信息办公室、中华人民共和国国家发展和改革委员会、中华人民共和国工业和信息化部、中华人民共和国公安部、中华人民共和国国家安全部、中华人民共和国财政部、中华人民共和国商务部、中国人民银行、国家市场监督管理总局、国家广播电视总局、中国证券监督管理委员会、国家保密局、国家密码管理局令
Order of the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, and the State Cryptography Administration
(第8号)
(No. 8)
《网络安全审查办法》已经2021年11月16日国家互联网信息办公室2021年第20次室务会议审议通过,并经国家发展和改革委员会、工业和信息化部、公安部、国家安全部、财政部、商务部、中国人民银行、国家市场监督管理总局、国家广播电视总局、中国证券监督管理委员会、国家保密局、国家密码管理局同意,现予公布,自2022年2月15日起施行。
The Measures for Cybersecurity Review, as deliberated and adopted at the 20th executive meeting of the Cyberspace Administration of China on November 16, 2021, and with the approval of the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the China Securities Regulatory Commission, the National Administration of State Secrets Protection, and the State Cryptography Administration, are hereby issued and shall come into force on February 15, 2022.
国家互联网信息办公室主任 庄荣文
Zhuang Rongwen, Director of the Cyberspace Administration of China
国家发展和改革委员会主任 何立峰
He Lifeng, Director of the National Development and Reform Commission
工业和信息化部部长 肖亚庆
Xiao Yaqing, Minister of Industry and Information Technology
公安部部长 赵克志
Zhao Kezhi, Minister of Public Security
国家安全部部长 陈文清
Chen Wenqing, Minister of State Security
财政部部长 刘 昆
Liu Kun, Minister of Finance
商务部部长 王文涛
Wang Wentao, Minister of Commerce
中国人民银行行长 易 纲
Yi Gang, Governor of the People's Bank of China
国家市场监督管理总局局长 张 工
Zhang Gong, Head of the State Administration for Market Regulation
国家广播电视总局局长 聂辰席
Nie Chenxi, Head of the National Radio and Television Administration
中国证券监督管理委员会主席 易会满
Yi Huiman, Chairman of the China Securities Regulatory Commission
国家保密局局长 李兆宗
Li Zhaozong, Head of the National Administration of State Secrets Protection
国家密码管理局局长 刘东方
Liu Dongfang, Head of the State Cryptography Administration
2021年12月28日
December 28, 2021
网络安全审查办法
Measures for Cybersecurity Review
第一条 为了确保关键信息基础设施供应链安全,保障网络安全和数据安全,维护国家安全,根据《中华人民共和国国家安全法》、《中华人民共和国网络安全法》、《中华人民共和国数据安全法》、《关键信息基础设施安全保护条例》,制定本办法。
第二条 关键信息基础设施运营者采购网络产品和服务,网络平台运营者开展数据处理活动,影响或者可能影响国家安全的,应当按照本办法进行网络安全审查。
Article 2 If a critical information infrastructure operator purchases network products and services or an online platform operator conducts data processing, either of which affects or may affect national security, a cybersecurity review shall be carried out according to these Measures.
前款规定的关键信息基础设施运营者、网络平台运营者统称为当事人。
第三条 网络安全审查坚持防范网络安全风险与促进先进技术应用相结合、过程公正透明与知识产权保护相结合、事前审查与持续监管相结合、企业承诺与社会监督相结合,从产品和服务以及数据处理活动安全性、可能带来的国家安全风险等方面进行审查。
Article 3 For cybersecurity review, the focus shall be on the combination of preventing network security risks and promoting the application of advanced technologies, the combination of process fairness and transparency and intellectual property protection, the combination of ex-ante review and ongoing supervision, and the combination of enterprise commitment and social supervision. Such review shall be conducted from the aspects of, among other factors, the security of products and services and data processing activities, and the possible national security risks.
第四条 在中央网络安全和信息化委员会领导下,国家互联网信息办公室会同中华人民共和国国家发展和改革委员会、中华人民共和国工业和信息化部、中华人民共和国公安部、中华人民共和国国家安全部、中华人民共和国财政部、中华人民共和国商务部、中国人民银行、国家市场监督管理总局、国家广播电视总局、中国证券监督管理委员会、国家保密局、国家密码管理局建立国家网络安全审查工作机制。
Article 4 Under the leadership of the Central Cyberspace Affairs Commission, the Cyberspace Administration of China shall establish a national working mechanism for cybersecurity reviews in conjunction with the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, China Securities Regulatory Commission, the National Administration of State Secrets Protection, and the State Cryptography Administration.
网络安全审查办公室设在国家互联网信息办公室,负责制定网络安全审查相关制度规范,组织网络安全审查。
第五条 关键信息基础设施运营者采购网络产品和服务的,应当预判该产品和服务投入使用后可能带来的国家安全风险。影响或者可能影响国家安全的,应当向网络安全审查办公室申报网络安全审查。
Article 5 If a key information infrastructure operator purchases network products and services, it shall anticipate the potential national security risks that may arise from the use of such products and services. Those that affect or may affect national security shall be reported to the Cybersecurity Review Office for cybersecurity review.
关键信息基础设施安全保护工作部门可以制定本行业、本领域预判指南。
第六条 对于申报网络安全审查的采购活动,关键信息基础设施运营者应当通过采购文件、协议等要求产品和服务提供者配合网络安全审查,包括承诺不利用提供产品和服务的便利条件非法获取用户数据、非法控制和操纵用户设备,无正当理由不中断产品供应或者必要的技术支持服务等。
Article 6 For the purchasing activities subject to applying for cybersecurity reviews, critical information infrastructure operators shall, through purchase documents and agreements, require product and service providers to cooperate with cybersecurity reviews, including the commitments not to use their convenience of providing products and services to illegally obtain user data or control and manipulate user equipment and not to interrupt product supply or necessary technical support without justifiable grounds.
第七条 掌握超过100万用户个人信息的网络平台运营者赴国外上市,必须向网络安全审查办公室申报网络安全审查。
Article 7 An online platform operator who have more than 1 million users' personal information must report to the Cybersecurity Review Office for cybersecurity review when going public abroad.
Article 8 When applying for cybersecurity review, a party shall submit the following materials:
2. An analytical report on whether national security is affected or may be affected;
(三)采购文件、协议、拟签订的合同或者拟提交的首次公开募股(IPO)等上市申请文件;
4. Other materials required for cybersecurity review.
第九条 网络安全审查办公室应当自收到符合本办法第八条规定的审查申报材料起10个工作日内,确定是否需要审查并书面通知当事人。
Article 9 The Cybersecurity Review Office shall, within ten working days of receipt of the review application materials that comply with Article 8 of these Measures, determine whether a review is required and notify the parties in writing.
第十条 网络安全审查重点评估相关对象或者情形的以下国家安全风险因素:
Article 10 A cybersecurity review shall focus on assessing the following national security risk factors for the relevant targets or situations:
(一)产品和服务使用后带来的关键信息基础设施被非法控制、遭受干扰或者破坏的风险;
(二)产品和服务供应中断对关键信息基础设施业务连续性的危害;
(三)产品和服务的安全性、开放性、透明性、来源的多样性,供应渠道的可靠性以及因为政治、外交、贸易等因素导致供应中断的风险;
(四)产品和服务提供者遵守中国法律、行政法规、部门规章情况;
(五)核心数据、重要数据或者大量个人信息被窃取、泄露、毁损以及非法利用、非法出境的风险;
(六)上市存在关键信息基础设施、核心数据、重要数据或者大量个人信息被外国政府影响、控制、恶意利用的风险,以及网络信息安全风险;
(七)其他可能危害关键信息基础设施安全、网络安全和数据安全的因素。
第十一条 网络安全审查办公室认为需要开展网络安全审查的,应当自向当事人发出书面通知之日起30个工作日内完成初步审查,包括形成审查结论建议和将审查结论建议发送网络安全审查工作机制成员单位、相关部门征求意见;情况复杂的,可以延长15个工作日。
Article 11 If the Cybersecurity Review Office deems it necessary to launch a cybersecurity review, it shall, within 30 working days of receipt of the written notice from the party, complete a preliminary review, including forming a proposal for review conclusions and sending it to the member entities of the working mechanism for cybersecurity reviews and relevant departments for comments. If the circumstances are complicated, an extension may be granted for additional 15 working days.
第十二条 网络安全审查工作机制成员单位和相关部门应当自收到审查结论建议之日起15个工作日内书面回复意见。
Article 12 The member entities of the working mechanism for cybersecurity reviews and relevant departments shall reply to their comments in writing within 15 working days of receiving the proposal for review conclusions.
网络安全审查工作机制成员单位、相关部门意见一致的,网络安全审查办公室以书面形式将审查结论通知当事人;意见不一致的,按照特别审查程序处理,并通知当事人。
第十三条 按照特别审查程序处理的,网络安全审查办公室应当听取相关单位和部门意见,进行深入分析评估,再次形成审查结论建议,并征求网络安全审查工作机制成员单位和相关部门意见,按程序报中央网络安全和信息化委员会批准后,形成审查结论并书面通知当事人。
Article 13 If the aforementioned inconsistency has been done according to the special review procedure, the Cybersecurity Review Office shall listen to the opinions of the relevant entities and departments, conduct in-depth analysis and assessment, and form a renewed proposal for review conclusions before submitting to the member entities of the working mechanism for cybersecurity reviews and relevant departments for comments. After the proposal is submitted to the Central Cyberspace Affairs Commission for approval according to the procedures, review conclusions will be formed, and the Cybersecurity Review Office shall notify the parties in writing of the review conclusions.
第十四条 特别审查程序一般应当在90个工作日内完成,情况复杂的可以延长。
Article 14 The special review procedure shall generally be completed within 90 working days, and may be extended if the circumstances are complicated.
第十五条 网络安全审查办公室要求提供补充材料的,当事人、产品和服务提供者应当予以配合。提交补充材料的时间不计入审查时间。
Article 15 If the Cybersecurity Review Office requests supplementary materials, the parties and the product and service provider shall cooperate on that. The time for submitting supplementary materials shall not be included in the review time.
第十六条 网络安全审查工作机制成员单位认为影响或者可能影响国家安全的网络产品和服务以及数据处理活动,由网络安全审查办公室按程序报中央网络安全和信息化委员会批准后,依照本办法的规定进行审查。
Article 16 If a member entity of the working mechanism for cybersecurity reviews deems that a network product or service or a data processing activity may affect or potentially affect national security, the Cybersecurity Review Office shall submit it to the Central Cyberspace Affairs Commission for approval according to the procedures before conducting a review in accordance with the provisions of these Measures.
为了防范风险,当事人应当在审查期间按照网络安全审查要求采取预防和消减风险的措施。
第十七条 参与网络安全审查的相关机构和人员应当严格保护知识产权,对在审查工作中知悉的商业秘密、个人信息,当事人、产品和服务提供者提交的未公开材料,以及其他未公开信息承担保密义务;未经信息提供方同意,不得向无关方披露或者用于审查以外的目的。
Article 17 The relevant institutions and personnel involved in the cybersecurity review shall strictly protect intellectual property, and assume the confidentiality obligation for the trade secrets and personal information learned during the review and the undisclosed materials submitted by the parties and product and service providers as well as other undisclosed information; without the consent of the information provider, the aforementioned information shall not be disclosed to unrelated parties or used for purposes other than review.
第十八条 当事人或者网络产品和服务提供者认为审查人员有失客观公正,或者未能对审查工作中知悉的信息承担保密义务的,可以向网络安全审查办公室或者有关部门举报。
Article 18 If a party or a network product or service provider deems that the review personnel are unfair and impartial, or that they fail to assume the obligation of confidentiality of information learned during the review, it may report to the Cybersecurity Review Office or relevant departments.
第十九条 当事人应当督促产品和服务提供者履行网络安全审查中作出的承诺。
Article 19 The parties shall supervise the product and service provider in fulfilling the commitments made in the cybersecurity review.
第二十条 当事人违反本办法规定的,依照《中华人民共和国网络安全法》、《中华人民共和国数据安全法》的规定处理。
第二十一条 本办法所称网络产品和服务主要指核心网络设备、重要通信产品、高性能计算机和服务器、大容量存储设备、大型数据库和应用软件、网络安全设备、云计算服务,以及其他对关键信息基础设施安全、网络安全和数据安全有重要影响的网络产品和服务。
Article 21 For the purposes of these Measures, “network product and service” means core network equipment, important communication products, high-performance computers and servers, mass storage devices, large databases and application software, network security equipment, cloud computing services as well as other network products and services that have a significant impact on the security of critical information infrastructure, network security and data security.
Article 22 If state secret information is involved, the relevant provisions of the state on confidentiality shall apply.
国家对数据安全审查、外商投资安全审查另有规定的,应当同时符合其规定。
第二十三条 本办法自2022年2月15日起施行。2020年4月13日公布的《网络安全审查办法》(国家互联网信息办公室、国家发展和改革委员会、工业和信息化部、公安部、国家安全部、财政部、商务部、中国人民银行、国家市场监督管理总局、国家广播电视总局、国家保密局、国家密码管理局令第6号)同时废止。
Article 23 These Measures shall come into force on February 15, 2022. The Measures for Cybersecurity Review (Order No. 6 of the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of State Security, the Ministry of Finance, the Ministry of Commerce, the People's Bank of China, the State Administration for Market Regulation, the National Radio and Television Administration, the National Administration of State Secrets Protection, and the State Cryptography Administration), as issued on April 13, 2020, shall be repealed concurrently.
©Pkulaw:(www.pkulaw.com) provides various professional solutions in such fields as legal information, law knowledge and legal software. Pkulaw provides you with abundant reference materials. When you invoke articles of laws and regulations, please check them with the standard texts. You are welcome to view all our products and services.
Pkulaw Express: How to quickly find information you need? What are the new features of Pkulaw V6?
Scan QR Code for instant access to the original text
Original Link: https://www.pkulaw.com/en_law/2c77a9b321683224bdfb.html
