
Could China’s new cybersecurity rules lock out foreign firms?

  • China is bolstering its review process for certain companies working with foreign firms
  • The decision to introduce tougher measures comes amid ongoing US-China tension
  • There are concerns the lengthier, more complex review process could see foreign firms shut out

In efforts to bolster its national security, China is taking steps to tighten rules for how companies within its “critical information infrastructure” choose network products and services. 

As a result, foreign firms that provide those services to Chinese businesses are concerned that they could be locked out.

Set to take effect from June 1, the new guidelines will require businesses that fall into that category to carry out a cybersecurity review process for any procurements that could have implications for national security. The rules build on China’s 2017 cybersecurity law.

While it is unclear which types of companies will be considered part of China’s “critical information infrastructure,” the guidelines will likely affect organizations in the telecommunications, energy, finance, healthcare and social security, and defense-related science and technology industries, said the South China Morning Post.

It’s likely organizations within these areas, among others, would have to follow a much more rigorous set of steps to purchase and onboard products and services including core network hardware, servers, cloud services, database software, and network security equipment. 

A cybersecurity review process could lead to an evaluation of national security risks – including theft, breach or damage of critical data, compliance with local laws, and potential for disruption or interference in national infrastructure – led by the Cyberspace Administration of China (CAC). 

But it will also include a review of the potential for disruption based on “political, diplomatic or trade factors.” According to SCMP, that point emerged as the US was taking action to cut Chinese tech giant Huawei out of its own critical infrastructure in May last year. 

The new rules will see companies having to submit procurement documents, purchase agreements and their own analysis of the deal’s potential to impact national security for government review before signing a contract, while the review process itself is expected to take up to 45 days. That review will involve “pre-examination” and “continuous supervision”.

Faced with a lengthy review process – as well as potentially having to prove their lack of involvement in a future national security event – multinational vendors and their customers in China may back away from working together. That complexity has led some to believe that the move is being made to shoulder out foreign firms.

A CAC spokesperson has played down those intentions, stating that it’s a national security measure which is not designed to “restrict or discriminate against foreign products and services,” and that China welcomes products and services from overseas. They did admit, however, that the regulations came in the context of US-China tensions.

“There’s no reason to think, at least initially, that this is about cutting out foreign suppliers, but it’s something that people will think about, it’s going to raise concerns,” they said, adding that the measures will indeed introduce some “friction” which could include code reviews and deep product specifications.