Foration Blog

What can we learn from China's "Draconian" cyber-security bill?

Written by Paul Weeden, Founder & Managing Director at Foration. IT and technology fixer.

18 January 2017 | Paul Weeden | Tags: cyber threats, Compliance, regulated industries, china, legal

In November of last year, China's parliament rubber-stamped a controversial cyber security law. The legislation, which is due to take effect on 1 June 2017, is designed to combat what the Chinese government regards as the critical threats of hacking and cyber terrorism.

In effect, businesses that wish to make inroads into the Chinese market face a choice: either comply with the new rules (thereby giving the Chinese authorities access to proprietary information that was previously private) - or bar themselves from the market.

Here, we take a closer look at those rules and consider the wider challenges faced by companies grappling with international regulatory frameworks as they seek to explore new markets.

The new law: a snapshot

Key aspects of the new bill include the following:

  • National standards for network equipment and network security products. In order to comply with new national and industry standards, products or services that fall into the categories “Key Network Equipment” or “Specialised Network Security Products” will need to pass an official certification or testing process before they are released onto the Chinese market.

  • Restrictions on “Critical Information Infrastructure Facilities”. Across a wide range of industry sectors including utilities, transport, financial and healthcare, new network products and services must pass a state security assessment before going live.

  • Personal data restrictions. Requirements for data collection, storage and protection have been tightened. In effect, data must only be collected with the knowledge and consent of the individual - and any breaches must be reported to the authorities and to the individuals affected. In the case of Critical Information Infrastructure Facilities, personal and business data collected in China must generally be stored within the country and not be transferred abroad - save for limited exceptions.

What can all businesses learn from the bill?

Businesses that currently have direct exposure to the Chinese market (or that are considering expansion into it) will need to look closely at the law's terms - along with the clarifications and guidance that are expected to come from the Chinese authorities over the next few months.

More widely, the new law provides a reminder of the ‘regulatory risks’ faced by businesses considering international expansion. Bear in mind the following…

IT compliance should be top of the list of considerations when looking at new geographic markets

Companies typically devote considerable resources to market analysis before moving into a new area. Even if a new market is viable from a commercial point of view, businesses need to ask themselves whether it is accessible from a regulatory perspective. Clearly, it makes sense to establish this early - before resources are spent on market research for a market that may turn out to be closed.

Breaches can lead to severe sanctions and reputational loss

Early indications are that failure to comply with the breach-reporting aspects of the bill can result in individual fines of up to RMB 100,000 (equivalent to around GBP 12,000). Failure to get to grips with local regulations can lead not just to financial penalties but also to reputational blows - which can of course be catastrophic for any new player seeking to build brand recognition and trust.

Are your assets in safe hands?

The big sticking point of the new Chinese law can be summed up thus: the Chinese authorities will get to take a long hard look at the back-end infrastructure of new products and services before they are released onto the Chinese market. Are you comfortable with divulging your intellectual property in this way?

Before moving abroad in 2017, every business needs to scan the local regulatory framework carefully and then ask, “Is it really worth it?”
