China has released new rules requiring companies buying networking products and services to perform cybersecurity evaluations for vulnerabilities that could affect national security.

Why it matters: China has been imposing stricter controls over the technology that makes up the backbone of its internet and how people interact in the cyber world.

  • In 2017, China implemented its landmark Cybersecurity Law, which has served as a framework for regulations that have been rolled out since.
  • The law set standards for the governance of the country’s internet, including rules on real-name verification, content moderation, and data localization.
  • The new rules clarify procurement review requirements and procedures to comply with existing laws.

Details: Operators of “critical information infrastructure” are required to conduct reviews of networking equipment and services to address any national security concerns, China’s internet watchdog said this week (in Chinese).

  • The rules could affect purchases of server equipment, mass storage devices, cloud computing services, and large-scale databases, among others.
  • There is no clear definition of which companies could be classified as critical information infrastructure operators, though they broadly include firms involved in the finance, energy, transportation, and telecommunications industries, or those that handle large amounts of personal data.
  • Operators are required to make “anticipatory judgments” about whether the use of the equipment could pose a threat to national security.
  • If risks are found, operators will be required to submit a cybersecurity review application to the government.
  • A new government office will be set up to conduct evaluations to determine whether the equipment can be interfered with or illegally controlled, whether the systems could jeopardize data security, or whether there are risks of service outages.
  • The new rules will be implemented beginning on June 1.

Context: Previous updates to China’s cybersecurity frameworks placed additional burdens on foreign companies and how they handle data collected from Chinese citizens.

  • In 2018, Apple moved all of its Chinese user data to China through a partnership with a data center operator in the country’s southwestern Guizhou province.
  • Cloud operators, including Microsoft Azure and Amazon Web Services, are required to offer their products through partnerships with Chinese companies.

Chris Udemans

Christopher Udemans is a Shanghai-based technology reporter. He covers Chinese artificial intelligence, mobility, and cybersecurity. You can contact him at chrisudemans [at] technode [dot] com.