On April 12, 2023, China’s regulators on cybersecurity and product standardization, including the Cyberspace Administration of China (“CAC”), Ministry of Industry and Information Technology (“MIIT”), Ministry of Public Security (“MOPS”), Ministry of Finance (“MOF”) and the China National Certification and Accreditation Administration (“CNCA”), jointly published a Circular to announce the following changes to the licensing regimes for network products distributed in the Chinese market:
- Effective from July 1, 2023, the Sales Permit for Specialized Computer Information System Security Products, also known as the MOPS License, administered by the MOPS, which is a license for distributing the in-scope information security products or software in China, will no longer be issued. However, the MOPS licensing regime is not officially repealed by the Circular. Instead, the Circular provides that the MOPS Licenses already issued shall remain effective after July 1, 2023, as long as they are within their original valid term.
- The China Compulsory Certification applied to information technology products, known as CCCi, which is a certification regime applied specifically to government procurement of the specified information security items, is repealed, effective from July 1, 2023.
- The regulators that jointly issued the Circular will collaborate to determine and release amendments to the catalogues of the Critical Network Equipment and Specialized Network Security Products, which are the products regulated under the Cybersecurity Law of China, without a specified timeline. Under the current cybersecurity regime, these products must undergo the requisite inspection or certification procedures to ensure conformity to the applicable Chinese industrial standards to be lawfully distributed in the Chinese market.
The above changes are a manifestation of the Chinese regulators’ efforts to harmonize the licensing regimes governing the local distribution of network products and information security products. Currently, these regimes are administered separately by various authorities and overlap with one another regarding the scopes of the licensable products.
Based on our inquiries with the authorities, it seems probable that the scope of the Critical Network Equipment and Specialized Network Security Products under the cybersecurity regime may be expanded to encompass products that are currently covered by the MOPS Licensing regime but are not within the scope of the cybersecurity regime. This change would provide greater certainty to suppliers and buyers of these products, as the cybersecurity regime employs a more straightforward, catalogue-based approach to define the scope of the licensable products, while the MOPS licensing regime defines the scope of the regime in a more ambiguous and general manner. It is currently unclear whether a product already licensed under the MOPS licensing regime will still need to undergo the certification or inspection procedures under the cybersecurity regime after July 1, 2023, if it falls under the expanded scope of the Critical Network Equipment and Specialized Network Security Products. This may depend on various factors, including the valid term of the original MOPS License.
It is also important to note that the acquisition of licenses for these highly regulated network products or information security products is an essential prerequisite for obtaining clearance for the national security review of the critical information infrastructures (“CIIs”), in the event that these products or software are deployed in the CIIs. On March 31, 2023, the CAC initiated a national security review targeting products sold by a US semiconductor device company in China that are deployed in CIIs. This is the first published national security review case, since the promulgation of the Cybersecurity Law of China, which focuses on the security of network equipment, as opposed to the data in respect of CIIs. CIIs that fail to pass the security review due to the unlicensed network equipment or equipment otherwise considered posing security threat to the CIIs would be required to remove the equipment from their networks. Therefore, to ensure the sustainability of CII operations and supply chains of network equipment suppliers in China, it is crucial to comply with aforementioned licensing regimes.
Frank Pan is a partner of FenXun Partners who is a premier Chinese law firm. FenXun established a Joint Operation Office with Baker McKenzie in China as Baker McKenzie FenXun which was approved by the Shanghai Justice Bureau in 2015.
